sandbox
/
mbedtls
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
mbedtls
by 
Christopher Haster
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_CLI_C) 00029 00030 #include "mbedtls/debug.h" 00031 #include "mbedtls/ssl.h" 00032 #include "mbedtls/ssl_internal.h" 00033 00034 #include <string.h> 00035 00036 #if defined(MBEDTLS_PLATFORM_C) 00037 #include "mbedtls/platform.h" 00038 #else 00039 #include <stdlib.h> 00040 #define mbedtls_calloc calloc 00041 #define mbedtls_free free 00042 #endif 00043 00044 #include <stdint.h> 00045 00046 #if defined(MBEDTLS_HAVE_TIME) 00047 #include <time.h> 00048 #endif 00049 00050 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00051 /* Implementation that should never be optimized out by the compiler */ 00052 static void mbedtls_zeroize( void *v, size_t n ) { 00053 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00054 } 00055 #endif 00056 00057 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00058 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 00059 unsigned char *buf, 00060 size_t *olen ) 00061 { 00062 unsigned char *p = buf; 00063 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00064 size_t hostname_len; 00065 00066 *olen = 0; 00067 00068 if( ssl->hostname == NULL ) 00069 return; 00070 00071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00072 ssl->hostname ) ); 00073 00074 hostname_len = strlen( ssl->hostname ); 00075 00076 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 00077 { 00078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00079 return; 00080 } 00081 00082 /* 00083 * struct { 00084 * NameType name_type; 00085 * select (name_type) { 00086 * case host_name: HostName; 00087 * } name; 00088 * } ServerName; 00089 * 00090 * enum { 00091 * host_name(0), (255) 00092 * } NameType; 00093 * 00094 * opaque HostName<1..2^16-1>; 00095 * 00096 * struct { 00097 * ServerName server_name_list<1..2^16-1> 00098 * } ServerNameList; 00099 */ 00100 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00101 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 00102 00103 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 00104 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 00105 00106 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 00107 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 00108 00109 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00110 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 00111 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 00112 00113 memcpy( p, ssl->hostname, hostname_len ); 00114 00115 *olen = hostname_len + 9; 00116 } 00117 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00118 00119 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00120 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 00121 unsigned char *buf, 00122 size_t *olen ) 00123 { 00124 unsigned char *p = buf; 00125 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00126 00127 *olen = 0; 00128 00129 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00130 return; 00131 00132 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00133 00134 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 00135 { 00136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00137 return; 00138 } 00139 00140 /* 00141 * Secure renegotiation 00142 */ 00143 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00144 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00145 00146 *p++ = 0x00; 00147 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00148 *p++ = ssl->verify_data_len & 0xFF; 00149 00150 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00151 00152 *olen = 5 + ssl->verify_data_len; 00153 } 00154 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00155 00156 /* 00157 * Only if we handle at least one key exchange that needs signatures. 00158 */ 00159 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00160 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00161 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00162 unsigned char *buf, 00163 size_t *olen ) 00164 { 00165 unsigned char *p = buf; 00166 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00167 size_t sig_alg_len = 0; 00168 const int *md; 00169 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 00170 unsigned char *sig_alg_list = buf + 6; 00171 #endif 00172 00173 *olen = 0; 00174 00175 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 00176 return; 00177 00178 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00179 00180 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00181 { 00182 #if defined(MBEDTLS_ECDSA_C) 00183 sig_alg_len += 2; 00184 #endif 00185 #if defined(MBEDTLS_RSA_C) 00186 sig_alg_len += 2; 00187 #endif 00188 } 00189 00190 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 00191 { 00192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00193 return; 00194 } 00195 00196 /* 00197 * Prepare signature_algorithms extension (TLS 1.2) 00198 */ 00199 sig_alg_len = 0; 00200 00201 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00202 { 00203 #if defined(MBEDTLS_ECDSA_C) 00204 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00205 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 00206 #endif 00207 #if defined(MBEDTLS_RSA_C) 00208 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00209 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 00210 #endif 00211 } 00212 00213 /* 00214 * enum { 00215 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00216 * sha512(6), (255) 00217 * } HashAlgorithm; 00218 * 00219 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00220 * SignatureAlgorithm; 00221 * 00222 * struct { 00223 * HashAlgorithm hash; 00224 * SignatureAlgorithm signature; 00225 * } SignatureAndHashAlgorithm; 00226 * 00227 * SignatureAndHashAlgorithm 00228 * supported_signature_algorithms<2..2^16-2>; 00229 */ 00230 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00231 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 00232 00233 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00234 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00235 00236 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00237 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00238 00239 *olen = 6 + sig_alg_len; 00240 } 00241 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00242 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00243 00244 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00245 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00246 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 00247 unsigned char *buf, 00248 size_t *olen ) 00249 { 00250 unsigned char *p = buf; 00251 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00252 unsigned char *elliptic_curve_list = p + 6; 00253 size_t elliptic_curve_len = 0; 00254 const mbedtls_ecp_curve_info *info; 00255 #if defined(MBEDTLS_ECP_C) 00256 const mbedtls_ecp_group_id *grp_id; 00257 #else 00258 ((void) ssl); 00259 #endif 00260 00261 *olen = 0; 00262 00263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00264 00265 #if defined(MBEDTLS_ECP_C) 00266 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00267 { 00268 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00269 #else 00270 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00271 { 00272 #endif 00273 elliptic_curve_len += 2; 00274 } 00275 00276 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 00277 { 00278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00279 return; 00280 } 00281 00282 elliptic_curve_len = 0; 00283 00284 #if defined(MBEDTLS_ECP_C) 00285 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00286 { 00287 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00288 #else 00289 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00290 { 00291 #endif 00292 00293 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00294 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00295 } 00296 00297 if( elliptic_curve_len == 0 ) 00298 return; 00299 00300 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00301 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00302 00303 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00304 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00305 00306 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00307 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00308 00309 *olen = 6 + elliptic_curve_len; 00310 } 00311 00312 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 00313 unsigned char *buf, 00314 size_t *olen ) 00315 { 00316 unsigned char *p = buf; 00317 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00318 00319 *olen = 0; 00320 00321 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00322 00323 if( end < p || (size_t)( end - p ) < 6 ) 00324 { 00325 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00326 return; 00327 } 00328 00329 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00330 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00331 00332 *p++ = 0x00; 00333 *p++ = 2; 00334 00335 *p++ = 1; 00336 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 00337 00338 *olen = 6; 00339 } 00340 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00341 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00342 00343 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00344 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 00345 unsigned char *buf, 00346 size_t *olen ) 00347 { 00348 int ret; 00349 unsigned char *p = buf; 00350 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00351 size_t kkpp_len; 00352 00353 *olen = 0; 00354 00355 /* Skip costly extension if we can't use EC J-PAKE anyway */ 00356 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00357 return; 00358 00359 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 00360 00361 if( end - p < 4 ) 00362 { 00363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00364 return; 00365 } 00366 00367 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 00368 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 00369 00370 /* 00371 * We may need to send ClientHello multiple times for Hello verification. 00372 * We don't want to compute fresh values every time (both for performance 00373 * and consistency reasons), so cache the extension content. 00374 */ 00375 if( ssl->handshake->ecjpake_cache == NULL || 00376 ssl->handshake->ecjpake_cache_len == 0 ) 00377 { 00378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 00379 00380 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 00381 p + 2, end - p - 2, &kkpp_len, 00382 ssl->conf->f_rng, ssl->conf->p_rng ); 00383 if( ret != 0 ) 00384 { 00385 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 00386 return; 00387 } 00388 00389 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 00390 if( ssl->handshake->ecjpake_cache == NULL ) 00391 { 00392 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 00393 return; 00394 } 00395 00396 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 00397 ssl->handshake->ecjpake_cache_len = kkpp_len; 00398 } 00399 else 00400 { 00401 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 00402 00403 kkpp_len = ssl->handshake->ecjpake_cache_len; 00404 00405 if( (size_t)( end - p - 2 ) < kkpp_len ) 00406 { 00407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00408 return; 00409 } 00410 00411 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 00412 } 00413 00414 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 00415 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 00416 00417 *olen = kkpp_len + 4; 00418 } 00419 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00420 00421 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00422 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00423 unsigned char *buf, 00424 size_t *olen ) 00425 { 00426 unsigned char *p = buf; 00427 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00428 00429 *olen = 0; 00430 00431 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 00432 return; 00433 } 00434 00435 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00436 00437 if( end < p || (size_t)( end - p ) < 5 ) 00438 { 00439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00440 return; 00441 } 00442 00443 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00444 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00445 00446 *p++ = 0x00; 00447 *p++ = 1; 00448 00449 *p++ = ssl->conf->mfl_code; 00450 00451 *olen = 5; 00452 } 00453 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00454 00455 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00456 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00457 unsigned char *buf, size_t *olen ) 00458 { 00459 unsigned char *p = buf; 00460 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00461 00462 *olen = 0; 00463 00464 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 00465 { 00466 return; 00467 } 00468 00469 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00470 00471 if( end < p || (size_t)( end - p ) < 4 ) 00472 { 00473 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00474 return; 00475 } 00476 00477 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00478 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00479 00480 *p++ = 0x00; 00481 *p++ = 0x00; 00482 00483 *olen = 4; 00484 } 00485 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00486 00487 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00488 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00489 unsigned char *buf, size_t *olen ) 00490 { 00491 unsigned char *p = buf; 00492 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00493 00494 *olen = 0; 00495 00496 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 00497 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00498 { 00499 return; 00500 } 00501 00502 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00503 "extension" ) ); 00504 00505 if( end < p || (size_t)( end - p ) < 4 ) 00506 { 00507 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00508 return; 00509 } 00510 00511 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00512 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00513 00514 *p++ = 0x00; 00515 *p++ = 0x00; 00516 00517 *olen = 4; 00518 } 00519 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00520 00521 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00522 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 00523 unsigned char *buf, size_t *olen ) 00524 { 00525 unsigned char *p = buf; 00526 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00527 00528 *olen = 0; 00529 00530 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 00531 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00532 { 00533 return; 00534 } 00535 00536 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00537 "extension" ) ); 00538 00539 if( end < p || (size_t)( end - p ) < 4 ) 00540 { 00541 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00542 return; 00543 } 00544 00545 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00546 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00547 00548 *p++ = 0x00; 00549 *p++ = 0x00; 00550 00551 *olen = 4; 00552 } 00553 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00554 00555 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00556 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 00557 unsigned char *buf, size_t *olen ) 00558 { 00559 unsigned char *p = buf; 00560 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00561 size_t tlen = ssl->session_negotiate->ticket_len; 00562 00563 *olen = 0; 00564 00565 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 00566 { 00567 return; 00568 } 00569 00570 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00571 00572 if( end < p || (size_t)( end - p ) < 4 + tlen ) 00573 { 00574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00575 return; 00576 } 00577 00578 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00579 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 00580 00581 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00582 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00583 00584 *olen = 4; 00585 00586 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 00587 { 00588 return; 00589 } 00590 00591 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00592 00593 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00594 00595 *olen += tlen; 00596 } 00597 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00598 00599 #if defined(MBEDTLS_SSL_ALPN) 00600 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 00601 unsigned char *buf, size_t *olen ) 00602 { 00603 unsigned char *p = buf; 00604 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00605 size_t alpnlen = 0; 00606 const char **cur; 00607 00608 *olen = 0; 00609 00610 if( ssl->conf->alpn_list == NULL ) 00611 { 00612 return; 00613 } 00614 00615 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00616 00617 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00618 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 00619 00620 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 00621 { 00622 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00623 return; 00624 } 00625 00626 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 00627 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 00628 00629 /* 00630 * opaque ProtocolName<1..2^8-1>; 00631 * 00632 * struct { 00633 * ProtocolName protocol_name_list<2..2^16-1> 00634 * } ProtocolNameList; 00635 */ 00636 00637 /* Skip writing extension and list length for now */ 00638 p += 4; 00639 00640 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00641 { 00642 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00643 memcpy( p + 1, *cur, *p ); 00644 p += 1 + *p; 00645 } 00646 00647 *olen = p - buf; 00648 00649 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00650 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00651 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00652 00653 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00654 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00655 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00656 } 00657 #endif /* MBEDTLS_SSL_ALPN */ 00658 00659 /* 00660 * Generate random bytes for ClientHello 00661 */ 00662 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 00663 { 00664 int ret; 00665 unsigned char *p = ssl->handshake->randbytes; 00666 #if defined(MBEDTLS_HAVE_TIME) 00667 time_t t; 00668 #endif 00669 00670 /* 00671 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 00672 */ 00673 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00674 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00675 ssl->handshake->verify_cookie != NULL ) 00676 { 00677 return( 0 ); 00678 } 00679 #endif 00680 00681 #if defined(MBEDTLS_HAVE_TIME) 00682 t = time( NULL ); 00683 *p++ = (unsigned char)( t >> 24 ); 00684 *p++ = (unsigned char)( t >> 16 ); 00685 *p++ = (unsigned char)( t >> 8 ); 00686 *p++ = (unsigned char)( t ); 00687 00688 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00689 #else 00690 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 00691 return( ret ); 00692 00693 p += 4; 00694 #endif /* MBEDTLS_HAVE_TIME */ 00695 00696 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 00697 return( ret ); 00698 00699 return( 0 ); 00700 } 00701 00702 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 00703 { 00704 int ret; 00705 size_t i, n, olen, ext_len = 0; 00706 unsigned char *buf; 00707 unsigned char *p, *q; 00708 unsigned char offer_compress; 00709 const int *ciphersuites; 00710 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00711 00712 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00713 00714 if( ssl->conf->f_rng == NULL ) 00715 { 00716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00717 return( MBEDTLS_ERR_SSL_NO_RNG ); 00718 } 00719 00720 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00721 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00722 #endif 00723 { 00724 ssl->major_ver = ssl->conf->min_major_ver; 00725 ssl->minor_ver = ssl->conf->min_minor_ver; 00726 } 00727 00728 if( ssl->conf->max_major_ver == 0 ) 00729 { 00730 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 00731 "consider using mbedtls_ssl_config_defaults()" ) ); 00732 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00733 } 00734 00735 /* 00736 * 0 . 0 handshake type 00737 * 1 . 3 handshake length 00738 * 4 . 5 highest version supported 00739 * 6 . 9 current UNIX time 00740 * 10 . 37 random bytes 00741 */ 00742 buf = ssl->out_msg; 00743 p = buf + 4; 00744 00745 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 00746 ssl->conf->transport, p ); 00747 p += 2; 00748 00749 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00750 buf[4], buf[5] ) ); 00751 00752 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 00753 { 00754 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 00755 return( ret ); 00756 } 00757 00758 memcpy( p, ssl->handshake->randbytes, 32 ); 00759 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 00760 p += 32; 00761 00762 /* 00763 * 38 . 38 session id length 00764 * 39 . 39+n session id 00765 * 39+n . 39+n DTLS only: cookie length (1 byte) 00766 * 40+n . .. DTSL only: cookie 00767 * .. . .. ciphersuitelist length (2 bytes) 00768 * .. . .. ciphersuitelist 00769 * .. . .. compression methods length (1 byte) 00770 * .. . .. compression methods 00771 * .. . .. extensions length (2 bytes) 00772 * .. . .. extensions 00773 */ 00774 n = ssl->session_negotiate->id_len; 00775 00776 if( n < 16 || n > 32 || 00777 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00778 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 00779 #endif 00780 ssl->handshake->resume == 0 ) 00781 { 00782 n = 0; 00783 } 00784 00785 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00786 /* 00787 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00788 * generate and include a Session ID in the TLS ClientHello." 00789 */ 00790 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00791 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00792 #endif 00793 { 00794 if( ssl->session_negotiate->ticket != NULL && 00795 ssl->session_negotiate->ticket_len != 0 ) 00796 { 00797 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 00798 00799 if( ret != 0 ) 00800 return( ret ); 00801 00802 ssl->session_negotiate->id_len = n = 32; 00803 } 00804 } 00805 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00806 00807 *p++ = (unsigned char) n; 00808 00809 for( i = 0; i < n; i++ ) 00810 *p++ = ssl->session_negotiate->id[i]; 00811 00812 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00813 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00814 00815 /* 00816 * DTLS cookie 00817 */ 00818 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00819 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00820 { 00821 if( ssl->handshake->verify_cookie == NULL ) 00822 { 00823 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 00824 *p++ = 0; 00825 } 00826 else 00827 { 00828 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 00829 ssl->handshake->verify_cookie, 00830 ssl->handshake->verify_cookie_len ); 00831 00832 *p++ = ssl->handshake->verify_cookie_len; 00833 memcpy( p, ssl->handshake->verify_cookie, 00834 ssl->handshake->verify_cookie_len ); 00835 p += ssl->handshake->verify_cookie_len; 00836 } 00837 } 00838 #endif 00839 00840 /* 00841 * Ciphersuite list 00842 */ 00843 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 00844 00845 /* Skip writing ciphersuite length for now */ 00846 n = 0; 00847 q = p; 00848 p += 2; 00849 00850 for( i = 0; ciphersuites[i] != 0; i++ ) 00851 { 00852 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 00853 00854 if( ciphersuite_info == NULL ) 00855 continue; 00856 00857 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver || 00858 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver ) 00859 continue; 00860 00861 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00862 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00863 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00864 continue; 00865 #endif 00866 00867 #if defined(MBEDTLS_ARC4_C) 00868 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00869 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00870 continue; 00871 #endif 00872 00873 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00874 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00875 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00876 continue; 00877 #endif 00878 00879 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 00880 ciphersuites[i] ) ); 00881 00882 n++; 00883 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00884 *p++ = (unsigned char)( ciphersuites[i] ); 00885 } 00886 00887 /* 00888 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00889 */ 00890 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00891 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00892 #endif 00893 { 00894 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00895 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 00896 n++; 00897 } 00898 00899 /* Some versions of OpenSSL don't handle it correctly if not at end */ 00900 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 00901 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 00902 { 00903 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 00904 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 00905 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 00906 n++; 00907 } 00908 #endif 00909 00910 *q++ = (unsigned char)( n >> 7 ); 00911 *q++ = (unsigned char)( n << 1 ); 00912 00913 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); 00914 00915 #if defined(MBEDTLS_ZLIB_SUPPORT) 00916 offer_compress = 1; 00917 #else 00918 offer_compress = 0; 00919 #endif 00920 00921 /* 00922 * We don't support compression with DTLS right now: is many records come 00923 * in the same datagram, uncompressing one could overwrite the next one. 00924 * We don't want to add complexity for handling that case unless there is 00925 * an actual need for it. 00926 */ 00927 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00928 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00929 offer_compress = 0; 00930 #endif 00931 00932 if( offer_compress ) 00933 { 00934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00935 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00936 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 00937 00938 *p++ = 2; 00939 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 00940 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00941 } 00942 else 00943 { 00944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00945 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 00946 MBEDTLS_SSL_COMPRESS_NULL ) ); 00947 00948 *p++ = 1; 00949 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00950 } 00951 00952 // First write extensions, then the total length 00953 // 00954 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00955 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 00956 ext_len += olen; 00957 #endif 00958 00959 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00960 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 00961 ext_len += olen; 00962 #endif 00963 00964 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00965 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00966 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 00967 ext_len += olen; 00968 #endif 00969 00970 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00971 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00972 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 00973 ext_len += olen; 00974 00975 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 00976 ext_len += olen; 00977 #endif 00978 00979 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00980 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 00981 ext_len += olen; 00982 #endif 00983 00984 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00985 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 00986 ext_len += olen; 00987 #endif 00988 00989 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00990 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 00991 ext_len += olen; 00992 #endif 00993 00994 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00995 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 00996 ext_len += olen; 00997 #endif 00998 00999 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01000 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 01001 ext_len += olen; 01002 #endif 01003 01004 #if defined(MBEDTLS_SSL_ALPN) 01005 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01006 ext_len += olen; 01007 #endif 01008 01009 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01010 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01011 ext_len += olen; 01012 #endif 01013 01014 /* olen unused if all extensions are disabled */ 01015 ((void) olen); 01016 01017 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 01018 ext_len ) ); 01019 01020 if( ext_len > 0 ) 01021 { 01022 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01023 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01024 p += ext_len; 01025 } 01026 01027 ssl->out_msglen = p - buf; 01028 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 01029 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 01030 01031 ssl->state++; 01032 01033 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01034 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01035 mbedtls_ssl_send_flight_completed( ssl ); 01036 #endif 01037 01038 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 01039 { 01040 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 01041 return( ret ); 01042 } 01043 01044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 01045 01046 return( 0 ); 01047 } 01048 01049 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 01050 const unsigned char *buf, 01051 size_t len ) 01052 { 01053 int ret; 01054 01055 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01056 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01057 { 01058 /* Check verify-data in constant-time. The length OTOH is no secret */ 01059 if( len != 1 + ssl->verify_data_len * 2 || 01060 buf[0] != ssl->verify_data_len * 2 || 01061 mbedtls_ssl_safer_memcmp( buf + 1, 01062 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 01063 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 01064 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 01065 { 01066 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 01067 01068 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01069 return( ret ); 01070 01071 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01072 } 01073 } 01074 else 01075 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01076 { 01077 if( len != 1 || buf[0] != 0x00 ) 01078 { 01079 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 01080 01081 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01082 return( ret ); 01083 01084 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01085 } 01086 01087 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01088 } 01089 01090 return( 0 ); 01091 } 01092 01093 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01094 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 01095 const unsigned char *buf, 01096 size_t len ) 01097 { 01098 /* 01099 * server should use the extension only if we did, 01100 * and if so the server's value should match ours (and len is always 1) 01101 */ 01102 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 01103 len != 1 || 01104 buf[0] != ssl->conf->mfl_code ) 01105 { 01106 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01107 } 01108 01109 return( 0 ); 01110 } 01111 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01112 01113 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01114 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01115 const unsigned char *buf, 01116 size_t len ) 01117 { 01118 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 01119 len != 0 ) 01120 { 01121 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01122 } 01123 01124 ((void) buf); 01125 01126 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 01127 01128 return( 0 ); 01129 } 01130 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01131 01132 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01133 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01134 const unsigned char *buf, 01135 size_t len ) 01136 { 01137 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 01138 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01139 len != 0 ) 01140 { 01141 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01142 } 01143 01144 ((void) buf); 01145 01146 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 01147 01148 return( 0 ); 01149 } 01150 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01151 01152 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01153 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 01154 const unsigned char *buf, 01155 size_t len ) 01156 { 01157 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01158 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01159 len != 0 ) 01160 { 01161 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01162 } 01163 01164 ((void) buf); 01165 01166 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 01167 01168 return( 0 ); 01169 } 01170 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01171 01172 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01173 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 01174 const unsigned char *buf, 01175 size_t len ) 01176 { 01177 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 01178 len != 0 ) 01179 { 01180 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01181 } 01182 01183 ((void) buf); 01184 01185 ssl->handshake->new_session_ticket = 1; 01186 01187 return( 0 ); 01188 } 01189 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01190 01191 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01192 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01193 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 01194 const unsigned char *buf, 01195 size_t len ) 01196 { 01197 size_t list_size; 01198 const unsigned char *p; 01199 01200 list_size = buf[0]; 01201 if( list_size + 1 != len ) 01202 { 01203 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01204 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01205 } 01206 01207 p = buf + 1; 01208 while( list_size > 0 ) 01209 { 01210 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 01211 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 01212 { 01213 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 01214 ssl->handshake->ecdh_ctx.point_format = p[0]; 01215 #endif 01216 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01217 ssl->handshake->ecjpake_ctx.point_format = p[0]; 01218 #endif 01219 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 01220 return( 0 ); 01221 } 01222 01223 list_size--; 01224 p++; 01225 } 01226 01227 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 01228 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01229 } 01230 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01231 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01232 01233 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01234 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 01235 const unsigned char *buf, 01236 size_t len ) 01237 { 01238 int ret; 01239 01240 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 01241 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 01242 { 01243 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 01244 return( 0 ); 01245 } 01246 01247 /* If we got here, we no longer need our cached extension */ 01248 mbedtls_free( ssl->handshake->ecjpake_cache ); 01249 ssl->handshake->ecjpake_cache = NULL; 01250 ssl->handshake->ecjpake_cache_len = 0; 01251 01252 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 01253 buf, len ) ) != 0 ) 01254 { 01255 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 01256 return( ret ); 01257 } 01258 01259 return( 0 ); 01260 } 01261 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01262 01263 #if defined(MBEDTLS_SSL_ALPN) 01264 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 01265 const unsigned char *buf, size_t len ) 01266 { 01267 size_t list_len, name_len; 01268 const char **p; 01269 01270 /* If we didn't send it, the server shouldn't send it */ 01271 if( ssl->conf->alpn_list == NULL ) 01272 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01273 01274 /* 01275 * opaque ProtocolName<1..2^8-1>; 01276 * 01277 * struct { 01278 * ProtocolName protocol_name_list<2..2^16-1> 01279 * } ProtocolNameList; 01280 * 01281 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 01282 */ 01283 01284 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 01285 if( len < 4 ) 01286 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01287 01288 list_len = ( buf[0] << 8 ) | buf[1]; 01289 if( list_len != len - 2 ) 01290 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01291 01292 name_len = buf[2]; 01293 if( name_len != list_len - 1 ) 01294 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01295 01296 /* Check that the server chosen protocol was in our list and save it */ 01297 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 01298 { 01299 if( name_len == strlen( *p ) && 01300 memcmp( buf + 3, *p, name_len ) == 0 ) 01301 { 01302 ssl->alpn_chosen = *p; 01303 return( 0 ); 01304 } 01305 } 01306 01307 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01308 } 01309 #endif /* MBEDTLS_SSL_ALPN */ 01310 01311 /* 01312 * Parse HelloVerifyRequest. Only called after verifying the HS type. 01313 */ 01314 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01315 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 01316 { 01317 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 01318 int major_ver, minor_ver; 01319 unsigned char cookie_len; 01320 01321 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 01322 01323 /* 01324 * struct { 01325 * ProtocolVersion server_version; 01326 * opaque cookie<0..2^8-1>; 01327 * } HelloVerifyRequest; 01328 */ 01329 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 01330 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 01331 p += 2; 01332 01333 /* 01334 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 01335 * even is lower than our min version. 01336 */ 01337 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 01338 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 01339 major_ver > ssl->conf->max_major_ver || 01340 minor_ver > ssl->conf->max_minor_ver ) 01341 { 01342 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 01343 01344 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01345 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01346 01347 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01348 } 01349 01350 cookie_len = *p++; 01351 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 01352 01353 mbedtls_free( ssl->handshake->verify_cookie ); 01354 01355 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 01356 if( ssl->handshake->verify_cookie == NULL ) 01357 { 01358 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 01359 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 01360 } 01361 01362 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 01363 ssl->handshake->verify_cookie_len = cookie_len; 01364 01365 /* Start over at ClientHello */ 01366 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 01367 mbedtls_ssl_reset_checksum( ssl ); 01368 01369 mbedtls_ssl_recv_flight_completed( ssl ); 01370 01371 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 01372 01373 return( 0 ); 01374 } 01375 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01376 01377 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 01378 { 01379 int ret, i; 01380 size_t n; 01381 size_t ext_len; 01382 unsigned char *buf, *ext; 01383 unsigned char comp; 01384 #if defined(MBEDTLS_ZLIB_SUPPORT) 01385 int accept_comp; 01386 #endif 01387 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01388 int renegotiation_info_seen = 0; 01389 #endif 01390 int handshake_failure = 0; 01391 const mbedtls_ssl_ciphersuite_t *suite_info; 01392 #if defined(MBEDTLS_DEBUG_C) 01393 uint32_t t; 01394 #endif 01395 01396 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01397 01398 buf = ssl->in_msg; 01399 01400 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 01401 { 01402 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 01403 return( ret ); 01404 } 01405 01406 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 01407 { 01408 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01409 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01410 { 01411 ssl->renego_records_seen++; 01412 01413 if( ssl->conf->renego_max_records >= 0 && 01414 ssl->renego_records_seen > ssl->conf->renego_max_records ) 01415 { 01416 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01417 "but not honored by server" ) ); 01418 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01419 } 01420 01421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01422 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01423 } 01424 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01425 01426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01427 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01428 } 01429 01430 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01431 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01432 { 01433 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 01434 { 01435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 01436 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01437 return( ssl_parse_hello_verify_request( ssl ) ); 01438 } 01439 else 01440 { 01441 /* We made it through the verification process */ 01442 mbedtls_free( ssl->handshake->verify_cookie ); 01443 ssl->handshake->verify_cookie = NULL; 01444 ssl->handshake->verify_cookie_len = 0; 01445 } 01446 } 01447 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01448 01449 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 01450 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 01451 { 01452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01453 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01454 } 01455 01456 /* 01457 * 0 . 1 server_version 01458 * 2 . 33 random (maybe including 4 bytes of Unix time) 01459 * 34 . 34 session_id length = n 01460 * 35 . 34+n session_id 01461 * 35+n . 36+n cipher_suite 01462 * 37+n . 37+n compression_method 01463 * 01464 * 38+n . 39+n extensions length (optional) 01465 * 40+n . .. extensions 01466 */ 01467 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01468 01469 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 01470 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01471 ssl->conf->transport, buf + 0 ); 01472 01473 if( ssl->major_ver < ssl->conf->min_major_ver || 01474 ssl->minor_ver < ssl->conf->min_minor_ver || 01475 ssl->major_ver > ssl->conf->max_major_ver || 01476 ssl->minor_ver > ssl->conf->max_minor_ver ) 01477 { 01478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 01479 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 01480 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 01481 ssl->major_ver, ssl->minor_ver, 01482 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 01483 01484 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01485 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01486 01487 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01488 } 01489 01490 #if defined(MBEDTLS_DEBUG_C) 01491 t = ( (uint32_t) buf[2] << 24 ) 01492 | ( (uint32_t) buf[3] << 16 ) 01493 | ( (uint32_t) buf[4] << 8 ) 01494 | ( (uint32_t) buf[5] ); 01495 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 01496 #endif 01497 01498 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 01499 01500 n = buf[34]; 01501 01502 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 01503 01504 if( n > 32 ) 01505 { 01506 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01507 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01508 } 01509 01510 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 01511 { 01512 ext_len = ( ( buf[38 + n] << 8 ) 01513 | ( buf[39 + n] ) ); 01514 01515 if( ( ext_len > 0 && ext_len < 4 ) || 01516 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 01517 { 01518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01519 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01520 } 01521 } 01522 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 01523 { 01524 ext_len = 0; 01525 } 01526 else 01527 { 01528 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01529 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01530 } 01531 01532 /* ciphersuite (used later) */ 01533 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 01534 01535 /* 01536 * Read and check compression 01537 */ 01538 comp = buf[37 + n]; 01539 01540 #if defined(MBEDTLS_ZLIB_SUPPORT) 01541 /* See comments in ssl_write_client_hello() */ 01542 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01543 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01544 accept_comp = 0; 01545 else 01546 #endif 01547 accept_comp = 1; 01548 01549 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 01550 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 01551 #else /* MBEDTLS_ZLIB_SUPPORT */ 01552 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 01553 #endif/* MBEDTLS_ZLIB_SUPPORT */ 01554 { 01555 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 01556 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01557 } 01558 01559 /* 01560 * Initialize update checksum functions 01561 */ 01562 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 01563 01564 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 01565 { 01566 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01567 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01568 } 01569 01570 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01571 01572 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01573 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 01574 01575 /* 01576 * Check if the session can be resumed 01577 */ 01578 if( ssl->handshake->resume == 0 || n == 0 || 01579 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01580 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 01581 #endif 01582 ssl->session_negotiate->ciphersuite != i || 01583 ssl->session_negotiate->compression != comp || 01584 ssl->session_negotiate->id_len != n || 01585 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 01586 { 01587 ssl->state++; 01588 ssl->handshake->resume = 0; 01589 #if defined(MBEDTLS_HAVE_TIME) 01590 ssl->session_negotiate->start = time( NULL ); 01591 #endif 01592 ssl->session_negotiate->ciphersuite = i; 01593 ssl->session_negotiate->compression = comp; 01594 ssl->session_negotiate->id_len = n; 01595 memcpy( ssl->session_negotiate->id, buf + 35, n ); 01596 } 01597 else 01598 { 01599 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 01600 01601 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 01602 { 01603 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 01604 return( ret ); 01605 } 01606 } 01607 01608 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01609 ssl->handshake->resume ? "a" : "no" ) ); 01610 01611 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 01612 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 01613 01614 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01615 if( suite_info == NULL 01616 #if defined(MBEDTLS_ARC4_C) 01617 || ( ssl->conf->arc4_disabled && 01618 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 01619 #endif 01620 ) 01621 { 01622 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01623 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01624 } 01625 01626 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 01627 01628 i = 0; 01629 while( 1 ) 01630 { 01631 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01632 { 01633 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01634 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01635 } 01636 01637 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 01638 ssl->session_negotiate->ciphersuite ) 01639 { 01640 break; 01641 } 01642 } 01643 01644 if( comp != MBEDTLS_SSL_COMPRESS_NULL 01645 #if defined(MBEDTLS_ZLIB_SUPPORT) 01646 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 01647 #endif 01648 ) 01649 { 01650 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01651 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01652 } 01653 ssl->session_negotiate->compression = comp; 01654 01655 ext = buf + 40 + n; 01656 01657 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01658 01659 while( ext_len ) 01660 { 01661 unsigned int ext_id = ( ( ext[0] << 8 ) 01662 | ( ext[1] ) ); 01663 unsigned int ext_size = ( ( ext[2] << 8 ) 01664 | ( ext[3] ) ); 01665 01666 if( ext_size + 4 > ext_len ) 01667 { 01668 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01669 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01670 } 01671 01672 switch( ext_id ) 01673 { 01674 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01675 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01676 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01677 renegotiation_info_seen = 1; 01678 #endif 01679 01680 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01681 ext_size ) ) != 0 ) 01682 return( ret ); 01683 01684 break; 01685 01686 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01687 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01688 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01689 01690 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01691 ext + 4, ext_size ) ) != 0 ) 01692 { 01693 return( ret ); 01694 } 01695 01696 break; 01697 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01698 01699 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01700 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01701 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01702 01703 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01704 ext + 4, ext_size ) ) != 0 ) 01705 { 01706 return( ret ); 01707 } 01708 01709 break; 01710 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01711 01712 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01713 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01714 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 01715 01716 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 01717 ext + 4, ext_size ) ) != 0 ) 01718 { 01719 return( ret ); 01720 } 01721 01722 break; 01723 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01724 01725 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01726 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 01728 01729 if( ( ret = ssl_parse_extended_ms_ext( ssl, 01730 ext + 4, ext_size ) ) != 0 ) 01731 { 01732 return( ret ); 01733 } 01734 01735 break; 01736 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01737 01738 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01739 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01740 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01741 01742 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01743 ext + 4, ext_size ) ) != 0 ) 01744 { 01745 return( ret ); 01746 } 01747 01748 break; 01749 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01750 01751 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01752 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01753 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01755 01756 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01757 ext + 4, ext_size ) ) != 0 ) 01758 { 01759 return( ret ); 01760 } 01761 01762 break; 01763 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01764 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01765 01766 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01767 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 01769 01770 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 01771 ext + 4, ext_size ) ) != 0 ) 01772 { 01773 return( ret ); 01774 } 01775 01776 break; 01777 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01778 01779 #if defined(MBEDTLS_SSL_ALPN) 01780 case MBEDTLS_TLS_EXT_ALPN: 01781 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01782 01783 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01784 return( ret ); 01785 01786 break; 01787 #endif /* MBEDTLS_SSL_ALPN */ 01788 01789 default: 01790 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01791 ext_id ) ); 01792 } 01793 01794 ext_len -= 4 + ext_size; 01795 ext += 4 + ext_size; 01796 01797 if( ext_len > 0 && ext_len < 4 ) 01798 { 01799 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01800 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01801 } 01802 } 01803 01804 /* 01805 * Renegotiation security checks 01806 */ 01807 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01808 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01809 { 01810 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01811 handshake_failure = 1; 01812 } 01813 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01814 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01815 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01816 renegotiation_info_seen == 0 ) 01817 { 01818 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01819 handshake_failure = 1; 01820 } 01821 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01822 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01823 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01824 { 01825 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01826 handshake_failure = 1; 01827 } 01828 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01829 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01830 renegotiation_info_seen == 1 ) 01831 { 01832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01833 handshake_failure = 1; 01834 } 01835 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01836 01837 if( handshake_failure == 1 ) 01838 { 01839 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01840 return( ret ); 01841 01842 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01843 } 01844 01845 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01846 01847 return( 0 ); 01848 } 01849 01850 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01851 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01852 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 01853 unsigned char *end ) 01854 { 01855 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01856 01857 /* 01858 * Ephemeral DH parameters: 01859 * 01860 * struct { 01861 * opaque dh_p<1..2^16-1>; 01862 * opaque dh_g<1..2^16-1>; 01863 * opaque dh_Ys<1..2^16-1>; 01864 * } ServerDHParams; 01865 */ 01866 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01867 { 01868 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 01869 return( ret ); 01870 } 01871 01872 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 01873 { 01874 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 01875 ssl->handshake->dhm_ctx.len * 8, 01876 ssl->conf->dhm_min_bitlen ) ); 01877 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01878 } 01879 01880 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 01881 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 01882 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 01883 01884 return( ret ); 01885 } 01886 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 01887 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01888 01889 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01890 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01891 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01892 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01893 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01894 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 01895 { 01896 const mbedtls_ecp_curve_info *curve_info; 01897 01898 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 01899 if( curve_info == NULL ) 01900 { 01901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01902 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01903 } 01904 01905 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 01906 01907 #if defined(MBEDTLS_ECP_C) 01908 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 01909 #else 01910 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 01911 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 01912 #endif 01913 return( -1 ); 01914 01915 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 01916 01917 return( 0 ); 01918 } 01919 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01920 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01921 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 01922 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 01923 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 01924 01925 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01926 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01927 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01928 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 01929 unsigned char **p, 01930 unsigned char *end ) 01931 { 01932 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01933 01934 /* 01935 * Ephemeral ECDH parameters: 01936 * 01937 * struct { 01938 * ECParameters curve_params; 01939 * ECPoint public; 01940 * } ServerECDHParams; 01941 */ 01942 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 01943 (const unsigned char **) p, end ) ) != 0 ) 01944 { 01945 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 01946 return( ret ); 01947 } 01948 01949 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 01950 { 01951 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 01952 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01953 } 01954 01955 return( ret ); 01956 } 01957 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01958 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01959 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01960 01961 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 01962 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 01963 unsigned char **p, 01964 unsigned char *end ) 01965 { 01966 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01967 size_t len; 01968 ((void) ssl); 01969 01970 /* 01971 * PSK parameters: 01972 * 01973 * opaque psk_identity_hint<0..2^16-1>; 01974 */ 01975 len = (*p)[0] << 8 | (*p)[1]; 01976 *p += 2; 01977 01978 if( (*p) + len > end ) 01979 { 01980 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) ); 01981 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01982 } 01983 01984 // TODO: Retrieve PSK identity hint and callback to app 01985 // 01986 *p += len; 01987 ret = 0; 01988 01989 return( ret ); 01990 } 01991 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01992 01993 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 01994 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 01995 /* 01996 * Generate a pre-master secret and encrypt it with the server's RSA key 01997 */ 01998 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 01999 size_t offset, size_t *olen, 02000 size_t pms_offset ) 02001 { 02002 int ret; 02003 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 02004 unsigned char *p = ssl->handshake->premaster + pms_offset; 02005 02006 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02007 { 02008 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 02009 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02010 } 02011 02012 /* 02013 * Generate (part of) the pre-master as 02014 * struct { 02015 * ProtocolVersion client_version; 02016 * opaque random[46]; 02017 * } PreMasterSecret; 02018 */ 02019 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 02020 ssl->conf->transport, p ); 02021 02022 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 02023 { 02024 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 02025 return( ret ); 02026 } 02027 02028 ssl->handshake->pmslen = 48; 02029 02030 if( ssl->session_negotiate->peer_cert == NULL ) 02031 { 02032 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02033 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02034 } 02035 02036 /* 02037 * Now write it out, encrypted 02038 */ 02039 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02040 MBEDTLS_PK_RSA ) ) 02041 { 02042 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 02043 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02044 } 02045 02046 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 02047 p, ssl->handshake->pmslen, 02048 ssl->out_msg + offset + len_bytes, olen, 02049 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, 02050 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02051 { 02052 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 02053 return( ret ); 02054 } 02055 02056 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02057 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02058 if( len_bytes == 2 ) 02059 { 02060 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 02061 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 02062 *olen += 2; 02063 } 02064 #endif 02065 02066 return( 0 ); 02067 } 02068 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 02069 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02070 02071 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02072 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02073 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02074 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02075 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 02076 unsigned char **p, 02077 unsigned char *end, 02078 mbedtls_md_type_t *md_alg, 02079 mbedtls_pk_type_t *pk_alg ) 02080 { 02081 ((void) ssl); 02082 *md_alg = MBEDTLS_MD_NONE; 02083 *pk_alg = MBEDTLS_PK_NONE; 02084 02085 /* Only in TLS 1.2 */ 02086 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 02087 { 02088 return( 0 ); 02089 } 02090 02091 if( (*p) + 2 > end ) 02092 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02093 02094 /* 02095 * Get hash algorithm 02096 */ 02097 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 02098 { 02099 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used unsupported " 02100 "HashAlgorithm %d", *(p)[0] ) ); 02101 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02102 } 02103 02104 /* 02105 * Get signature algorithm 02106 */ 02107 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 02108 { 02109 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used unsupported " 02110 "SignatureAlgorithm %d", (*p)[1] ) ); 02111 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02112 } 02113 02114 /* 02115 * Check if the hash is acceptable 02116 */ 02117 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 02118 { 02119 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used HashAlgorithm " 02120 "that was not offered" ) ); 02121 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02122 } 02123 02124 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 02125 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 02126 *p += 2; 02127 02128 return( 0 ); 02129 } 02130 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02131 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02132 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02133 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02134 02135 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02136 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02137 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02138 { 02139 int ret; 02140 const mbedtls_ecp_keypair *peer_key; 02141 02142 if( ssl->session_negotiate->peer_cert == NULL ) 02143 { 02144 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02145 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02146 } 02147 02148 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02149 MBEDTLS_PK_ECKEY ) ) 02150 { 02151 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02152 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02153 } 02154 02155 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 02156 02157 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 02158 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 02159 { 02160 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02161 return( ret ); 02162 } 02163 02164 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02165 { 02166 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 02167 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 02168 } 02169 02170 return( ret ); 02171 } 02172 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02173 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02174 02175 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 02176 { 02177 int ret; 02178 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02179 unsigned char *p, *end; 02180 02181 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 02182 02183 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02184 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02185 { 02186 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02187 ssl->state++; 02188 return( 0 ); 02189 } 02190 ((void) p); 02191 ((void) end); 02192 #endif 02193 02194 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02195 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02196 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02197 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02198 { 02199 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 02200 { 02201 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 02202 return( ret ); 02203 } 02204 02205 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02206 ssl->state++; 02207 return( 0 ); 02208 } 02209 ((void) p); 02210 ((void) end); 02211 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02212 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02213 02214 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02215 { 02216 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02217 return( ret ); 02218 } 02219 02220 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02221 { 02222 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02223 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02224 } 02225 02226 /* 02227 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 02228 * doesn't use a psk_identity_hint 02229 */ 02230 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 02231 { 02232 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02233 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02234 { 02235 ssl->record_read = 1; 02236 goto exit; 02237 } 02238 02239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02240 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02241 } 02242 02243 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02244 end = ssl->in_msg + ssl->in_hslen; 02245 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 02246 02247 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02248 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02249 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02250 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02251 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02252 { 02253 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 02254 { 02255 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02256 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02257 } 02258 } /* FALLTROUGH */ 02259 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02260 02261 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02262 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02263 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02264 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02265 ; /* nothing more to do */ 02266 else 02267 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 02268 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02269 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02270 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02271 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02272 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02273 { 02274 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 02275 { 02276 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02277 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02278 } 02279 } 02280 else 02281 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02282 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02283 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02284 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02285 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02286 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02287 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02288 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02289 { 02290 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 02291 { 02292 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02293 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02294 } 02295 } 02296 else 02297 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02298 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02299 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02300 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02301 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02302 { 02303 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 02304 p, end - p ); 02305 if( ret != 0 ) 02306 { 02307 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 02308 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02309 } 02310 } 02311 else 02312 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02313 { 02314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02315 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02316 } 02317 02318 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02319 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02320 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02321 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02322 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02323 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02324 { 02325 size_t sig_len, hashlen; 02326 unsigned char hash[64]; 02327 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02328 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 02329 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02330 size_t params_len = p - params; 02331 02332 /* 02333 * Handle the digitally-signed structure 02334 */ 02335 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02336 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02337 { 02338 if( ssl_parse_signature_algorithm( ssl, &p, end, 02339 &md_alg, &pk_alg ) != 0 ) 02340 { 02341 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02342 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02343 } 02344 02345 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 02346 { 02347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02348 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02349 } 02350 } 02351 else 02352 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02353 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02354 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02355 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 02356 { 02357 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 02358 02359 /* Default hash for ECDSA is SHA-1 */ 02360 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 02361 md_alg = MBEDTLS_MD_SHA1; 02362 } 02363 else 02364 #endif 02365 { 02366 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02367 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02368 } 02369 02370 /* 02371 * Read signature 02372 */ 02373 sig_len = ( p[0] << 8 ) | p[1]; 02374 p += 2; 02375 02376 if( end != p + sig_len ) 02377 { 02378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02379 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02380 } 02381 02382 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 02383 02384 /* 02385 * Compute the hash that has been signed 02386 */ 02387 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02388 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02389 if( md_alg == MBEDTLS_MD_NONE ) 02390 { 02391 mbedtls_md5_context mbedtls_md5; 02392 mbedtls_sha1_context mbedtls_sha1; 02393 02394 mbedtls_md5_init( &mbedtls_md5 ); 02395 mbedtls_sha1_init( &mbedtls_sha1 ); 02396 02397 hashlen = 36; 02398 02399 /* 02400 * digitally-signed struct { 02401 * opaque md5_hash[16]; 02402 * opaque sha_hash[20]; 02403 * }; 02404 * 02405 * md5_hash 02406 * MD5(ClientHello.random + ServerHello.random 02407 * + ServerParams); 02408 * sha_hash 02409 * SHA(ClientHello.random + ServerHello.random 02410 * + ServerParams); 02411 */ 02412 mbedtls_md5_starts( &mbedtls_md5 ); 02413 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); 02414 mbedtls_md5_update( &mbedtls_md5, params, params_len ); 02415 mbedtls_md5_finish( &mbedtls_md5, hash ); 02416 02417 mbedtls_sha1_starts( &mbedtls_sha1 ); 02418 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); 02419 mbedtls_sha1_update( &mbedtls_sha1, params, params_len ); 02420 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); 02421 02422 mbedtls_md5_free( &mbedtls_md5 ); 02423 mbedtls_sha1_free( &mbedtls_sha1 ); 02424 } 02425 else 02426 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02427 MBEDTLS_SSL_PROTO_TLS1_1 */ 02428 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02429 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02430 if( md_alg != MBEDTLS_MD_NONE ) 02431 { 02432 mbedtls_md_context_t ctx; 02433 02434 mbedtls_md_init( &ctx ); 02435 02436 /* Info from md_alg will be used instead */ 02437 hashlen = 0; 02438 02439 /* 02440 * digitally-signed struct { 02441 * opaque client_random[32]; 02442 * opaque server_random[32]; 02443 * ServerDHParams params; 02444 * }; 02445 */ 02446 if( ( ret = mbedtls_md_setup( &ctx, 02447 mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 ) 02448 { 02449 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 02450 return( ret ); 02451 } 02452 02453 mbedtls_md_starts( &ctx ); 02454 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); 02455 mbedtls_md_update( &ctx, params, params_len ); 02456 mbedtls_md_finish( &ctx, hash ); 02457 mbedtls_md_free( &ctx ); 02458 } 02459 else 02460 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02461 MBEDTLS_SSL_PROTO_TLS1_2 */ 02462 { 02463 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02464 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02465 } 02466 02467 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02468 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 02469 02470 if( ssl->session_negotiate->peer_cert == NULL ) 02471 { 02472 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02473 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02474 } 02475 02476 /* 02477 * Verify signature 02478 */ 02479 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 02480 { 02481 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02482 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02483 } 02484 02485 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 02486 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 02487 { 02488 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 02489 return( ret ); 02490 } 02491 } 02492 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02493 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02494 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02495 02496 exit: 02497 ssl->state++; 02498 02499 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02500 02501 return( 0 ); 02502 } 02503 02504 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02505 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02506 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02507 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02508 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02509 { 02510 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02511 02512 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02513 02514 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02515 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02516 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02517 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02518 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02519 { 02520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02521 ssl->state++; 02522 return( 0 ); 02523 } 02524 02525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02526 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02527 } 02528 #else 02529 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02530 { 02531 int ret; 02532 unsigned char *buf, *p; 02533 size_t n = 0, m = 0; 02534 size_t cert_type_len = 0, dn_len = 0; 02535 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02536 02537 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02538 02539 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02540 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02541 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02542 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02543 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02544 { 02545 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02546 ssl->state++; 02547 return( 0 ); 02548 } 02549 02550 if( ssl->record_read == 0 ) 02551 { 02552 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02553 { 02554 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02555 return( ret ); 02556 } 02557 02558 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02559 { 02560 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02561 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02562 } 02563 02564 ssl->record_read = 1; 02565 } 02566 02567 ssl->client_auth = 0; 02568 ssl->state++; 02569 02570 if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) 02571 ssl->client_auth++; 02572 02573 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 02574 ssl->client_auth ? "a" : "no" ) ); 02575 02576 if( ssl->client_auth == 0 ) 02577 goto exit; 02578 02579 ssl->record_read = 0; 02580 02581 // TODO: handshake_failure alert for an anonymous server to request 02582 // client authentication 02583 02584 /* 02585 * struct { 02586 * ClientCertificateType certificate_types<1..2^8-1>; 02587 * SignatureAndHashAlgorithm 02588 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 02589 * DistinguishedName certificate_authorities<0..2^16-1>; 02590 * } CertificateRequest; 02591 */ 02592 buf = ssl->in_msg; 02593 02594 // Retrieve cert types 02595 // 02596 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 02597 n = cert_type_len; 02598 02599 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02600 { 02601 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02602 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02603 } 02604 02605 p = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 1; 02606 while( cert_type_len > 0 ) 02607 { 02608 #if defined(MBEDTLS_RSA_C) 02609 if( *p == MBEDTLS_SSL_CERT_TYPE_RSA_SIGN && 02610 mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) ) 02611 { 02612 ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; 02613 break; 02614 } 02615 else 02616 #endif 02617 #if defined(MBEDTLS_ECDSA_C) 02618 if( *p == MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN && 02619 mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 02620 { 02621 ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; 02622 break; 02623 } 02624 else 02625 #endif 02626 { 02627 ; /* Unsupported cert type, ignore */ 02628 } 02629 02630 cert_type_len--; 02631 p++; 02632 } 02633 02634 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02635 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02636 { 02637 /* Ignored, see comments about hash in write_certificate_verify */ 02638 // TODO: should check the signature part against our pk_key though 02639 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02640 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02641 02642 m += 2; 02643 n += sig_alg_len; 02644 02645 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02646 { 02647 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02648 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02649 } 02650 } 02651 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02652 02653 /* Ignore certificate_authorities, we only have one cert anyway */ 02654 // TODO: should not send cert if no CA matches 02655 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + m + n] << 8 ) 02656 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + m + n] ) ); 02657 02658 n += dn_len; 02659 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + m + n ) 02660 { 02661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02662 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02663 } 02664 02665 exit: 02666 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 02667 02668 return( 0 ); 02669 } 02670 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 02671 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 02672 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02673 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02674 02675 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 02676 { 02677 int ret; 02678 02679 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 02680 02681 if( ssl->record_read == 0 ) 02682 { 02683 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02684 { 02685 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02686 return( ret ); 02687 } 02688 02689 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02690 { 02691 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02692 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02693 } 02694 } 02695 ssl->record_read = 0; 02696 02697 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 02698 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 02699 { 02700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02701 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02702 } 02703 02704 ssl->state++; 02705 02706 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02707 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02708 mbedtls_ssl_recv_flight_completed( ssl ); 02709 #endif 02710 02711 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02712 02713 return( 0 ); 02714 } 02715 02716 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 02717 { 02718 int ret; 02719 size_t i, n; 02720 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02721 02722 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02723 02724 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 02725 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 02726 { 02727 /* 02728 * DHM key exchange -- send G^X mod P 02729 */ 02730 n = ssl->handshake->dhm_ctx.len; 02731 02732 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02733 ssl->out_msg[5] = (unsigned char)( n ); 02734 i = 6; 02735 02736 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02737 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02738 &ssl->out_msg[i], n, 02739 ssl->conf->f_rng, ssl->conf->p_rng ); 02740 if( ret != 0 ) 02741 { 02742 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02743 return( ret ); 02744 } 02745 02746 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02747 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02748 02749 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 02750 ssl->handshake->premaster, 02751 MBEDTLS_PREMASTER_SIZE, 02752 &ssl->handshake->pmslen, 02753 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02754 { 02755 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 02756 return( ret ); 02757 } 02758 02759 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02760 } 02761 else 02762 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02763 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02764 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02765 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02766 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02767 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02768 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 02769 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02770 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02771 { 02772 /* 02773 * ECDH key exchange -- send client public value 02774 */ 02775 i = 4; 02776 02777 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 02778 &n, 02779 &ssl->out_msg[i], 1000, 02780 ssl->conf->f_rng, ssl->conf->p_rng ); 02781 if( ret != 0 ) 02782 { 02783 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02784 return( ret ); 02785 } 02786 02787 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02788 02789 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02790 &ssl->handshake->pmslen, 02791 ssl->handshake->premaster, 02792 MBEDTLS_MPI_MAX_SIZE, 02793 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02794 { 02795 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 02796 return( ret ); 02797 } 02798 02799 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02800 } 02801 else 02802 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02803 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02804 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02805 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02806 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02807 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02808 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02809 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02810 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02811 { 02812 /* 02813 * opaque psk_identity<0..2^16-1>; 02814 */ 02815 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 02816 { 02817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 02818 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02819 } 02820 02821 i = 4; 02822 n = ssl->conf->psk_identity_len; 02823 02824 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02825 { 02826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 02827 "SSL buffer too short" ) ); 02828 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02829 } 02830 02831 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02832 ssl->out_msg[i++] = (unsigned char)( n ); 02833 02834 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 02835 i += ssl->conf->psk_identity_len; 02836 02837 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 02838 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 02839 { 02840 n = 0; 02841 } 02842 else 02843 #endif 02844 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02845 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02846 { 02847 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02848 return( ret ); 02849 } 02850 else 02851 #endif 02852 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02853 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02854 { 02855 /* 02856 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02857 */ 02858 n = ssl->handshake->dhm_ctx.len; 02859 02860 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02861 { 02862 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 02863 " or SSL buffer too short" ) ); 02864 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02865 } 02866 02867 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02868 ssl->out_msg[i++] = (unsigned char)( n ); 02869 02870 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02871 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02872 &ssl->out_msg[i], n, 02873 ssl->conf->f_rng, ssl->conf->p_rng ); 02874 if( ret != 0 ) 02875 { 02876 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02877 return( ret ); 02878 } 02879 } 02880 else 02881 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02882 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02883 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02884 { 02885 /* 02886 * ClientECDiffieHellmanPublic public; 02887 */ 02888 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 02889 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, 02890 ssl->conf->f_rng, ssl->conf->p_rng ); 02891 if( ret != 0 ) 02892 { 02893 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02894 return( ret ); 02895 } 02896 02897 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02898 } 02899 else 02900 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02901 { 02902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02903 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02904 } 02905 02906 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 02907 ciphersuite_info->key_exchange ) ) != 0 ) 02908 { 02909 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 02910 return( ret ); 02911 } 02912 } 02913 else 02914 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02915 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02916 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02917 { 02918 i = 4; 02919 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 02920 return( ret ); 02921 } 02922 else 02923 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02924 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02925 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02926 { 02927 i = 4; 02928 02929 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02930 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, 02931 ssl->conf->f_rng, ssl->conf->p_rng ); 02932 if( ret != 0 ) 02933 { 02934 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02935 return( ret ); 02936 } 02937 02938 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 02939 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 02940 ssl->conf->f_rng, ssl->conf->p_rng ); 02941 if( ret != 0 ) 02942 { 02943 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 02944 return( ret ); 02945 } 02946 } 02947 else 02948 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02949 { 02950 ((void) ciphersuite_info); 02951 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02952 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02953 } 02954 02955 ssl->out_msglen = i + n; 02956 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02957 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 02958 02959 ssl->state++; 02960 02961 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02962 { 02963 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02964 return( ret ); 02965 } 02966 02967 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 02968 02969 return( 0 ); 02970 } 02971 02972 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02973 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02974 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02975 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02976 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 02977 { 02978 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02979 int ret; 02980 02981 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 02982 02983 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 02984 { 02985 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 02986 return( ret ); 02987 } 02988 02989 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02990 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02991 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02992 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02993 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02994 { 02995 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 02996 ssl->state++; 02997 return( 0 ); 02998 } 02999 03000 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03001 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03002 } 03003 #else 03004 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03005 { 03006 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03007 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03008 size_t n = 0, offset = 0; 03009 unsigned char hash[48]; 03010 unsigned char *hash_start = hash; 03011 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 03012 unsigned int hashlen; 03013 03014 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03015 03016 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03017 { 03018 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03019 return( ret ); 03020 } 03021 03022 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03023 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03024 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03025 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03026 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03027 { 03028 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03029 ssl->state++; 03030 return( 0 ); 03031 } 03032 03033 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 03034 { 03035 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03036 ssl->state++; 03037 return( 0 ); 03038 } 03039 03040 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03041 { 03042 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 03043 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03044 } 03045 03046 /* 03047 * Make an RSA signature of the handshake digests 03048 */ 03049 ssl->handshake->calc_verify( ssl, hash ); 03050 03051 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03052 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03053 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03054 { 03055 /* 03056 * digitally-signed struct { 03057 * opaque md5_hash[16]; 03058 * opaque sha_hash[20]; 03059 * }; 03060 * 03061 * md5_hash 03062 * MD5(handshake_messages); 03063 * 03064 * sha_hash 03065 * SHA(handshake_messages); 03066 */ 03067 hashlen = 36; 03068 md_alg = MBEDTLS_MD_NONE; 03069 03070 /* 03071 * For ECDSA, default hash is SHA-1 only 03072 */ 03073 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 03074 { 03075 hash_start += 16; 03076 hashlen -= 16; 03077 md_alg = MBEDTLS_MD_SHA1; 03078 } 03079 } 03080 else 03081 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03082 MBEDTLS_SSL_PROTO_TLS1_1 */ 03083 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03084 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03085 { 03086 /* 03087 * digitally-signed struct { 03088 * opaque handshake_messages[handshake_messages_length]; 03089 * }; 03090 * 03091 * Taking shortcut here. We assume that the server always allows the 03092 * PRF Hash function and has sent it in the allowed signature 03093 * algorithms list received in the Certificate Request message. 03094 * 03095 * Until we encounter a server that does not, we will take this 03096 * shortcut. 03097 * 03098 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 03099 * in order to satisfy 'weird' needs from the server side. 03100 */ 03101 if( ssl->transform_negotiate->ciphersuite_info->mac == 03102 MBEDTLS_MD_SHA384 ) 03103 { 03104 md_alg = MBEDTLS_MD_SHA384; 03105 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 03106 } 03107 else 03108 { 03109 md_alg = MBEDTLS_MD_SHA256; 03110 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 03111 } 03112 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 03113 03114 /* Info from md_alg will be used instead */ 03115 hashlen = 0; 03116 offset = 2; 03117 } 03118 else 03119 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03120 { 03121 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03122 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03123 } 03124 03125 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 03126 ssl->out_msg + 6 + offset, &n, 03127 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03128 { 03129 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03130 return( ret ); 03131 } 03132 03133 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 03134 ssl->out_msg[5 + offset] = (unsigned char)( n ); 03135 03136 ssl->out_msglen = 6 + n + offset; 03137 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03138 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 03139 03140 ssl->state++; 03141 03142 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03143 { 03144 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03145 return( ret ); 03146 } 03147 03148 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 03149 03150 return( ret ); 03151 } 03152 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03153 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03154 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ 03155 03156 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03157 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 03158 { 03159 int ret; 03160 uint32_t lifetime; 03161 size_t ticket_len; 03162 unsigned char *ticket; 03163 const unsigned char *msg; 03164 03165 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 03166 03167 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03168 { 03169 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03170 return( ret ); 03171 } 03172 03173 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03174 { 03175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03176 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03177 } 03178 03179 /* 03180 * struct { 03181 * uint32 ticket_lifetime_hint; 03182 * opaque ticket<0..2^16-1>; 03183 * } NewSessionTicket; 03184 * 03185 * 0 . 3 ticket_lifetime_hint 03186 * 4 . 5 ticket_len (n) 03187 * 6 . 5+n ticket content 03188 */ 03189 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 03190 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 03191 { 03192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03193 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03194 } 03195 03196 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03197 03198 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | 03199 ( msg[2] << 8 ) | ( msg[3] ); 03200 03201 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 03202 03203 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 03204 { 03205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03206 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03207 } 03208 03209 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 03210 03211 /* We're not waiting for a NewSessionTicket message any more */ 03212 ssl->handshake->new_session_ticket = 0; 03213 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 03214 03215 /* 03216 * Zero-length ticket means the server changed his mind and doesn't want 03217 * to send a ticket after all, so just forget it 03218 */ 03219 if( ticket_len == 0 ) 03220 return( 0 ); 03221 03222 mbedtls_zeroize( ssl->session_negotiate->ticket, 03223 ssl->session_negotiate->ticket_len ); 03224 mbedtls_free( ssl->session_negotiate->ticket ); 03225 ssl->session_negotiate->ticket = NULL; 03226 ssl->session_negotiate->ticket_len = 0; 03227 03228 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 03229 { 03230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 03231 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03232 } 03233 03234 memcpy( ticket, msg + 6, ticket_len ); 03235 03236 ssl->session_negotiate->ticket = ticket; 03237 ssl->session_negotiate->ticket_len = ticket_len; 03238 ssl->session_negotiate->ticket_lifetime = lifetime; 03239 03240 /* 03241 * RFC 5077 section 3.4: 03242 * "If the client receives a session ticket from the server, then it 03243 * discards any Session ID that was sent in the ServerHello." 03244 */ 03245 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 03246 ssl->session_negotiate->id_len = 0; 03247 03248 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 03249 03250 return( 0 ); 03251 } 03252 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03253 03254 /* 03255 * SSL handshake -- client side -- single step 03256 */ 03257 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 03258 { 03259 int ret = 0; 03260 03261 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03262 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03263 03264 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 03265 03266 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03267 return( ret ); 03268 03269 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03270 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03271 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03272 { 03273 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03274 return( ret ); 03275 } 03276 #endif 03277 03278 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 03279 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 03280 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03281 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 03282 ssl->handshake->new_session_ticket != 0 ) 03283 { 03284 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 03285 } 03286 #endif 03287 03288 switch( ssl->state ) 03289 { 03290 case MBEDTLS_SSL_HELLO_REQUEST: 03291 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03292 break; 03293 03294 /* 03295 * ==> ClientHello 03296 */ 03297 case MBEDTLS_SSL_CLIENT_HELLO: 03298 ret = ssl_write_client_hello( ssl ); 03299 break; 03300 03301 /* 03302 * <== ServerHello 03303 * Certificate 03304 * ( ServerKeyExchange ) 03305 * ( CertificateRequest ) 03306 * ServerHelloDone 03307 */ 03308 case MBEDTLS_SSL_SERVER_HELLO: 03309 ret = ssl_parse_server_hello( ssl ); 03310 break; 03311 03312 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03313 ret = mbedtls_ssl_parse_certificate( ssl ); 03314 break; 03315 03316 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03317 ret = ssl_parse_server_key_exchange( ssl ); 03318 break; 03319 03320 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03321 ret = ssl_parse_certificate_request( ssl ); 03322 break; 03323 03324 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03325 ret = ssl_parse_server_hello_done( ssl ); 03326 break; 03327 03328 /* 03329 * ==> ( Certificate/Alert ) 03330 * ClientKeyExchange 03331 * ( CertificateVerify ) 03332 * ChangeCipherSpec 03333 * Finished 03334 */ 03335 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03336 ret = mbedtls_ssl_write_certificate( ssl ); 03337 break; 03338 03339 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03340 ret = ssl_write_client_key_exchange( ssl ); 03341 break; 03342 03343 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03344 ret = ssl_write_certificate_verify( ssl ); 03345 break; 03346 03347 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03348 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 03349 break; 03350 03351 case MBEDTLS_SSL_CLIENT_FINISHED: 03352 ret = mbedtls_ssl_write_finished( ssl ); 03353 break; 03354 03355 /* 03356 * <== ( NewSessionTicket ) 03357 * ChangeCipherSpec 03358 * Finished 03359 */ 03360 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03361 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 03362 ret = ssl_parse_new_session_ticket( ssl ); 03363 break; 03364 #endif 03365 03366 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 03367 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 03368 break; 03369 03370 case MBEDTLS_SSL_SERVER_FINISHED: 03371 ret = mbedtls_ssl_parse_finished( ssl ); 03372 break; 03373 03374 case MBEDTLS_SSL_FLUSH_BUFFERS: 03375 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03376 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 03377 break; 03378 03379 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 03380 mbedtls_ssl_handshake_wrapup( ssl ); 03381 break; 03382 03383 default: 03384 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03385 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03386 } 03387 03388 return( ret ); 03389 } 03390 #endif /* MBEDTLS_SSL_CLI_C */
Generated on Tue Jul 12 2022 12:52:47 by
1.7.2