ON Semiconductor
/
mbed-os
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: mbed-TFT-example-NCS36510 mbed-Accelerometer-example-NCS36510 mbed-Accelerometer-example-NCS36510
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_CLI_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #include <stdint.h> 00045 00046 #if defined(MBEDTLS_HAVE_TIME) 00047 #include "mbedtls/platform_time.h" 00048 #endif 00049 00050 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00051 /* Implementation that should never be optimized out by the compiler */ 00052 static void mbedtls_zeroize( void *v, size_t n ) { 00053 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00054 } 00055 #endif 00056 00057 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00058 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 00059 unsigned char *buf, 00060 size_t *olen ) 00061 { 00062 unsigned char *p = buf; 00063 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00064 size_t hostname_len; 00065 00066 *olen = 0; 00067 00068 if( ssl->hostname == NULL ) 00069 return; 00070 00071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00072 ssl->hostname ) ); 00073 00074 hostname_len = strlen( ssl->hostname ); 00075 00076 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 00077 { 00078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00079 return; 00080 } 00081 00082 /* 00083 * struct { 00084 * NameType name_type; 00085 * select (name_type) { 00086 * case host_name: HostName; 00087 * } name; 00088 * } ServerName; 00089 * 00090 * enum { 00091 * host_name(0), (255) 00092 * } NameType; 00093 * 00094 * opaque HostName<1..2^16-1>; 00095 * 00096 * struct { 00097 * ServerName server_name_list<1..2^16-1> 00098 * } ServerNameList; 00099 */ 00100 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00101 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 00102 00103 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 00104 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 00105 00106 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 00107 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 00108 00109 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00110 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 00111 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 00112 00113 memcpy( p, ssl->hostname, hostname_len ); 00114 00115 *olen = hostname_len + 9; 00116 } 00117 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00118 00119 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00120 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 00121 unsigned char *buf, 00122 size_t *olen ) 00123 { 00124 unsigned char *p = buf; 00125 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00126 00127 *olen = 0; 00128 00129 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00130 return; 00131 00132 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00133 00134 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 00135 { 00136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00137 return; 00138 } 00139 00140 /* 00141 * Secure renegotiation 00142 */ 00143 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00144 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00145 00146 *p++ = 0x00; 00147 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00148 *p++ = ssl->verify_data_len & 0xFF; 00149 00150 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00151 00152 *olen = 5 + ssl->verify_data_len; 00153 } 00154 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00155 00156 /* 00157 * Only if we handle at least one key exchange that needs signatures. 00158 */ 00159 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00160 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00161 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00162 unsigned char *buf, 00163 size_t *olen ) 00164 { 00165 unsigned char *p = buf; 00166 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00167 size_t sig_alg_len = 0; 00168 const int *md; 00169 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 00170 unsigned char *sig_alg_list = buf + 6; 00171 #endif 00172 00173 *olen = 0; 00174 00175 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 00176 return; 00177 00178 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00179 00180 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00181 { 00182 #if defined(MBEDTLS_ECDSA_C) 00183 sig_alg_len += 2; 00184 #endif 00185 #if defined(MBEDTLS_RSA_C) 00186 sig_alg_len += 2; 00187 #endif 00188 } 00189 00190 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 00191 { 00192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00193 return; 00194 } 00195 00196 /* 00197 * Prepare signature_algorithms extension (TLS 1.2) 00198 */ 00199 sig_alg_len = 0; 00200 00201 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00202 { 00203 #if defined(MBEDTLS_ECDSA_C) 00204 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00205 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 00206 #endif 00207 #if defined(MBEDTLS_RSA_C) 00208 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00209 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 00210 #endif 00211 } 00212 00213 /* 00214 * enum { 00215 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00216 * sha512(6), (255) 00217 * } HashAlgorithm; 00218 * 00219 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00220 * SignatureAlgorithm; 00221 * 00222 * struct { 00223 * HashAlgorithm hash; 00224 * SignatureAlgorithm signature; 00225 * } SignatureAndHashAlgorithm; 00226 * 00227 * SignatureAndHashAlgorithm 00228 * supported_signature_algorithms<2..2^16-2>; 00229 */ 00230 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00231 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 00232 00233 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00234 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00235 00236 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00237 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00238 00239 *olen = 6 + sig_alg_len; 00240 } 00241 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00242 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00243 00244 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00245 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00246 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 00247 unsigned char *buf, 00248 size_t *olen ) 00249 { 00250 unsigned char *p = buf; 00251 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00252 unsigned char *elliptic_curve_list = p + 6; 00253 size_t elliptic_curve_len = 0; 00254 const mbedtls_ecp_curve_info *info; 00255 #if defined(MBEDTLS_ECP_C) 00256 const mbedtls_ecp_group_id *grp_id; 00257 #else 00258 ((void) ssl); 00259 #endif 00260 00261 *olen = 0; 00262 00263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00264 00265 #if defined(MBEDTLS_ECP_C) 00266 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00267 { 00268 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00269 #else 00270 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00271 { 00272 #endif 00273 if( info == NULL ) 00274 { 00275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); 00276 return; 00277 } 00278 00279 elliptic_curve_len += 2; 00280 } 00281 00282 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 00283 { 00284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00285 return; 00286 } 00287 00288 elliptic_curve_len = 0; 00289 00290 #if defined(MBEDTLS_ECP_C) 00291 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00292 { 00293 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00294 #else 00295 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00296 { 00297 #endif 00298 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00299 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00300 } 00301 00302 if( elliptic_curve_len == 0 ) 00303 return; 00304 00305 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00306 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00307 00308 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00309 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00310 00311 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00312 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00313 00314 *olen = 6 + elliptic_curve_len; 00315 } 00316 00317 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 00318 unsigned char *buf, 00319 size_t *olen ) 00320 { 00321 unsigned char *p = buf; 00322 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00323 00324 *olen = 0; 00325 00326 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00327 00328 if( end < p || (size_t)( end - p ) < 6 ) 00329 { 00330 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00331 return; 00332 } 00333 00334 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00335 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00336 00337 *p++ = 0x00; 00338 *p++ = 2; 00339 00340 *p++ = 1; 00341 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 00342 00343 *olen = 6; 00344 } 00345 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00346 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00347 00348 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00349 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 00350 unsigned char *buf, 00351 size_t *olen ) 00352 { 00353 int ret; 00354 unsigned char *p = buf; 00355 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00356 size_t kkpp_len; 00357 00358 *olen = 0; 00359 00360 /* Skip costly extension if we can't use EC J-PAKE anyway */ 00361 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00362 return; 00363 00364 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 00365 00366 if( end - p < 4 ) 00367 { 00368 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00369 return; 00370 } 00371 00372 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 00373 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 00374 00375 /* 00376 * We may need to send ClientHello multiple times for Hello verification. 00377 * We don't want to compute fresh values every time (both for performance 00378 * and consistency reasons), so cache the extension content. 00379 */ 00380 if( ssl->handshake->ecjpake_cache == NULL || 00381 ssl->handshake->ecjpake_cache_len == 0 ) 00382 { 00383 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 00384 00385 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 00386 p + 2, end - p - 2, &kkpp_len, 00387 ssl->conf->f_rng, ssl->conf->p_rng ); 00388 if( ret != 0 ) 00389 { 00390 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 00391 return; 00392 } 00393 00394 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 00395 if( ssl->handshake->ecjpake_cache == NULL ) 00396 { 00397 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 00398 return; 00399 } 00400 00401 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 00402 ssl->handshake->ecjpake_cache_len = kkpp_len; 00403 } 00404 else 00405 { 00406 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 00407 00408 kkpp_len = ssl->handshake->ecjpake_cache_len; 00409 00410 if( (size_t)( end - p - 2 ) < kkpp_len ) 00411 { 00412 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00413 return; 00414 } 00415 00416 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 00417 } 00418 00419 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 00420 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 00421 00422 *olen = kkpp_len + 4; 00423 } 00424 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00425 00426 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00427 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00428 unsigned char *buf, 00429 size_t *olen ) 00430 { 00431 unsigned char *p = buf; 00432 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00433 00434 *olen = 0; 00435 00436 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 00437 return; 00438 } 00439 00440 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00441 00442 if( end < p || (size_t)( end - p ) < 5 ) 00443 { 00444 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00445 return; 00446 } 00447 00448 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00449 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00450 00451 *p++ = 0x00; 00452 *p++ = 1; 00453 00454 *p++ = ssl->conf->mfl_code; 00455 00456 *olen = 5; 00457 } 00458 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00459 00460 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00461 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00462 unsigned char *buf, size_t *olen ) 00463 { 00464 unsigned char *p = buf; 00465 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00466 00467 *olen = 0; 00468 00469 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 00470 { 00471 return; 00472 } 00473 00474 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00475 00476 if( end < p || (size_t)( end - p ) < 4 ) 00477 { 00478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00479 return; 00480 } 00481 00482 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00483 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00484 00485 *p++ = 0x00; 00486 *p++ = 0x00; 00487 00488 *olen = 4; 00489 } 00490 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00491 00492 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00493 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00494 unsigned char *buf, size_t *olen ) 00495 { 00496 unsigned char *p = buf; 00497 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00498 00499 *olen = 0; 00500 00501 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 00502 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00503 { 00504 return; 00505 } 00506 00507 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00508 "extension" ) ); 00509 00510 if( end < p || (size_t)( end - p ) < 4 ) 00511 { 00512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00513 return; 00514 } 00515 00516 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00517 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00518 00519 *p++ = 0x00; 00520 *p++ = 0x00; 00521 00522 *olen = 4; 00523 } 00524 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00525 00526 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00527 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 00528 unsigned char *buf, size_t *olen ) 00529 { 00530 unsigned char *p = buf; 00531 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00532 00533 *olen = 0; 00534 00535 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 00536 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00537 { 00538 return; 00539 } 00540 00541 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00542 "extension" ) ); 00543 00544 if( end < p || (size_t)( end - p ) < 4 ) 00545 { 00546 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00547 return; 00548 } 00549 00550 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00551 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00552 00553 *p++ = 0x00; 00554 *p++ = 0x00; 00555 00556 *olen = 4; 00557 } 00558 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00559 00560 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00561 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 00562 unsigned char *buf, size_t *olen ) 00563 { 00564 unsigned char *p = buf; 00565 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00566 size_t tlen = ssl->session_negotiate->ticket_len; 00567 00568 *olen = 0; 00569 00570 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 00571 { 00572 return; 00573 } 00574 00575 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00576 00577 if( end < p || (size_t)( end - p ) < 4 + tlen ) 00578 { 00579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00580 return; 00581 } 00582 00583 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00584 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 00585 00586 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00587 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00588 00589 *olen = 4; 00590 00591 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 00592 { 00593 return; 00594 } 00595 00596 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00597 00598 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00599 00600 *olen += tlen; 00601 } 00602 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00603 00604 #if defined(MBEDTLS_SSL_ALPN) 00605 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 00606 unsigned char *buf, size_t *olen ) 00607 { 00608 unsigned char *p = buf; 00609 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00610 size_t alpnlen = 0; 00611 const char **cur; 00612 00613 *olen = 0; 00614 00615 if( ssl->conf->alpn_list == NULL ) 00616 { 00617 return; 00618 } 00619 00620 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00621 00622 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00623 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 00624 00625 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 00626 { 00627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00628 return; 00629 } 00630 00631 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 00632 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 00633 00634 /* 00635 * opaque ProtocolName<1..2^8-1>; 00636 * 00637 * struct { 00638 * ProtocolName protocol_name_list<2..2^16-1> 00639 * } ProtocolNameList; 00640 */ 00641 00642 /* Skip writing extension and list length for now */ 00643 p += 4; 00644 00645 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00646 { 00647 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00648 memcpy( p + 1, *cur, *p ); 00649 p += 1 + *p; 00650 } 00651 00652 *olen = p - buf; 00653 00654 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00655 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00656 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00657 00658 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00659 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00660 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00661 } 00662 #endif /* MBEDTLS_SSL_ALPN */ 00663 00664 /* 00665 * Generate random bytes for ClientHello 00666 */ 00667 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 00668 { 00669 int ret; 00670 unsigned char *p = ssl->handshake->randbytes; 00671 #if defined(MBEDTLS_HAVE_TIME) 00672 mbedtls_time_t t; 00673 #endif 00674 00675 /* 00676 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 00677 */ 00678 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00679 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00680 ssl->handshake->verify_cookie != NULL ) 00681 { 00682 return( 0 ); 00683 } 00684 #endif 00685 00686 #if defined(MBEDTLS_HAVE_TIME) 00687 t = mbedtls_time( NULL ); 00688 *p++ = (unsigned char)( t >> 24 ); 00689 *p++ = (unsigned char)( t >> 16 ); 00690 *p++ = (unsigned char)( t >> 8 ); 00691 *p++ = (unsigned char)( t ); 00692 00693 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00694 #else 00695 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 00696 return( ret ); 00697 00698 p += 4; 00699 #endif /* MBEDTLS_HAVE_TIME */ 00700 00701 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 00702 return( ret ); 00703 00704 return( 0 ); 00705 } 00706 00707 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 00708 { 00709 int ret; 00710 size_t i, n, olen, ext_len = 0; 00711 unsigned char *buf; 00712 unsigned char *p, *q; 00713 unsigned char offer_compress; 00714 const int *ciphersuites; 00715 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00716 00717 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00718 00719 if( ssl->conf->f_rng == NULL ) 00720 { 00721 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00722 return( MBEDTLS_ERR_SSL_NO_RNG ); 00723 } 00724 00725 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00726 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00727 #endif 00728 { 00729 ssl->major_ver = ssl->conf->min_major_ver; 00730 ssl->minor_ver = ssl->conf->min_minor_ver; 00731 } 00732 00733 if( ssl->conf->max_major_ver == 0 ) 00734 { 00735 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 00736 "consider using mbedtls_ssl_config_defaults()" ) ); 00737 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00738 } 00739 00740 /* 00741 * 0 . 0 handshake type 00742 * 1 . 3 handshake length 00743 * 4 . 5 highest version supported 00744 * 6 . 9 current UNIX time 00745 * 10 . 37 random bytes 00746 */ 00747 buf = ssl->out_msg; 00748 p = buf + 4; 00749 00750 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 00751 ssl->conf->transport, p ); 00752 p += 2; 00753 00754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00755 buf[4], buf[5] ) ); 00756 00757 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 00758 { 00759 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 00760 return( ret ); 00761 } 00762 00763 memcpy( p, ssl->handshake->randbytes, 32 ); 00764 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 00765 p += 32; 00766 00767 /* 00768 * 38 . 38 session id length 00769 * 39 . 39+n session id 00770 * 39+n . 39+n DTLS only: cookie length (1 byte) 00771 * 40+n . .. DTSL only: cookie 00772 * .. . .. ciphersuitelist length (2 bytes) 00773 * .. . .. ciphersuitelist 00774 * .. . .. compression methods length (1 byte) 00775 * .. . .. compression methods 00776 * .. . .. extensions length (2 bytes) 00777 * .. . .. extensions 00778 */ 00779 n = ssl->session_negotiate->id_len; 00780 00781 if( n < 16 || n > 32 || 00782 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00783 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 00784 #endif 00785 ssl->handshake->resume == 0 ) 00786 { 00787 n = 0; 00788 } 00789 00790 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00791 /* 00792 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00793 * generate and include a Session ID in the TLS ClientHello." 00794 */ 00795 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00796 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00797 #endif 00798 { 00799 if( ssl->session_negotiate->ticket != NULL && 00800 ssl->session_negotiate->ticket_len != 0 ) 00801 { 00802 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 00803 00804 if( ret != 0 ) 00805 return( ret ); 00806 00807 ssl->session_negotiate->id_len = n = 32; 00808 } 00809 } 00810 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00811 00812 *p++ = (unsigned char) n; 00813 00814 for( i = 0; i < n; i++ ) 00815 *p++ = ssl->session_negotiate->id[i]; 00816 00817 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00818 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00819 00820 /* 00821 * DTLS cookie 00822 */ 00823 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00824 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00825 { 00826 if( ssl->handshake->verify_cookie == NULL ) 00827 { 00828 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 00829 *p++ = 0; 00830 } 00831 else 00832 { 00833 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 00834 ssl->handshake->verify_cookie, 00835 ssl->handshake->verify_cookie_len ); 00836 00837 *p++ = ssl->handshake->verify_cookie_len; 00838 memcpy( p, ssl->handshake->verify_cookie, 00839 ssl->handshake->verify_cookie_len ); 00840 p += ssl->handshake->verify_cookie_len; 00841 } 00842 } 00843 #endif 00844 00845 /* 00846 * Ciphersuite list 00847 */ 00848 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 00849 00850 /* Skip writing ciphersuite length for now */ 00851 n = 0; 00852 q = p; 00853 p += 2; 00854 00855 for( i = 0; ciphersuites[i] != 0; i++ ) 00856 { 00857 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 00858 00859 if( ciphersuite_info == NULL ) 00860 continue; 00861 00862 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver || 00863 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver ) 00864 continue; 00865 00866 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00867 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00868 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00869 continue; 00870 #endif 00871 00872 #if defined(MBEDTLS_ARC4_C) 00873 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00874 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00875 continue; 00876 #endif 00877 00878 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00879 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00880 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00881 continue; 00882 #endif 00883 00884 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 00885 ciphersuites[i] ) ); 00886 00887 n++; 00888 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00889 *p++ = (unsigned char)( ciphersuites[i] ); 00890 } 00891 00892 /* 00893 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00894 */ 00895 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00896 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00897 #endif 00898 { 00899 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00900 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 00901 n++; 00902 } 00903 00904 /* Some versions of OpenSSL don't handle it correctly if not at end */ 00905 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 00906 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 00907 { 00908 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 00909 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 00910 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 00911 n++; 00912 } 00913 #endif 00914 00915 *q++ = (unsigned char)( n >> 7 ); 00916 *q++ = (unsigned char)( n << 1 ); 00917 00918 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); 00919 00920 #if defined(MBEDTLS_ZLIB_SUPPORT) 00921 offer_compress = 1; 00922 #else 00923 offer_compress = 0; 00924 #endif 00925 00926 /* 00927 * We don't support compression with DTLS right now: is many records come 00928 * in the same datagram, uncompressing one could overwrite the next one. 00929 * We don't want to add complexity for handling that case unless there is 00930 * an actual need for it. 00931 */ 00932 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00933 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00934 offer_compress = 0; 00935 #endif 00936 00937 if( offer_compress ) 00938 { 00939 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00940 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00941 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 00942 00943 *p++ = 2; 00944 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 00945 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00946 } 00947 else 00948 { 00949 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00950 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 00951 MBEDTLS_SSL_COMPRESS_NULL ) ); 00952 00953 *p++ = 1; 00954 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00955 } 00956 00957 // First write extensions, then the total length 00958 // 00959 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00960 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 00961 ext_len += olen; 00962 #endif 00963 00964 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00965 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 00966 ext_len += olen; 00967 #endif 00968 00969 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00970 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00971 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 00972 ext_len += olen; 00973 #endif 00974 00975 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00976 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00977 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 00978 ext_len += olen; 00979 00980 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 00981 ext_len += olen; 00982 #endif 00983 00984 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00985 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 00986 ext_len += olen; 00987 #endif 00988 00989 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00990 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 00991 ext_len += olen; 00992 #endif 00993 00994 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00995 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 00996 ext_len += olen; 00997 #endif 00998 00999 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01000 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 01001 ext_len += olen; 01002 #endif 01003 01004 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01005 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 01006 ext_len += olen; 01007 #endif 01008 01009 #if defined(MBEDTLS_SSL_ALPN) 01010 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01011 ext_len += olen; 01012 #endif 01013 01014 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01015 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01016 ext_len += olen; 01017 #endif 01018 01019 /* olen unused if all extensions are disabled */ 01020 ((void) olen); 01021 01022 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 01023 ext_len ) ); 01024 01025 if( ext_len > 0 ) 01026 { 01027 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01028 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01029 p += ext_len; 01030 } 01031 01032 ssl->out_msglen = p - buf; 01033 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 01034 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 01035 01036 ssl->state++; 01037 01038 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01039 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01040 mbedtls_ssl_send_flight_completed( ssl ); 01041 #endif 01042 01043 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 01044 { 01045 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 01046 return( ret ); 01047 } 01048 01049 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 01050 01051 return( 0 ); 01052 } 01053 01054 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 01055 const unsigned char *buf, 01056 size_t len ) 01057 { 01058 int ret; 01059 01060 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01061 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01062 { 01063 /* Check verify-data in constant-time. The length OTOH is no secret */ 01064 if( len != 1 + ssl->verify_data_len * 2 || 01065 buf[0] != ssl->verify_data_len * 2 || 01066 mbedtls_ssl_safer_memcmp( buf + 1, 01067 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 01068 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 01069 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 01070 { 01071 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 01072 01073 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01074 return( ret ); 01075 01076 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01077 } 01078 } 01079 else 01080 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01081 { 01082 if( len != 1 || buf[0] != 0x00 ) 01083 { 01084 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 01085 01086 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01087 return( ret ); 01088 01089 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01090 } 01091 01092 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01093 } 01094 01095 return( 0 ); 01096 } 01097 01098 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01099 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 01100 const unsigned char *buf, 01101 size_t len ) 01102 { 01103 /* 01104 * server should use the extension only if we did, 01105 * and if so the server's value should match ours (and len is always 1) 01106 */ 01107 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 01108 len != 1 || 01109 buf[0] != ssl->conf->mfl_code ) 01110 { 01111 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01112 } 01113 01114 return( 0 ); 01115 } 01116 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01117 01118 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01119 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01120 const unsigned char *buf, 01121 size_t len ) 01122 { 01123 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 01124 len != 0 ) 01125 { 01126 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01127 } 01128 01129 ((void) buf); 01130 01131 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 01132 01133 return( 0 ); 01134 } 01135 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01136 01137 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01138 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01139 const unsigned char *buf, 01140 size_t len ) 01141 { 01142 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 01143 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01144 len != 0 ) 01145 { 01146 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01147 } 01148 01149 ((void) buf); 01150 01151 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 01152 01153 return( 0 ); 01154 } 01155 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01156 01157 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01158 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 01159 const unsigned char *buf, 01160 size_t len ) 01161 { 01162 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01163 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01164 len != 0 ) 01165 { 01166 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01167 } 01168 01169 ((void) buf); 01170 01171 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 01172 01173 return( 0 ); 01174 } 01175 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01176 01177 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01178 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 01179 const unsigned char *buf, 01180 size_t len ) 01181 { 01182 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 01183 len != 0 ) 01184 { 01185 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01186 } 01187 01188 ((void) buf); 01189 01190 ssl->handshake->new_session_ticket = 1; 01191 01192 return( 0 ); 01193 } 01194 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01195 01196 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01197 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01198 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 01199 const unsigned char *buf, 01200 size_t len ) 01201 { 01202 size_t list_size; 01203 const unsigned char *p; 01204 01205 list_size = buf[0]; 01206 if( list_size + 1 != len ) 01207 { 01208 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01209 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01210 } 01211 01212 p = buf + 1; 01213 while( list_size > 0 ) 01214 { 01215 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 01216 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 01217 { 01218 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 01219 ssl->handshake->ecdh_ctx.point_format = p[0]; 01220 #endif 01221 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01222 ssl->handshake->ecjpake_ctx.point_format = p[0]; 01223 #endif 01224 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 01225 return( 0 ); 01226 } 01227 01228 list_size--; 01229 p++; 01230 } 01231 01232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 01233 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01234 } 01235 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01236 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01237 01238 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01239 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 01240 const unsigned char *buf, 01241 size_t len ) 01242 { 01243 int ret; 01244 01245 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 01246 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 01247 { 01248 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 01249 return( 0 ); 01250 } 01251 01252 /* If we got here, we no longer need our cached extension */ 01253 mbedtls_free( ssl->handshake->ecjpake_cache ); 01254 ssl->handshake->ecjpake_cache = NULL; 01255 ssl->handshake->ecjpake_cache_len = 0; 01256 01257 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 01258 buf, len ) ) != 0 ) 01259 { 01260 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 01261 return( ret ); 01262 } 01263 01264 return( 0 ); 01265 } 01266 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01267 01268 #if defined(MBEDTLS_SSL_ALPN) 01269 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 01270 const unsigned char *buf, size_t len ) 01271 { 01272 size_t list_len, name_len; 01273 const char **p; 01274 01275 /* If we didn't send it, the server shouldn't send it */ 01276 if( ssl->conf->alpn_list == NULL ) 01277 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01278 01279 /* 01280 * opaque ProtocolName<1..2^8-1>; 01281 * 01282 * struct { 01283 * ProtocolName protocol_name_list<2..2^16-1> 01284 * } ProtocolNameList; 01285 * 01286 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 01287 */ 01288 01289 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 01290 if( len < 4 ) 01291 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01292 01293 list_len = ( buf[0] << 8 ) | buf[1]; 01294 if( list_len != len - 2 ) 01295 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01296 01297 name_len = buf[2]; 01298 if( name_len != list_len - 1 ) 01299 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01300 01301 /* Check that the server chosen protocol was in our list and save it */ 01302 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 01303 { 01304 if( name_len == strlen( *p ) && 01305 memcmp( buf + 3, *p, name_len ) == 0 ) 01306 { 01307 ssl->alpn_chosen = *p; 01308 return( 0 ); 01309 } 01310 } 01311 01312 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01313 } 01314 #endif /* MBEDTLS_SSL_ALPN */ 01315 01316 /* 01317 * Parse HelloVerifyRequest. Only called after verifying the HS type. 01318 */ 01319 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01320 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 01321 { 01322 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 01323 int major_ver, minor_ver; 01324 unsigned char cookie_len; 01325 01326 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 01327 01328 /* 01329 * struct { 01330 * ProtocolVersion server_version; 01331 * opaque cookie<0..2^8-1>; 01332 * } HelloVerifyRequest; 01333 */ 01334 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 01335 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 01336 p += 2; 01337 01338 /* 01339 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 01340 * even is lower than our min version. 01341 */ 01342 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 01343 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 01344 major_ver > ssl->conf->max_major_ver || 01345 minor_ver > ssl->conf->max_minor_ver ) 01346 { 01347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 01348 01349 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01350 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01351 01352 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01353 } 01354 01355 cookie_len = *p++; 01356 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 01357 01358 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) 01359 { 01360 MBEDTLS_SSL_DEBUG_MSG( 1, 01361 ( "cookie length does not match incoming message size" ) ); 01362 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01363 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01364 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01365 } 01366 01367 mbedtls_free( ssl->handshake->verify_cookie ); 01368 01369 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 01370 if( ssl->handshake->verify_cookie == NULL ) 01371 { 01372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 01373 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 01374 } 01375 01376 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 01377 ssl->handshake->verify_cookie_len = cookie_len; 01378 01379 /* Start over at ClientHello */ 01380 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 01381 mbedtls_ssl_reset_checksum( ssl ); 01382 01383 mbedtls_ssl_recv_flight_completed( ssl ); 01384 01385 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 01386 01387 return( 0 ); 01388 } 01389 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01390 01391 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 01392 { 01393 int ret, i; 01394 size_t n; 01395 size_t ext_len; 01396 unsigned char *buf, *ext; 01397 unsigned char comp; 01398 #if defined(MBEDTLS_ZLIB_SUPPORT) 01399 int accept_comp; 01400 #endif 01401 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01402 int renegotiation_info_seen = 0; 01403 #endif 01404 int handshake_failure = 0; 01405 const mbedtls_ssl_ciphersuite_t *suite_info; 01406 #if defined(MBEDTLS_DEBUG_C) 01407 uint32_t t; 01408 #endif 01409 01410 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01411 01412 buf = ssl->in_msg; 01413 01414 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 01415 { 01416 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 01417 return( ret ); 01418 } 01419 01420 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 01421 { 01422 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01423 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01424 { 01425 ssl->renego_records_seen++; 01426 01427 if( ssl->conf->renego_max_records >= 0 && 01428 ssl->renego_records_seen > ssl->conf->renego_max_records ) 01429 { 01430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01431 "but not honored by server" ) ); 01432 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01433 } 01434 01435 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01436 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01437 } 01438 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01439 01440 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01441 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01442 } 01443 01444 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01445 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01446 { 01447 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 01448 { 01449 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 01450 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01451 return( ssl_parse_hello_verify_request( ssl ) ); 01452 } 01453 else 01454 { 01455 /* We made it through the verification process */ 01456 mbedtls_free( ssl->handshake->verify_cookie ); 01457 ssl->handshake->verify_cookie = NULL; 01458 ssl->handshake->verify_cookie_len = 0; 01459 } 01460 } 01461 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01462 01463 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 01464 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 01465 { 01466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01467 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01468 } 01469 01470 /* 01471 * 0 . 1 server_version 01472 * 2 . 33 random (maybe including 4 bytes of Unix time) 01473 * 34 . 34 session_id length = n 01474 * 35 . 34+n session_id 01475 * 35+n . 36+n cipher_suite 01476 * 37+n . 37+n compression_method 01477 * 01478 * 38+n . 39+n extensions length (optional) 01479 * 40+n . .. extensions 01480 */ 01481 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01482 01483 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 01484 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01485 ssl->conf->transport, buf + 0 ); 01486 01487 if( ssl->major_ver < ssl->conf->min_major_ver || 01488 ssl->minor_ver < ssl->conf->min_minor_ver || 01489 ssl->major_ver > ssl->conf->max_major_ver || 01490 ssl->minor_ver > ssl->conf->max_minor_ver ) 01491 { 01492 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 01493 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 01494 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 01495 ssl->major_ver, ssl->minor_ver, 01496 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 01497 01498 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01499 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01500 01501 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01502 } 01503 01504 #if defined(MBEDTLS_DEBUG_C) 01505 t = ( (uint32_t) buf[2] << 24 ) 01506 | ( (uint32_t) buf[3] << 16 ) 01507 | ( (uint32_t) buf[4] << 8 ) 01508 | ( (uint32_t) buf[5] ); 01509 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 01510 #endif 01511 01512 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 01513 01514 n = buf[34]; 01515 01516 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 01517 01518 if( n > 32 ) 01519 { 01520 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01521 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01522 } 01523 01524 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 01525 { 01526 ext_len = ( ( buf[38 + n] << 8 ) 01527 | ( buf[39 + n] ) ); 01528 01529 if( ( ext_len > 0 && ext_len < 4 ) || 01530 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 01531 { 01532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01533 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01534 } 01535 } 01536 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 01537 { 01538 ext_len = 0; 01539 } 01540 else 01541 { 01542 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01543 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01544 } 01545 01546 /* ciphersuite (used later) */ 01547 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 01548 01549 /* 01550 * Read and check compression 01551 */ 01552 comp = buf[37 + n]; 01553 01554 #if defined(MBEDTLS_ZLIB_SUPPORT) 01555 /* See comments in ssl_write_client_hello() */ 01556 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01557 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01558 accept_comp = 0; 01559 else 01560 #endif 01561 accept_comp = 1; 01562 01563 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 01564 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 01565 #else /* MBEDTLS_ZLIB_SUPPORT */ 01566 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 01567 #endif/* MBEDTLS_ZLIB_SUPPORT */ 01568 { 01569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 01570 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01571 } 01572 01573 /* 01574 * Initialize update checksum functions 01575 */ 01576 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 01577 01578 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 01579 { 01580 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01581 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01582 } 01583 01584 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01585 01586 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01587 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 01588 01589 /* 01590 * Check if the session can be resumed 01591 */ 01592 if( ssl->handshake->resume == 0 || n == 0 || 01593 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01594 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 01595 #endif 01596 ssl->session_negotiate->ciphersuite != i || 01597 ssl->session_negotiate->compression != comp || 01598 ssl->session_negotiate->id_len != n || 01599 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 01600 { 01601 ssl->state++; 01602 ssl->handshake->resume = 0; 01603 #if defined(MBEDTLS_HAVE_TIME) 01604 ssl->session_negotiate->start = mbedtls_time( NULL ); 01605 #endif 01606 ssl->session_negotiate->ciphersuite = i; 01607 ssl->session_negotiate->compression = comp; 01608 ssl->session_negotiate->id_len = n; 01609 memcpy( ssl->session_negotiate->id, buf + 35, n ); 01610 } 01611 else 01612 { 01613 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 01614 01615 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 01616 { 01617 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 01618 return( ret ); 01619 } 01620 } 01621 01622 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01623 ssl->handshake->resume ? "a" : "no" ) ); 01624 01625 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 01626 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 01627 01628 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01629 if( suite_info == NULL 01630 #if defined(MBEDTLS_ARC4_C) 01631 || ( ssl->conf->arc4_disabled && 01632 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 01633 #endif 01634 ) 01635 { 01636 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01637 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01638 } 01639 01640 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 01641 01642 i = 0; 01643 while( 1 ) 01644 { 01645 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01646 { 01647 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01648 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01649 } 01650 01651 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 01652 ssl->session_negotiate->ciphersuite ) 01653 { 01654 break; 01655 } 01656 } 01657 01658 if( comp != MBEDTLS_SSL_COMPRESS_NULL 01659 #if defined(MBEDTLS_ZLIB_SUPPORT) 01660 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 01661 #endif 01662 ) 01663 { 01664 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01665 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01666 } 01667 ssl->session_negotiate->compression = comp; 01668 01669 ext = buf + 40 + n; 01670 01671 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01672 01673 while( ext_len ) 01674 { 01675 unsigned int ext_id = ( ( ext[0] << 8 ) 01676 | ( ext[1] ) ); 01677 unsigned int ext_size = ( ( ext[2] << 8 ) 01678 | ( ext[3] ) ); 01679 01680 if( ext_size + 4 > ext_len ) 01681 { 01682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01683 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01684 } 01685 01686 switch( ext_id ) 01687 { 01688 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01689 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01690 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01691 renegotiation_info_seen = 1; 01692 #endif 01693 01694 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01695 ext_size ) ) != 0 ) 01696 return( ret ); 01697 01698 break; 01699 01700 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01701 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01702 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01703 01704 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01705 ext + 4, ext_size ) ) != 0 ) 01706 { 01707 return( ret ); 01708 } 01709 01710 break; 01711 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01712 01713 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01714 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01715 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01716 01717 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01718 ext + 4, ext_size ) ) != 0 ) 01719 { 01720 return( ret ); 01721 } 01722 01723 break; 01724 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01725 01726 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01727 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01728 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 01729 01730 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 01731 ext + 4, ext_size ) ) != 0 ) 01732 { 01733 return( ret ); 01734 } 01735 01736 break; 01737 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01738 01739 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01740 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01741 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 01742 01743 if( ( ret = ssl_parse_extended_ms_ext( ssl, 01744 ext + 4, ext_size ) ) != 0 ) 01745 { 01746 return( ret ); 01747 } 01748 01749 break; 01750 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01751 01752 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01753 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01755 01756 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01757 ext + 4, ext_size ) ) != 0 ) 01758 { 01759 return( ret ); 01760 } 01761 01762 break; 01763 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01764 01765 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01766 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01767 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01769 01770 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01771 ext + 4, ext_size ) ) != 0 ) 01772 { 01773 return( ret ); 01774 } 01775 01776 break; 01777 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01778 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01779 01780 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01781 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01782 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 01783 01784 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 01785 ext + 4, ext_size ) ) != 0 ) 01786 { 01787 return( ret ); 01788 } 01789 01790 break; 01791 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01792 01793 #if defined(MBEDTLS_SSL_ALPN) 01794 case MBEDTLS_TLS_EXT_ALPN: 01795 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01796 01797 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01798 return( ret ); 01799 01800 break; 01801 #endif /* MBEDTLS_SSL_ALPN */ 01802 01803 default: 01804 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01805 ext_id ) ); 01806 } 01807 01808 ext_len -= 4 + ext_size; 01809 ext += 4 + ext_size; 01810 01811 if( ext_len > 0 && ext_len < 4 ) 01812 { 01813 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01814 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01815 } 01816 } 01817 01818 /* 01819 * Renegotiation security checks 01820 */ 01821 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01822 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01823 { 01824 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01825 handshake_failure = 1; 01826 } 01827 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01828 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01829 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01830 renegotiation_info_seen == 0 ) 01831 { 01832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01833 handshake_failure = 1; 01834 } 01835 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01836 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01837 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01838 { 01839 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01840 handshake_failure = 1; 01841 } 01842 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01843 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01844 renegotiation_info_seen == 1 ) 01845 { 01846 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01847 handshake_failure = 1; 01848 } 01849 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01850 01851 if( handshake_failure == 1 ) 01852 { 01853 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01854 return( ret ); 01855 01856 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01857 } 01858 01859 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01860 01861 return( 0 ); 01862 } 01863 01864 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01865 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01866 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 01867 unsigned char *end ) 01868 { 01869 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01870 01871 /* 01872 * Ephemeral DH parameters: 01873 * 01874 * struct { 01875 * opaque dh_p<1..2^16-1>; 01876 * opaque dh_g<1..2^16-1>; 01877 * opaque dh_Ys<1..2^16-1>; 01878 * } ServerDHParams; 01879 */ 01880 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01881 { 01882 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 01883 return( ret ); 01884 } 01885 01886 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 01887 { 01888 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 01889 ssl->handshake->dhm_ctx.len * 8, 01890 ssl->conf->dhm_min_bitlen ) ); 01891 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01892 } 01893 01894 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 01895 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 01896 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 01897 01898 return( ret ); 01899 } 01900 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 01901 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01902 01903 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01904 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01905 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01906 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01907 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01908 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 01909 { 01910 const mbedtls_ecp_curve_info *curve_info; 01911 01912 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 01913 if( curve_info == NULL ) 01914 { 01915 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01916 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01917 } 01918 01919 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 01920 01921 #if defined(MBEDTLS_ECP_C) 01922 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 01923 #else 01924 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 01925 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 01926 #endif 01927 return( -1 ); 01928 01929 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 01930 01931 return( 0 ); 01932 } 01933 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01934 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01935 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 01936 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 01937 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 01938 01939 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01940 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01941 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01942 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 01943 unsigned char **p, 01944 unsigned char *end ) 01945 { 01946 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01947 01948 /* 01949 * Ephemeral ECDH parameters: 01950 * 01951 * struct { 01952 * ECParameters curve_params; 01953 * ECPoint public; 01954 * } ServerECDHParams; 01955 */ 01956 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 01957 (const unsigned char **) p, end ) ) != 0 ) 01958 { 01959 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 01960 return( ret ); 01961 } 01962 01963 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 01964 { 01965 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 01966 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01967 } 01968 01969 return( ret ); 01970 } 01971 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01972 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01973 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01974 01975 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 01976 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 01977 unsigned char **p, 01978 unsigned char *end ) 01979 { 01980 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01981 size_t len; 01982 ((void) ssl); 01983 01984 /* 01985 * PSK parameters: 01986 * 01987 * opaque psk_identity_hint<0..2^16-1>; 01988 */ 01989 len = (*p)[0] << 8 | (*p)[1]; 01990 *p += 2; 01991 01992 if( (*p) + len > end ) 01993 { 01994 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) ); 01995 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01996 } 01997 01998 /* 01999 * Note: we currently ignore the PKS identity hint, as we only allow one 02000 * PSK to be provisionned on the client. This could be changed later if 02001 * someone needs that feature. 02002 */ 02003 *p += len; 02004 ret = 0; 02005 02006 return( ret ); 02007 } 02008 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02009 02010 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 02011 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02012 /* 02013 * Generate a pre-master secret and encrypt it with the server's RSA key 02014 */ 02015 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 02016 size_t offset, size_t *olen, 02017 size_t pms_offset ) 02018 { 02019 int ret; 02020 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 02021 unsigned char *p = ssl->handshake->premaster + pms_offset; 02022 02023 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02024 { 02025 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 02026 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02027 } 02028 02029 /* 02030 * Generate (part of) the pre-master as 02031 * struct { 02032 * ProtocolVersion client_version; 02033 * opaque random[46]; 02034 * } PreMasterSecret; 02035 */ 02036 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 02037 ssl->conf->transport, p ); 02038 02039 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 02040 { 02041 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 02042 return( ret ); 02043 } 02044 02045 ssl->handshake->pmslen = 48; 02046 02047 if( ssl->session_negotiate->peer_cert == NULL ) 02048 { 02049 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02050 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02051 } 02052 02053 /* 02054 * Now write it out, encrypted 02055 */ 02056 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02057 MBEDTLS_PK_RSA ) ) 02058 { 02059 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 02060 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02061 } 02062 02063 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 02064 p, ssl->handshake->pmslen, 02065 ssl->out_msg + offset + len_bytes, olen, 02066 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, 02067 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02068 { 02069 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 02070 return( ret ); 02071 } 02072 02073 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02074 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02075 if( len_bytes == 2 ) 02076 { 02077 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 02078 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 02079 *olen += 2; 02080 } 02081 #endif 02082 02083 return( 0 ); 02084 } 02085 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 02086 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02087 02088 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02089 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02090 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02091 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02092 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 02093 unsigned char **p, 02094 unsigned char *end, 02095 mbedtls_md_type_t *md_alg, 02096 mbedtls_pk_type_t *pk_alg ) 02097 { 02098 ((void) ssl); 02099 *md_alg = MBEDTLS_MD_NONE; 02100 *pk_alg = MBEDTLS_PK_NONE; 02101 02102 /* Only in TLS 1.2 */ 02103 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 02104 { 02105 return( 0 ); 02106 } 02107 02108 if( (*p) + 2 > end ) 02109 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02110 02111 /* 02112 * Get hash algorithm 02113 */ 02114 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 02115 { 02116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " 02117 "HashAlgorithm %d", *(p)[0] ) ); 02118 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02119 } 02120 02121 /* 02122 * Get signature algorithm 02123 */ 02124 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 02125 { 02126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " 02127 "SignatureAlgorithm %d", (*p)[1] ) ); 02128 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02129 } 02130 02131 /* 02132 * Check if the hash is acceptable 02133 */ 02134 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 02135 { 02136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm " 02137 "that was not offered" ) ); 02138 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02139 } 02140 02141 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 02142 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 02143 *p += 2; 02144 02145 return( 0 ); 02146 } 02147 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02148 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02149 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02150 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02151 02152 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02153 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02154 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02155 { 02156 int ret; 02157 const mbedtls_ecp_keypair *peer_key; 02158 02159 if( ssl->session_negotiate->peer_cert == NULL ) 02160 { 02161 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02162 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02163 } 02164 02165 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02166 MBEDTLS_PK_ECKEY ) ) 02167 { 02168 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02169 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02170 } 02171 02172 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 02173 02174 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 02175 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 02176 { 02177 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02178 return( ret ); 02179 } 02180 02181 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02182 { 02183 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 02184 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 02185 } 02186 02187 return( ret ); 02188 } 02189 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02190 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02191 02192 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 02193 { 02194 int ret; 02195 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02196 unsigned char *p, *end; 02197 02198 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 02199 02200 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02201 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02202 { 02203 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02204 ssl->state++; 02205 return( 0 ); 02206 } 02207 ((void) p); 02208 ((void) end); 02209 #endif 02210 02211 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02212 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02213 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02214 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02215 { 02216 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 02217 { 02218 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 02219 return( ret ); 02220 } 02221 02222 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02223 ssl->state++; 02224 return( 0 ); 02225 } 02226 ((void) p); 02227 ((void) end); 02228 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02229 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02230 02231 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02232 { 02233 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02234 return( ret ); 02235 } 02236 02237 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02238 { 02239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02240 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02241 } 02242 02243 /* 02244 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 02245 * doesn't use a psk_identity_hint 02246 */ 02247 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 02248 { 02249 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02250 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02251 { 02252 ssl->record_read = 1; 02253 goto exit; 02254 } 02255 02256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02257 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02258 } 02259 02260 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02261 end = ssl->in_msg + ssl->in_hslen; 02262 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 02263 02264 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02265 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02266 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02267 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02268 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02269 { 02270 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 02271 { 02272 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02273 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02274 } 02275 } /* FALLTROUGH */ 02276 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02277 02278 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02279 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02280 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02281 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02282 ; /* nothing more to do */ 02283 else 02284 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 02285 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02286 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02287 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02288 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02289 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02290 { 02291 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 02292 { 02293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02294 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02295 } 02296 } 02297 else 02298 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02299 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02300 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02301 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02302 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02303 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02304 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02305 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02306 { 02307 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 02308 { 02309 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02310 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02311 } 02312 } 02313 else 02314 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02315 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02316 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02317 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02318 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02319 { 02320 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 02321 p, end - p ); 02322 if( ret != 0 ) 02323 { 02324 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 02325 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02326 } 02327 } 02328 else 02329 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02330 { 02331 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02332 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02333 } 02334 02335 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02336 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02337 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02338 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02339 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02340 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02341 { 02342 size_t sig_len, hashlen; 02343 unsigned char hash[64]; 02344 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02345 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 02346 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02347 size_t params_len = p - params; 02348 02349 /* 02350 * Handle the digitally-signed structure 02351 */ 02352 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02353 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02354 { 02355 if( ssl_parse_signature_algorithm( ssl, &p, end, 02356 &md_alg, &pk_alg ) != 0 ) 02357 { 02358 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02359 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02360 } 02361 02362 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 02363 { 02364 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02365 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02366 } 02367 } 02368 else 02369 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02370 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02371 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02372 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 02373 { 02374 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 02375 02376 /* Default hash for ECDSA is SHA-1 */ 02377 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 02378 md_alg = MBEDTLS_MD_SHA1; 02379 } 02380 else 02381 #endif 02382 { 02383 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02384 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02385 } 02386 02387 /* 02388 * Read signature 02389 */ 02390 sig_len = ( p[0] << 8 ) | p[1]; 02391 p += 2; 02392 02393 if( end != p + sig_len ) 02394 { 02395 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02396 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02397 } 02398 02399 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 02400 02401 /* 02402 * Compute the hash that has been signed 02403 */ 02404 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02405 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02406 if( md_alg == MBEDTLS_MD_NONE ) 02407 { 02408 mbedtls_md5_context mbedtls_md5; 02409 mbedtls_sha1_context mbedtls_sha1; 02410 02411 mbedtls_md5_init( &mbedtls_md5 ); 02412 mbedtls_sha1_init( &mbedtls_sha1 ); 02413 02414 hashlen = 36; 02415 02416 /* 02417 * digitally-signed struct { 02418 * opaque md5_hash[16]; 02419 * opaque sha_hash[20]; 02420 * }; 02421 * 02422 * md5_hash 02423 * MD5(ClientHello.random + ServerHello.random 02424 * + ServerParams); 02425 * sha_hash 02426 * SHA(ClientHello.random + ServerHello.random 02427 * + ServerParams); 02428 */ 02429 mbedtls_md5_starts( &mbedtls_md5 ); 02430 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); 02431 mbedtls_md5_update( &mbedtls_md5, params, params_len ); 02432 mbedtls_md5_finish( &mbedtls_md5, hash ); 02433 02434 mbedtls_sha1_starts( &mbedtls_sha1 ); 02435 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); 02436 mbedtls_sha1_update( &mbedtls_sha1, params, params_len ); 02437 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); 02438 02439 mbedtls_md5_free( &mbedtls_md5 ); 02440 mbedtls_sha1_free( &mbedtls_sha1 ); 02441 } 02442 else 02443 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02444 MBEDTLS_SSL_PROTO_TLS1_1 */ 02445 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02446 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02447 if( md_alg != MBEDTLS_MD_NONE ) 02448 { 02449 mbedtls_md_context_t ctx; 02450 02451 mbedtls_md_init( &ctx ); 02452 02453 /* Info from md_alg will be used instead */ 02454 hashlen = 0; 02455 02456 /* 02457 * digitally-signed struct { 02458 * opaque client_random[32]; 02459 * opaque server_random[32]; 02460 * ServerDHParams params; 02461 * }; 02462 */ 02463 if( ( ret = mbedtls_md_setup( &ctx, 02464 mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 ) 02465 { 02466 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 02467 return( ret ); 02468 } 02469 02470 mbedtls_md_starts( &ctx ); 02471 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); 02472 mbedtls_md_update( &ctx, params, params_len ); 02473 mbedtls_md_finish( &ctx, hash ); 02474 mbedtls_md_free( &ctx ); 02475 } 02476 else 02477 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02478 MBEDTLS_SSL_PROTO_TLS1_2 */ 02479 { 02480 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02481 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02482 } 02483 02484 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02485 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 02486 02487 if( ssl->session_negotiate->peer_cert == NULL ) 02488 { 02489 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02490 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02491 } 02492 02493 /* 02494 * Verify signature 02495 */ 02496 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 02497 { 02498 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02499 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02500 } 02501 02502 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 02503 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 02504 { 02505 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 02506 return( ret ); 02507 } 02508 } 02509 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02510 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02511 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02512 02513 exit: 02514 ssl->state++; 02515 02516 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02517 02518 return( 0 ); 02519 } 02520 02521 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02522 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02523 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 02524 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02525 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 02526 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02527 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02528 { 02529 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02530 02531 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02532 02533 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02534 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02535 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02536 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02537 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02538 { 02539 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02540 ssl->state++; 02541 return( 0 ); 02542 } 02543 02544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02545 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02546 } 02547 #else 02548 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02549 { 02550 int ret; 02551 unsigned char *buf; 02552 size_t n = 0; 02553 size_t cert_type_len = 0, dn_len = 0; 02554 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02555 02556 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02557 02558 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02559 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02560 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02561 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02562 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02563 { 02564 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02565 ssl->state++; 02566 return( 0 ); 02567 } 02568 02569 if( ssl->record_read == 0 ) 02570 { 02571 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02572 { 02573 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02574 return( ret ); 02575 } 02576 02577 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02578 { 02579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02580 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02581 } 02582 02583 ssl->record_read = 1; 02584 } 02585 02586 ssl->client_auth = 0; 02587 ssl->state++; 02588 02589 if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) 02590 ssl->client_auth++; 02591 02592 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 02593 ssl->client_auth ? "a" : "no" ) ); 02594 02595 if( ssl->client_auth == 0 ) 02596 goto exit; 02597 02598 ssl->record_read = 0; 02599 02600 /* 02601 * struct { 02602 * ClientCertificateType certificate_types<1..2^8-1>; 02603 * SignatureAndHashAlgorithm 02604 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 02605 * DistinguishedName certificate_authorities<0..2^16-1>; 02606 * } CertificateRequest; 02607 * 02608 * Since we only support a single certificate on clients, let's just 02609 * ignore all the information that's supposed to help us pick a 02610 * certificate. 02611 * 02612 * We could check that our certificate matches the request, and bail out 02613 * if it doesn't, but it's simpler to just send the certificate anyway, 02614 * and give the server the opportunity to decide if it should terminate 02615 * the connection when it doesn't like our certificate. 02616 * 02617 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 02618 * point we only have one hash available (see comments in 02619 * write_certificate_verify), so let's just use what we have. 02620 * 02621 * However, we still minimally parse the message to check it is at least 02622 * superficially sane. 02623 */ 02624 buf = ssl->in_msg; 02625 02626 /* certificate_types */ 02627 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 02628 n = cert_type_len; 02629 02630 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02631 { 02632 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02633 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02634 } 02635 02636 /* supported_signature_algorithms */ 02637 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02638 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02639 { 02640 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02641 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02642 #if defined(MBEDTLS_DEBUG_C) 02643 unsigned char* sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; 02644 size_t i; 02645 02646 for( i = 0; i < sig_alg_len; i += 2 ) 02647 { 02648 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d,%d", sig_alg[i], sig_alg[i + 1] ) ); 02649 } 02650 #endif 02651 02652 n += 2 + sig_alg_len; 02653 02654 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02655 { 02656 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02657 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02658 } 02659 } 02660 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02661 02662 /* certificate_authorities */ 02663 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02664 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02665 02666 n += dn_len; 02667 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 02668 { 02669 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02670 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02671 } 02672 02673 exit: 02674 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 02675 02676 return( 0 ); 02677 } 02678 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 02679 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 02680 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 02681 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02682 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 02683 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02684 02685 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 02686 { 02687 int ret; 02688 02689 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 02690 02691 if( ssl->record_read == 0 ) 02692 { 02693 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02694 { 02695 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02696 return( ret ); 02697 } 02698 02699 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02700 { 02701 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02702 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02703 } 02704 } 02705 ssl->record_read = 0; 02706 02707 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 02708 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 02709 { 02710 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02711 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02712 } 02713 02714 ssl->state++; 02715 02716 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02717 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02718 mbedtls_ssl_recv_flight_completed( ssl ); 02719 #endif 02720 02721 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02722 02723 return( 0 ); 02724 } 02725 02726 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 02727 { 02728 int ret; 02729 size_t i, n; 02730 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02731 02732 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02733 02734 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 02735 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 02736 { 02737 /* 02738 * DHM key exchange -- send G^X mod P 02739 */ 02740 n = ssl->handshake->dhm_ctx.len; 02741 02742 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02743 ssl->out_msg[5] = (unsigned char)( n ); 02744 i = 6; 02745 02746 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02747 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02748 &ssl->out_msg[i], n, 02749 ssl->conf->f_rng, ssl->conf->p_rng ); 02750 if( ret != 0 ) 02751 { 02752 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02753 return( ret ); 02754 } 02755 02756 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02757 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02758 02759 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 02760 ssl->handshake->premaster, 02761 MBEDTLS_PREMASTER_SIZE, 02762 &ssl->handshake->pmslen, 02763 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02764 { 02765 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 02766 return( ret ); 02767 } 02768 02769 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02770 } 02771 else 02772 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02773 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02774 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02775 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02776 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02777 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02778 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 02779 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02780 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02781 { 02782 /* 02783 * ECDH key exchange -- send client public value 02784 */ 02785 i = 4; 02786 02787 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 02788 &n, 02789 &ssl->out_msg[i], 1000, 02790 ssl->conf->f_rng, ssl->conf->p_rng ); 02791 if( ret != 0 ) 02792 { 02793 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02794 return( ret ); 02795 } 02796 02797 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02798 02799 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02800 &ssl->handshake->pmslen, 02801 ssl->handshake->premaster, 02802 MBEDTLS_MPI_MAX_SIZE, 02803 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02804 { 02805 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 02806 return( ret ); 02807 } 02808 02809 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02810 } 02811 else 02812 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02813 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02814 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02815 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02816 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02817 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02818 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02819 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02820 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02821 { 02822 /* 02823 * opaque psk_identity<0..2^16-1>; 02824 */ 02825 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 02826 { 02827 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 02828 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02829 } 02830 02831 i = 4; 02832 n = ssl->conf->psk_identity_len; 02833 02834 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02835 { 02836 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 02837 "SSL buffer too short" ) ); 02838 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02839 } 02840 02841 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02842 ssl->out_msg[i++] = (unsigned char)( n ); 02843 02844 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 02845 i += ssl->conf->psk_identity_len; 02846 02847 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 02848 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 02849 { 02850 n = 0; 02851 } 02852 else 02853 #endif 02854 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02855 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02856 { 02857 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02858 return( ret ); 02859 } 02860 else 02861 #endif 02862 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02863 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02864 { 02865 /* 02866 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02867 */ 02868 n = ssl->handshake->dhm_ctx.len; 02869 02870 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02871 { 02872 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 02873 " or SSL buffer too short" ) ); 02874 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02875 } 02876 02877 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02878 ssl->out_msg[i++] = (unsigned char)( n ); 02879 02880 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02881 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02882 &ssl->out_msg[i], n, 02883 ssl->conf->f_rng, ssl->conf->p_rng ); 02884 if( ret != 0 ) 02885 { 02886 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02887 return( ret ); 02888 } 02889 } 02890 else 02891 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02892 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02893 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02894 { 02895 /* 02896 * ClientECDiffieHellmanPublic public; 02897 */ 02898 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 02899 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, 02900 ssl->conf->f_rng, ssl->conf->p_rng ); 02901 if( ret != 0 ) 02902 { 02903 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02904 return( ret ); 02905 } 02906 02907 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02908 } 02909 else 02910 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02911 { 02912 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02913 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02914 } 02915 02916 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 02917 ciphersuite_info->key_exchange ) ) != 0 ) 02918 { 02919 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 02920 return( ret ); 02921 } 02922 } 02923 else 02924 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02925 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02926 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02927 { 02928 i = 4; 02929 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 02930 return( ret ); 02931 } 02932 else 02933 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02934 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02935 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02936 { 02937 i = 4; 02938 02939 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02940 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, 02941 ssl->conf->f_rng, ssl->conf->p_rng ); 02942 if( ret != 0 ) 02943 { 02944 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02945 return( ret ); 02946 } 02947 02948 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 02949 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 02950 ssl->conf->f_rng, ssl->conf->p_rng ); 02951 if( ret != 0 ) 02952 { 02953 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 02954 return( ret ); 02955 } 02956 } 02957 else 02958 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02959 { 02960 ((void) ciphersuite_info); 02961 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02962 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02963 } 02964 02965 ssl->out_msglen = i + n; 02966 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02967 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 02968 02969 ssl->state++; 02970 02971 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02972 { 02973 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02974 return( ret ); 02975 } 02976 02977 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 02978 02979 return( 0 ); 02980 } 02981 02982 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02983 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02984 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 02985 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02986 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 02987 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02988 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 02989 { 02990 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02991 int ret; 02992 02993 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 02994 02995 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 02996 { 02997 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 02998 return( ret ); 02999 } 03000 03001 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03002 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03003 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03004 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03005 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03006 { 03007 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03008 ssl->state++; 03009 return( 0 ); 03010 } 03011 03012 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03013 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03014 } 03015 #else 03016 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03017 { 03018 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03019 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03020 size_t n = 0, offset = 0; 03021 unsigned char hash[48]; 03022 unsigned char *hash_start = hash; 03023 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 03024 unsigned int hashlen; 03025 03026 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03027 03028 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03029 { 03030 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03031 return( ret ); 03032 } 03033 03034 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03035 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03036 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03037 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03038 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03039 { 03040 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03041 ssl->state++; 03042 return( 0 ); 03043 } 03044 03045 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 03046 { 03047 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03048 ssl->state++; 03049 return( 0 ); 03050 } 03051 03052 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03053 { 03054 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 03055 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03056 } 03057 03058 /* 03059 * Make an RSA signature of the handshake digests 03060 */ 03061 ssl->handshake->calc_verify( ssl, hash ); 03062 03063 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03064 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03065 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03066 { 03067 /* 03068 * digitally-signed struct { 03069 * opaque md5_hash[16]; 03070 * opaque sha_hash[20]; 03071 * }; 03072 * 03073 * md5_hash 03074 * MD5(handshake_messages); 03075 * 03076 * sha_hash 03077 * SHA(handshake_messages); 03078 */ 03079 hashlen = 36; 03080 md_alg = MBEDTLS_MD_NONE; 03081 03082 /* 03083 * For ECDSA, default hash is SHA-1 only 03084 */ 03085 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 03086 { 03087 hash_start += 16; 03088 hashlen -= 16; 03089 md_alg = MBEDTLS_MD_SHA1; 03090 } 03091 } 03092 else 03093 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03094 MBEDTLS_SSL_PROTO_TLS1_1 */ 03095 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03096 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03097 { 03098 /* 03099 * digitally-signed struct { 03100 * opaque handshake_messages[handshake_messages_length]; 03101 * }; 03102 * 03103 * Taking shortcut here. We assume that the server always allows the 03104 * PRF Hash function and has sent it in the allowed signature 03105 * algorithms list received in the Certificate Request message. 03106 * 03107 * Until we encounter a server that does not, we will take this 03108 * shortcut. 03109 * 03110 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 03111 * in order to satisfy 'weird' needs from the server side. 03112 */ 03113 if( ssl->transform_negotiate->ciphersuite_info->mac == 03114 MBEDTLS_MD_SHA384 ) 03115 { 03116 md_alg = MBEDTLS_MD_SHA384; 03117 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 03118 } 03119 else 03120 { 03121 md_alg = MBEDTLS_MD_SHA256; 03122 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 03123 } 03124 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 03125 03126 /* Info from md_alg will be used instead */ 03127 hashlen = 0; 03128 offset = 2; 03129 } 03130 else 03131 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03132 { 03133 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03134 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03135 } 03136 03137 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 03138 ssl->out_msg + 6 + offset, &n, 03139 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03140 { 03141 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03142 return( ret ); 03143 } 03144 03145 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 03146 ssl->out_msg[5 + offset] = (unsigned char)( n ); 03147 03148 ssl->out_msglen = 6 + n + offset; 03149 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03150 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 03151 03152 ssl->state++; 03153 03154 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03155 { 03156 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03157 return( ret ); 03158 } 03159 03160 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 03161 03162 return( ret ); 03163 } 03164 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03165 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03166 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 03167 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 03168 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 03169 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03170 03171 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03172 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 03173 { 03174 int ret; 03175 uint32_t lifetime; 03176 size_t ticket_len; 03177 unsigned char *ticket; 03178 const unsigned char *msg; 03179 03180 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 03181 03182 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03183 { 03184 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03185 return( ret ); 03186 } 03187 03188 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03189 { 03190 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03191 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03192 } 03193 03194 /* 03195 * struct { 03196 * uint32 ticket_lifetime_hint; 03197 * opaque ticket<0..2^16-1>; 03198 * } NewSessionTicket; 03199 * 03200 * 0 . 3 ticket_lifetime_hint 03201 * 4 . 5 ticket_len (n) 03202 * 6 . 5+n ticket content 03203 */ 03204 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 03205 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 03206 { 03207 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03208 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03209 } 03210 03211 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03212 03213 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | 03214 ( msg[2] << 8 ) | ( msg[3] ); 03215 03216 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 03217 03218 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 03219 { 03220 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03221 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03222 } 03223 03224 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 03225 03226 /* We're not waiting for a NewSessionTicket message any more */ 03227 ssl->handshake->new_session_ticket = 0; 03228 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 03229 03230 /* 03231 * Zero-length ticket means the server changed his mind and doesn't want 03232 * to send a ticket after all, so just forget it 03233 */ 03234 if( ticket_len == 0 ) 03235 return( 0 ); 03236 03237 mbedtls_zeroize( ssl->session_negotiate->ticket, 03238 ssl->session_negotiate->ticket_len ); 03239 mbedtls_free( ssl->session_negotiate->ticket ); 03240 ssl->session_negotiate->ticket = NULL; 03241 ssl->session_negotiate->ticket_len = 0; 03242 03243 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 03244 { 03245 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 03246 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03247 } 03248 03249 memcpy( ticket, msg + 6, ticket_len ); 03250 03251 ssl->session_negotiate->ticket = ticket; 03252 ssl->session_negotiate->ticket_len = ticket_len; 03253 ssl->session_negotiate->ticket_lifetime = lifetime; 03254 03255 /* 03256 * RFC 5077 section 3.4: 03257 * "If the client receives a session ticket from the server, then it 03258 * discards any Session ID that was sent in the ServerHello." 03259 */ 03260 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 03261 ssl->session_negotiate->id_len = 0; 03262 03263 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 03264 03265 return( 0 ); 03266 } 03267 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03268 03269 /* 03270 * SSL handshake -- client side -- single step 03271 */ 03272 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 03273 { 03274 int ret = 0; 03275 03276 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03277 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03278 03279 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 03280 03281 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03282 return( ret ); 03283 03284 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03285 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03286 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03287 { 03288 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03289 return( ret ); 03290 } 03291 #endif 03292 03293 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 03294 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 03295 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03296 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 03297 ssl->handshake->new_session_ticket != 0 ) 03298 { 03299 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 03300 } 03301 #endif 03302 03303 switch( ssl->state ) 03304 { 03305 case MBEDTLS_SSL_HELLO_REQUEST: 03306 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03307 break; 03308 03309 /* 03310 * ==> ClientHello 03311 */ 03312 case MBEDTLS_SSL_CLIENT_HELLO: 03313 ret = ssl_write_client_hello( ssl ); 03314 break; 03315 03316 /* 03317 * <== ServerHello 03318 * Certificate 03319 * ( ServerKeyExchange ) 03320 * ( CertificateRequest ) 03321 * ServerHelloDone 03322 */ 03323 case MBEDTLS_SSL_SERVER_HELLO: 03324 ret = ssl_parse_server_hello( ssl ); 03325 break; 03326 03327 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03328 ret = mbedtls_ssl_parse_certificate( ssl ); 03329 break; 03330 03331 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03332 ret = ssl_parse_server_key_exchange( ssl ); 03333 break; 03334 03335 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03336 ret = ssl_parse_certificate_request( ssl ); 03337 break; 03338 03339 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03340 ret = ssl_parse_server_hello_done( ssl ); 03341 break; 03342 03343 /* 03344 * ==> ( Certificate/Alert ) 03345 * ClientKeyExchange 03346 * ( CertificateVerify ) 03347 * ChangeCipherSpec 03348 * Finished 03349 */ 03350 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03351 ret = mbedtls_ssl_write_certificate( ssl ); 03352 break; 03353 03354 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03355 ret = ssl_write_client_key_exchange( ssl ); 03356 break; 03357 03358 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03359 ret = ssl_write_certificate_verify( ssl ); 03360 break; 03361 03362 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03363 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 03364 break; 03365 03366 case MBEDTLS_SSL_CLIENT_FINISHED: 03367 ret = mbedtls_ssl_write_finished( ssl ); 03368 break; 03369 03370 /* 03371 * <== ( NewSessionTicket ) 03372 * ChangeCipherSpec 03373 * Finished 03374 */ 03375 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03376 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 03377 ret = ssl_parse_new_session_ticket( ssl ); 03378 break; 03379 #endif 03380 03381 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 03382 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 03383 break; 03384 03385 case MBEDTLS_SSL_SERVER_FINISHED: 03386 ret = mbedtls_ssl_parse_finished( ssl ); 03387 break; 03388 03389 case MBEDTLS_SSL_FLUSH_BUFFERS: 03390 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03391 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 03392 break; 03393 03394 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 03395 mbedtls_ssl_handshake_wrapup( ssl ); 03396 break; 03397 03398 default: 03399 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03400 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03401 } 03402 03403 return( ret ); 03404 } 03405 #endif /* MBEDTLS_SSL_CLI_C */
Generated on Tue Jul 12 2022 11:02:53 by
1.7.2