sandbox
/
mbedtls
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
mbedtls
by 
Christopher Haster
Embed:
(wiki syntax)
Show/hide line numbers
ssl_tls.c
00001 /* 00002 * SSLv3/TLSv1 shared functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The SSL 3.0 specification was drafted by Netscape in 1996, 00023 * and became an IETF standard in 1999. 00024 * 00025 * http://wp.netscape.com/eng/ssl3/ 00026 * http://www.ietf.org/rfc/rfc2246.txt 00027 * http://www.ietf.org/rfc/rfc4346.txt 00028 */ 00029 00030 #if !defined(MBEDTLS_CONFIG_FILE) 00031 #include "mbedtls/config.h" 00032 #else 00033 #include MBEDTLS_CONFIG_FILE 00034 #endif 00035 00036 #if defined(MBEDTLS_SSL_TLS_C) 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 00045 defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 00046 #include "mbedtls/oid.h" 00047 #endif 00048 00049 #if defined(MBEDTLS_PLATFORM_C) 00050 #include "mbedtls/platform.h" 00051 #else 00052 #include <stdlib.h> 00053 #define mbedtls_calloc calloc 00054 #define mbedtls_free free 00055 #endif 00056 00057 /* Implementation that should never be optimized out by the compiler */ 00058 static void mbedtls_zeroize( void *v, size_t n ) { 00059 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00060 } 00061 00062 /* Length of the "epoch" field in the record header */ 00063 static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl ) 00064 { 00065 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00066 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00067 return( 2 ); 00068 #else 00069 ((void) ssl); 00070 #endif 00071 return( 0 ); 00072 } 00073 00074 /* 00075 * Start a timer. 00076 * Passing millisecs = 0 cancels a running timer. 00077 */ 00078 static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs ) 00079 { 00080 if( ssl->f_set_timer == NULL ) 00081 return; 00082 00083 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) ); 00084 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs ); 00085 } 00086 00087 /* 00088 * Return -1 is timer is expired, 0 if it isn't. 00089 */ 00090 static int ssl_check_timer( mbedtls_ssl_context *ssl ) 00091 { 00092 if( ssl->f_get_timer == NULL ) 00093 return( 0 ); 00094 00095 if( ssl->f_get_timer( ssl->p_timer ) == 2 ) 00096 { 00097 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) ); 00098 return( -1 ); 00099 } 00100 00101 return( 0 ); 00102 } 00103 00104 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00105 /* 00106 * Double the retransmit timeout value, within the allowed range, 00107 * returning -1 if the maximum value has already been reached. 00108 */ 00109 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) 00110 { 00111 uint32_t new_timeout; 00112 00113 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) 00114 return( -1 ); 00115 00116 new_timeout = 2 * ssl->handshake->retransmit_timeout; 00117 00118 /* Avoid arithmetic overflow and range overflow */ 00119 if( new_timeout < ssl->handshake->retransmit_timeout || 00120 new_timeout > ssl->conf->hs_timeout_max ) 00121 { 00122 new_timeout = ssl->conf->hs_timeout_max; 00123 } 00124 00125 ssl->handshake->retransmit_timeout = new_timeout; 00126 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00127 ssl->handshake->retransmit_timeout ) ); 00128 00129 return( 0 ); 00130 } 00131 00132 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) 00133 { 00134 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; 00135 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00136 ssl->handshake->retransmit_timeout ) ); 00137 } 00138 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 00139 00140 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00141 /* 00142 * Convert max_fragment_length codes to length. 00143 * RFC 6066 says: 00144 * enum{ 00145 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) 00146 * } MaxFragmentLength; 00147 * and we add 0 -> extension unused 00148 */ 00149 static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] = 00150 { 00151 MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */ 00152 512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */ 00153 1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */ 00154 2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */ 00155 4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */ 00156 }; 00157 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00158 00159 #if defined(MBEDTLS_SSL_CLI_C) 00160 static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src ) 00161 { 00162 mbedtls_ssl_session_free( dst ); 00163 memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); 00164 00165 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00166 if( src->peer_cert != NULL ) 00167 { 00168 int ret; 00169 00170 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) ); 00171 if( dst->peer_cert == NULL ) 00172 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00173 00174 mbedtls_x509_crt_init( dst->peer_cert ); 00175 00176 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p, 00177 src->peer_cert->raw.len ) ) != 0 ) 00178 { 00179 mbedtls_free( dst->peer_cert ); 00180 dst->peer_cert = NULL; 00181 return( ret ); 00182 } 00183 } 00184 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00185 00186 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 00187 if( src->ticket != NULL ) 00188 { 00189 dst->ticket = mbedtls_calloc( 1, src->ticket_len ); 00190 if( dst->ticket == NULL ) 00191 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00192 00193 memcpy( dst->ticket, src->ticket, src->ticket_len ); 00194 } 00195 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 00196 00197 return( 0 ); 00198 } 00199 #endif /* MBEDTLS_SSL_CLI_C */ 00200 00201 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00202 int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl, 00203 const unsigned char *key_enc, const unsigned char *key_dec, 00204 size_t keylen, 00205 const unsigned char *iv_enc, const unsigned char *iv_dec, 00206 size_t ivlen, 00207 const unsigned char *mac_enc, const unsigned char *mac_dec, 00208 size_t maclen ) = NULL; 00209 int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL; 00210 int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL; 00211 int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL; 00212 int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL; 00213 int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL; 00214 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00215 00216 /* 00217 * Key material generation 00218 */ 00219 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00220 static int ssl3_prf( const unsigned char *secret, size_t slen, 00221 const char *label, 00222 const unsigned char *random, size_t rlen, 00223 unsigned char *dstbuf, size_t dlen ) 00224 { 00225 size_t i; 00226 mbedtls_md5_context md5; 00227 mbedtls_sha1_context sha1; 00228 unsigned char padding[16]; 00229 unsigned char sha1sum[20]; 00230 ((void)label); 00231 00232 mbedtls_md5_init( &md5 ); 00233 mbedtls_sha1_init( &sha1 ); 00234 00235 /* 00236 * SSLv3: 00237 * block = 00238 * MD5( secret + SHA1( 'A' + secret + random ) ) + 00239 * MD5( secret + SHA1( 'BB' + secret + random ) ) + 00240 * MD5( secret + SHA1( 'CCC' + secret + random ) ) + 00241 * ... 00242 */ 00243 for( i = 0; i < dlen / 16; i++ ) 00244 { 00245 memset( padding, (unsigned char) ('A' + i), 1 + i ); 00246 00247 mbedtls_sha1_starts( &sha1 ); 00248 mbedtls_sha1_update( &sha1, padding, 1 + i ); 00249 mbedtls_sha1_update( &sha1, secret, slen ); 00250 mbedtls_sha1_update( &sha1, random, rlen ); 00251 mbedtls_sha1_finish( &sha1, sha1sum ); 00252 00253 mbedtls_md5_starts( &md5 ); 00254 mbedtls_md5_update( &md5, secret, slen ); 00255 mbedtls_md5_update( &md5, sha1sum, 20 ); 00256 mbedtls_md5_finish( &md5, dstbuf + i * 16 ); 00257 } 00258 00259 mbedtls_md5_free( &md5 ); 00260 mbedtls_sha1_free( &sha1 ); 00261 00262 mbedtls_zeroize( padding, sizeof( padding ) ); 00263 mbedtls_zeroize( sha1sum, sizeof( sha1sum ) ); 00264 00265 return( 0 ); 00266 } 00267 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00268 00269 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00270 static int tls1_prf( const unsigned char *secret, size_t slen, 00271 const char *label, 00272 const unsigned char *random, size_t rlen, 00273 unsigned char *dstbuf, size_t dlen ) 00274 { 00275 size_t nb, hs; 00276 size_t i, j, k; 00277 const unsigned char *S1, *S2; 00278 unsigned char tmp[128]; 00279 unsigned char h_i[20]; 00280 const mbedtls_md_info_t *md_info; 00281 mbedtls_md_context_t md_ctx; 00282 int ret; 00283 00284 mbedtls_md_init( &md_ctx ); 00285 00286 if( sizeof( tmp ) < 20 + strlen( label ) + rlen ) 00287 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00288 00289 hs = ( slen + 1 ) / 2; 00290 S1 = secret; 00291 S2 = secret + slen - hs; 00292 00293 nb = strlen( label ); 00294 memcpy( tmp + 20, label, nb ); 00295 memcpy( tmp + 20 + nb, random, rlen ); 00296 nb += rlen; 00297 00298 /* 00299 * First compute P_md5(secret,label+random)[0..dlen] 00300 */ 00301 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL ) 00302 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00303 00304 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00305 return( ret ); 00306 00307 mbedtls_md_hmac_starts( &md_ctx, S1, hs ); 00308 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00309 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00310 00311 for( i = 0; i < dlen; i += 16 ) 00312 { 00313 mbedtls_md_hmac_reset ( &md_ctx ); 00314 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb ); 00315 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00316 00317 mbedtls_md_hmac_reset ( &md_ctx ); 00318 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 ); 00319 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00320 00321 k = ( i + 16 > dlen ) ? dlen % 16 : 16; 00322 00323 for( j = 0; j < k; j++ ) 00324 dstbuf[i + j] = h_i[j]; 00325 } 00326 00327 mbedtls_md_free( &md_ctx ); 00328 00329 /* 00330 * XOR out with P_sha1(secret,label+random)[0..dlen] 00331 */ 00332 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL ) 00333 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00334 00335 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00336 return( ret ); 00337 00338 mbedtls_md_hmac_starts( &md_ctx, S2, hs ); 00339 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00340 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00341 00342 for( i = 0; i < dlen; i += 20 ) 00343 { 00344 mbedtls_md_hmac_reset ( &md_ctx ); 00345 mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb ); 00346 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00347 00348 mbedtls_md_hmac_reset ( &md_ctx ); 00349 mbedtls_md_hmac_update( &md_ctx, tmp, 20 ); 00350 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00351 00352 k = ( i + 20 > dlen ) ? dlen % 20 : 20; 00353 00354 for( j = 0; j < k; j++ ) 00355 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] ); 00356 } 00357 00358 mbedtls_md_free( &md_ctx ); 00359 00360 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00361 mbedtls_zeroize( h_i, sizeof( h_i ) ); 00362 00363 return( 0 ); 00364 } 00365 #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ 00366 00367 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00368 static int tls_prf_generic( mbedtls_md_type_t md_type, 00369 const unsigned char *secret, size_t slen, 00370 const char *label, 00371 const unsigned char *random, size_t rlen, 00372 unsigned char *dstbuf, size_t dlen ) 00373 { 00374 size_t nb; 00375 size_t i, j, k, md_len; 00376 unsigned char tmp[128]; 00377 unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; 00378 const mbedtls_md_info_t *md_info; 00379 mbedtls_md_context_t md_ctx; 00380 int ret; 00381 00382 mbedtls_md_init( &md_ctx ); 00383 00384 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL ) 00385 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00386 00387 md_len = mbedtls_md_get_size( md_info ); 00388 00389 if( sizeof( tmp ) < md_len + strlen( label ) + rlen ) 00390 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00391 00392 nb = strlen( label ); 00393 memcpy( tmp + md_len, label, nb ); 00394 memcpy( tmp + md_len + nb, random, rlen ); 00395 nb += rlen; 00396 00397 /* 00398 * Compute P_<hash>(secret, label + random)[0..dlen] 00399 */ 00400 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00401 return( ret ); 00402 00403 mbedtls_md_hmac_starts( &md_ctx, secret, slen ); 00404 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb ); 00405 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00406 00407 for( i = 0; i < dlen; i += md_len ) 00408 { 00409 mbedtls_md_hmac_reset ( &md_ctx ); 00410 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb ); 00411 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00412 00413 mbedtls_md_hmac_reset ( &md_ctx ); 00414 mbedtls_md_hmac_update( &md_ctx, tmp, md_len ); 00415 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00416 00417 k = ( i + md_len > dlen ) ? dlen % md_len : md_len; 00418 00419 for( j = 0; j < k; j++ ) 00420 dstbuf[i + j] = h_i[j]; 00421 } 00422 00423 mbedtls_md_free( &md_ctx ); 00424 00425 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00426 mbedtls_zeroize( h_i, sizeof( h_i ) ); 00427 00428 return( 0 ); 00429 } 00430 00431 #if defined(MBEDTLS_SHA256_C) 00432 static int tls_prf_sha256( const unsigned char *secret, size_t slen, 00433 const char *label, 00434 const unsigned char *random, size_t rlen, 00435 unsigned char *dstbuf, size_t dlen ) 00436 { 00437 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen, 00438 label, random, rlen, dstbuf, dlen ) ); 00439 } 00440 #endif /* MBEDTLS_SHA256_C */ 00441 00442 #if defined(MBEDTLS_SHA512_C) 00443 static int tls_prf_sha384( const unsigned char *secret, size_t slen, 00444 const char *label, 00445 const unsigned char *random, size_t rlen, 00446 unsigned char *dstbuf, size_t dlen ) 00447 { 00448 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen, 00449 label, random, rlen, dstbuf, dlen ) ); 00450 } 00451 #endif /* MBEDTLS_SHA512_C */ 00452 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00453 00454 static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); 00455 00456 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 00457 defined(MBEDTLS_SSL_PROTO_TLS1_1) 00458 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t ); 00459 #endif 00460 00461 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00462 static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * ); 00463 static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int ); 00464 #endif 00465 00466 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00467 static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * ); 00468 static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int ); 00469 #endif 00470 00471 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00472 #if defined(MBEDTLS_SHA256_C) 00473 static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); 00474 static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * ); 00475 static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int ); 00476 #endif 00477 00478 #if defined(MBEDTLS_SHA512_C) 00479 static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t ); 00480 static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * ); 00481 static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int ); 00482 #endif 00483 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00484 00485 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) 00486 { 00487 int ret = 0; 00488 unsigned char tmp[64]; 00489 unsigned char keyblk[256]; 00490 unsigned char *key1; 00491 unsigned char *key2; 00492 unsigned char *mac_enc; 00493 unsigned char *mac_dec; 00494 size_t iv_copy_len; 00495 const mbedtls_cipher_info_t *cipher_info; 00496 const mbedtls_md_info_t *md_info; 00497 00498 mbedtls_ssl_session *session = ssl->session_negotiate; 00499 mbedtls_ssl_transform *transform = ssl->transform_negotiate; 00500 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 00501 00502 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) ); 00503 00504 cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher ); 00505 if( cipher_info == NULL ) 00506 { 00507 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found", 00508 transform->ciphersuite_info->cipher ) ); 00509 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00510 } 00511 00512 md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac ); 00513 if( md_info == NULL ) 00514 { 00515 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found", 00516 transform->ciphersuite_info->mac ) ); 00517 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00518 } 00519 00520 /* 00521 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions 00522 */ 00523 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00524 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00525 { 00526 handshake->tls_prf = ssl3_prf; 00527 handshake->calc_verify = ssl_calc_verify_ssl; 00528 handshake->calc_finished = ssl_calc_finished_ssl; 00529 } 00530 else 00531 #endif 00532 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00533 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 00534 { 00535 handshake->tls_prf = tls1_prf; 00536 handshake->calc_verify = ssl_calc_verify_tls; 00537 handshake->calc_finished = ssl_calc_finished_tls; 00538 } 00539 else 00540 #endif 00541 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00542 #if defined(MBEDTLS_SHA512_C) 00543 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && 00544 transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 00545 { 00546 handshake->tls_prf = tls_prf_sha384; 00547 handshake->calc_verify = ssl_calc_verify_tls_sha384; 00548 handshake->calc_finished = ssl_calc_finished_tls_sha384; 00549 } 00550 else 00551 #endif 00552 #if defined(MBEDTLS_SHA256_C) 00553 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00554 { 00555 handshake->tls_prf = tls_prf_sha256; 00556 handshake->calc_verify = ssl_calc_verify_tls_sha256; 00557 handshake->calc_finished = ssl_calc_finished_tls_sha256; 00558 } 00559 else 00560 #endif 00561 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00562 { 00563 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00564 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00565 } 00566 00567 /* 00568 * SSLv3: 00569 * master = 00570 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) + 00571 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) + 00572 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) ) 00573 * 00574 * TLSv1+: 00575 * master = PRF( premaster, "master secret", randbytes )[0..47] 00576 */ 00577 if( handshake->resume == 0 ) 00578 { 00579 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster, 00580 handshake->pmslen ); 00581 00582 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00583 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED ) 00584 { 00585 unsigned char session_hash[48]; 00586 size_t hash_len; 00587 00588 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) ); 00589 00590 ssl->handshake->calc_verify( ssl, session_hash ); 00591 00592 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00593 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00594 { 00595 #if defined(MBEDTLS_SHA512_C) 00596 if( ssl->transform_negotiate->ciphersuite_info->mac == 00597 MBEDTLS_MD_SHA384 ) 00598 { 00599 hash_len = 48; 00600 } 00601 else 00602 #endif 00603 hash_len = 32; 00604 } 00605 else 00606 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00607 hash_len = 36; 00608 00609 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len ); 00610 00611 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00612 "extended master secret", 00613 session_hash, hash_len, 00614 session->master, 48 ); 00615 if( ret != 0 ) 00616 { 00617 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00618 return( ret ); 00619 } 00620 00621 } 00622 else 00623 #endif 00624 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00625 "master secret", 00626 handshake->randbytes, 64, 00627 session->master, 48 ); 00628 if( ret != 0 ) 00629 { 00630 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00631 return( ret ); 00632 } 00633 00634 mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) ); 00635 } 00636 else 00637 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) ); 00638 00639 /* 00640 * Swap the client and server random values. 00641 */ 00642 memcpy( tmp, handshake->randbytes, 64 ); 00643 memcpy( handshake->randbytes, tmp + 32, 32 ); 00644 memcpy( handshake->randbytes + 32, tmp, 32 ); 00645 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00646 00647 /* 00648 * SSLv3: 00649 * key block = 00650 * MD5( master + SHA1( 'A' + master + randbytes ) ) + 00651 * MD5( master + SHA1( 'BB' + master + randbytes ) ) + 00652 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) + 00653 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) + 00654 * ... 00655 * 00656 * TLSv1: 00657 * key block = PRF( master, "key expansion", randbytes ) 00658 */ 00659 ret = handshake->tls_prf( session->master, 48, "key expansion", 00660 handshake->randbytes, 64, keyblk, 256 ); 00661 if( ret != 0 ) 00662 { 00663 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00664 return( ret ); 00665 } 00666 00667 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", 00668 mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) ); 00669 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 ); 00670 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 ); 00671 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 ); 00672 00673 mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) ); 00674 00675 /* 00676 * Determine the appropriate key, IV and MAC length. 00677 */ 00678 00679 transform->keylen = cipher_info->key_bitlen / 8; 00680 00681 if( cipher_info->mode == MBEDTLS_MODE_GCM || 00682 cipher_info->mode == MBEDTLS_MODE_CCM ) 00683 { 00684 transform->maclen = 0; 00685 00686 transform->ivlen = 12; 00687 transform->fixed_ivlen = 4; 00688 00689 /* Minimum length is expicit IV + tag */ 00690 transform->minlen = transform->ivlen - transform->fixed_ivlen 00691 + ( transform->ciphersuite_info->flags & 00692 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 ); 00693 } 00694 else 00695 { 00696 /* Initialize HMAC contexts */ 00697 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 || 00698 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 ) 00699 { 00700 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 00701 return( ret ); 00702 } 00703 00704 /* Get MAC length */ 00705 transform->maclen = mbedtls_md_get_size( md_info ); 00706 00707 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00708 /* 00709 * If HMAC is to be truncated, we shall keep the leftmost bytes, 00710 * (rfc 6066 page 13 or rfc 2104 section 4), 00711 * so we only need to adjust the length here. 00712 */ 00713 if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00714 transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN; 00715 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00716 00717 /* IV length */ 00718 transform->ivlen = cipher_info->iv_size; 00719 00720 /* Minimum length */ 00721 if( cipher_info->mode == MBEDTLS_MODE_STREAM ) 00722 transform->minlen = transform->maclen; 00723 else 00724 { 00725 /* 00726 * GenericBlockCipher: 00727 * 1. if EtM is in use: one block plus MAC 00728 * otherwise: * first multiple of blocklen greater than maclen 00729 * 2. IV except for SSL3 and TLS 1.0 00730 */ 00731 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00732 if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 00733 { 00734 transform->minlen = transform->maclen 00735 + cipher_info->block_size; 00736 } 00737 else 00738 #endif 00739 { 00740 transform->minlen = transform->maclen 00741 + cipher_info->block_size 00742 - transform->maclen % cipher_info->block_size; 00743 } 00744 00745 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 00746 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 00747 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 ) 00748 ; /* No need to adjust minlen */ 00749 else 00750 #endif 00751 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 00752 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 || 00753 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00754 { 00755 transform->minlen += transform->ivlen; 00756 } 00757 else 00758 #endif 00759 { 00760 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00761 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00762 } 00763 } 00764 } 00765 00766 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d", 00767 transform->keylen, transform->minlen, transform->ivlen, 00768 transform->maclen ) ); 00769 00770 /* 00771 * Finally setup the cipher contexts, IVs and MAC secrets. 00772 */ 00773 #if defined(MBEDTLS_SSL_CLI_C) 00774 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 00775 { 00776 key1 = keyblk + transform->maclen * 2; 00777 key2 = keyblk + transform->maclen * 2 + transform->keylen; 00778 00779 mac_enc = keyblk; 00780 mac_dec = keyblk + transform->maclen; 00781 00782 /* 00783 * This is not used in TLS v1.1. 00784 */ 00785 iv_copy_len = ( transform->fixed_ivlen ) ? 00786 transform->fixed_ivlen : transform->ivlen; 00787 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len ); 00788 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len, 00789 iv_copy_len ); 00790 } 00791 else 00792 #endif /* MBEDTLS_SSL_CLI_C */ 00793 #if defined(MBEDTLS_SSL_SRV_C) 00794 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 00795 { 00796 key1 = keyblk + transform->maclen * 2 + transform->keylen; 00797 key2 = keyblk + transform->maclen * 2; 00798 00799 mac_enc = keyblk + transform->maclen; 00800 mac_dec = keyblk; 00801 00802 /* 00803 * This is not used in TLS v1.1. 00804 */ 00805 iv_copy_len = ( transform->fixed_ivlen ) ? 00806 transform->fixed_ivlen : transform->ivlen; 00807 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len ); 00808 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len, 00809 iv_copy_len ); 00810 } 00811 else 00812 #endif /* MBEDTLS_SSL_SRV_C */ 00813 { 00814 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00815 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00816 } 00817 00818 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00819 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00820 { 00821 if( transform->maclen > sizeof transform->mac_enc ) 00822 { 00823 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00824 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00825 } 00826 00827 memcpy( transform->mac_enc, mac_enc, transform->maclen ); 00828 memcpy( transform->mac_dec, mac_dec, transform->maclen ); 00829 } 00830 else 00831 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00832 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 00833 defined(MBEDTLS_SSL_PROTO_TLS1_2) 00834 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 00835 { 00836 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen ); 00837 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen ); 00838 } 00839 else 00840 #endif 00841 { 00842 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00843 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00844 } 00845 00846 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00847 if( mbedtls_ssl_hw_record_init != NULL ) 00848 { 00849 int ret = 0; 00850 00851 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) ); 00852 00853 if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen, 00854 transform->iv_enc, transform->iv_dec, 00855 iv_copy_len, 00856 mac_enc, mac_dec, 00857 transform->maclen ) ) != 0 ) 00858 { 00859 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret ); 00860 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 00861 } 00862 } 00863 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00864 00865 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 00866 if( ssl->conf->f_export_keys != NULL ) 00867 { 00868 ssl->conf->f_export_keys( ssl->conf->p_export_keys, 00869 session->master, keyblk, 00870 transform->maclen, transform->keylen, 00871 iv_copy_len ); 00872 } 00873 #endif 00874 00875 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, 00876 cipher_info ) ) != 0 ) 00877 { 00878 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00879 return( ret ); 00880 } 00881 00882 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec, 00883 cipher_info ) ) != 0 ) 00884 { 00885 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00886 return( ret ); 00887 } 00888 00889 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1, 00890 cipher_info->key_bitlen, 00891 MBEDTLS_ENCRYPT ) ) != 0 ) 00892 { 00893 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00894 return( ret ); 00895 } 00896 00897 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2, 00898 cipher_info->key_bitlen, 00899 MBEDTLS_DECRYPT ) ) != 0 ) 00900 { 00901 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00902 return( ret ); 00903 } 00904 00905 #if defined(MBEDTLS_CIPHER_MODE_CBC) 00906 if( cipher_info->mode == MBEDTLS_MODE_CBC ) 00907 { 00908 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc, 00909 MBEDTLS_PADDING_NONE ) ) != 0 ) 00910 { 00911 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00912 return( ret ); 00913 } 00914 00915 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec, 00916 MBEDTLS_PADDING_NONE ) ) != 0 ) 00917 { 00918 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00919 return( ret ); 00920 } 00921 } 00922 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 00923 00924 mbedtls_zeroize( keyblk, sizeof( keyblk ) ); 00925 00926 #if defined(MBEDTLS_ZLIB_SUPPORT) 00927 // Initialize compression 00928 // 00929 if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 00930 { 00931 if( ssl->compress_buf == NULL ) 00932 { 00933 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) ); 00934 ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN ); 00935 if( ssl->compress_buf == NULL ) 00936 { 00937 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 00938 MBEDTLS_SSL_BUFFER_LEN ) ); 00939 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00940 } 00941 } 00942 00943 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) ); 00944 00945 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) ); 00946 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) ); 00947 00948 if( deflateInit( &transform->ctx_deflate, 00949 Z_DEFAULT_COMPRESSION ) != Z_OK || 00950 inflateInit( &transform->ctx_inflate ) != Z_OK ) 00951 { 00952 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) ); 00953 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 00954 } 00955 } 00956 #endif /* MBEDTLS_ZLIB_SUPPORT */ 00957 00958 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) ); 00959 00960 return( 0 ); 00961 } 00962 00963 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00964 void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 00965 { 00966 mbedtls_md5_context md5; 00967 mbedtls_sha1_context sha1; 00968 unsigned char pad_1[48]; 00969 unsigned char pad_2[48]; 00970 00971 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) ); 00972 00973 mbedtls_md5_init( &md5 ); 00974 mbedtls_sha1_init( &sha1 ); 00975 00976 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 00977 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 00978 00979 memset( pad_1, 0x36, 48 ); 00980 memset( pad_2, 0x5C, 48 ); 00981 00982 mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 ); 00983 mbedtls_md5_update( &md5, pad_1, 48 ); 00984 mbedtls_md5_finish( &md5, hash ); 00985 00986 mbedtls_md5_starts( &md5 ); 00987 mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 ); 00988 mbedtls_md5_update( &md5, pad_2, 48 ); 00989 mbedtls_md5_update( &md5, hash, 16 ); 00990 mbedtls_md5_finish( &md5, hash ); 00991 00992 mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 ); 00993 mbedtls_sha1_update( &sha1, pad_1, 40 ); 00994 mbedtls_sha1_finish( &sha1, hash + 16 ); 00995 00996 mbedtls_sha1_starts( &sha1 ); 00997 mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 ); 00998 mbedtls_sha1_update( &sha1, pad_2, 40 ); 00999 mbedtls_sha1_update( &sha1, hash + 16, 20 ); 01000 mbedtls_sha1_finish( &sha1, hash + 16 ); 01001 01002 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01003 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01004 01005 mbedtls_md5_free( &md5 ); 01006 mbedtls_sha1_free( &sha1 ); 01007 01008 return; 01009 } 01010 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01011 01012 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 01013 void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 01014 { 01015 mbedtls_md5_context md5; 01016 mbedtls_sha1_context sha1; 01017 01018 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) ); 01019 01020 mbedtls_md5_init( &md5 ); 01021 mbedtls_sha1_init( &sha1 ); 01022 01023 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 01024 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 01025 01026 mbedtls_md5_finish( &md5, hash ); 01027 mbedtls_sha1_finish( &sha1, hash + 16 ); 01028 01029 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01030 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01031 01032 mbedtls_md5_free( &md5 ); 01033 mbedtls_sha1_free( &sha1 ); 01034 01035 return; 01036 } 01037 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 01038 01039 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 01040 #if defined(MBEDTLS_SHA256_C) 01041 void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] ) 01042 { 01043 mbedtls_sha256_context sha256; 01044 01045 mbedtls_sha256_init( &sha256 ); 01046 01047 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) ); 01048 01049 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 01050 mbedtls_sha256_finish( &sha256, hash ); 01051 01052 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 ); 01053 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01054 01055 mbedtls_sha256_free( &sha256 ); 01056 01057 return; 01058 } 01059 #endif /* MBEDTLS_SHA256_C */ 01060 01061 #if defined(MBEDTLS_SHA512_C) 01062 void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] ) 01063 { 01064 mbedtls_sha512_context sha512; 01065 01066 mbedtls_sha512_init( &sha512 ); 01067 01068 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) ); 01069 01070 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 01071 mbedtls_sha512_finish( &sha512, hash ); 01072 01073 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 ); 01074 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01075 01076 mbedtls_sha512_free( &sha512 ); 01077 01078 return; 01079 } 01080 #endif /* MBEDTLS_SHA512_C */ 01081 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 01082 01083 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 01084 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ) 01085 { 01086 unsigned char *p = ssl->handshake->premaster; 01087 unsigned char *end = p + sizeof( ssl->handshake->premaster ); 01088 const unsigned char *psk = ssl->conf->psk; 01089 size_t psk_len = ssl->conf->psk_len; 01090 01091 /* If the psk callback was called, use its result */ 01092 if( ssl->handshake->psk != NULL ) 01093 { 01094 psk = ssl->handshake->psk; 01095 psk_len = ssl->handshake->psk_len; 01096 } 01097 01098 /* 01099 * PMS = struct { 01100 * opaque other_secret<0..2^16-1>; 01101 * opaque psk<0..2^16-1>; 01102 * }; 01103 * with "other_secret" depending on the particular key exchange 01104 */ 01105 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 01106 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK ) 01107 { 01108 if( end - p < 2 ) 01109 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01110 01111 *(p++) = (unsigned char)( psk_len >> 8 ); 01112 *(p++) = (unsigned char)( psk_len ); 01113 01114 if( end < p || (size_t)( end - p ) < psk_len ) 01115 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01116 01117 memset( p, 0, psk_len ); 01118 p += psk_len; 01119 } 01120 else 01121 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 01122 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 01123 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 01124 { 01125 /* 01126 * other_secret already set by the ClientKeyExchange message, 01127 * and is 48 bytes long 01128 */ 01129 *p++ = 0; 01130 *p++ = 48; 01131 p += 48; 01132 } 01133 else 01134 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 01135 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01136 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 01137 { 01138 int ret; 01139 size_t len; 01140 01141 /* Write length only when we know the actual value */ 01142 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 01143 p + 2, end - ( p + 2 ), &len, 01144 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01145 { 01146 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 01147 return( ret ); 01148 } 01149 *(p++) = (unsigned char)( len >> 8 ); 01150 *(p++) = (unsigned char)( len ); 01151 p += len; 01152 01153 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 01154 } 01155 else 01156 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01157 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01158 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 01159 { 01160 int ret; 01161 size_t zlen; 01162 01163 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen, 01164 p + 2, end - ( p + 2 ), 01165 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01166 { 01167 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 01168 return( ret ); 01169 } 01170 01171 *(p++) = (unsigned char)( zlen >> 8 ); 01172 *(p++) = (unsigned char)( zlen ); 01173 p += zlen; 01174 01175 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 01176 } 01177 else 01178 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01179 { 01180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01181 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01182 } 01183 01184 /* opaque psk<0..2^16-1>; */ 01185 if( end - p < 2 ) 01186 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01187 01188 *(p++) = (unsigned char)( psk_len >> 8 ); 01189 *(p++) = (unsigned char)( psk_len ); 01190 01191 if( end < p || (size_t)( end - p ) < psk_len ) 01192 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01193 01194 memcpy( p, psk, psk_len ); 01195 p += psk_len; 01196 01197 ssl->handshake->pmslen = p - ssl->handshake->premaster; 01198 01199 return( 0 ); 01200 } 01201 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01202 01203 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01204 /* 01205 * SSLv3.0 MAC functions 01206 */ 01207 static void ssl_mac( mbedtls_md_context_t *md_ctx, unsigned char *secret, 01208 unsigned char *buf, size_t len, 01209 unsigned char *ctr, int type ) 01210 { 01211 unsigned char header[11]; 01212 unsigned char padding[48]; 01213 int padlen; 01214 int md_size = mbedtls_md_get_size( md_ctx->md_info ); 01215 int md_type = mbedtls_md_get_type( md_ctx->md_info ); 01216 01217 /* Only MD5 and SHA-1 supported */ 01218 if( md_type == MBEDTLS_MD_MD5 ) 01219 padlen = 48; 01220 else 01221 padlen = 40; 01222 01223 memcpy( header, ctr, 8 ); 01224 header[ 8] = (unsigned char) type; 01225 header[ 9] = (unsigned char)( len >> 8 ); 01226 header[10] = (unsigned char)( len ); 01227 01228 memset( padding, 0x36, padlen ); 01229 mbedtls_md_starts( md_ctx ); 01230 mbedtls_md_update( md_ctx, secret, md_size ); 01231 mbedtls_md_update( md_ctx, padding, padlen ); 01232 mbedtls_md_update( md_ctx, header, 11 ); 01233 mbedtls_md_update( md_ctx, buf, len ); 01234 mbedtls_md_finish( md_ctx, buf + len ); 01235 01236 memset( padding, 0x5C, padlen ); 01237 mbedtls_md_starts( md_ctx ); 01238 mbedtls_md_update( md_ctx, secret, md_size ); 01239 mbedtls_md_update( md_ctx, padding, padlen ); 01240 mbedtls_md_update( md_ctx, buf + len, md_size ); 01241 mbedtls_md_finish( md_ctx, buf + len ); 01242 } 01243 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01244 01245 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ 01246 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01247 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) ) 01248 #define SSL_SOME_MODES_USE_MAC 01249 #endif 01250 01251 /* 01252 * Encryption/decryption functions 01253 */ 01254 static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) 01255 { 01256 mbedtls_cipher_mode_t mode; 01257 int auth_done = 0; 01258 01259 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) ); 01260 01261 if( ssl->session_out == NULL || ssl->transform_out == NULL ) 01262 { 01263 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01264 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01265 } 01266 01267 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ); 01268 01269 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", 01270 ssl->out_msg, ssl->out_msglen ); 01271 01272 /* 01273 * Add MAC before if needed 01274 */ 01275 #if defined(SSL_SOME_MODES_USE_MAC) 01276 if( mode == MBEDTLS_MODE_STREAM || 01277 ( mode == MBEDTLS_MODE_CBC 01278 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01279 && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED 01280 #endif 01281 ) ) 01282 { 01283 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01284 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01285 { 01286 ssl_mac( &ssl->transform_out->md_ctx_enc, 01287 ssl->transform_out->mac_enc, 01288 ssl->out_msg, ssl->out_msglen, 01289 ssl->out_ctr, ssl->out_msgtype ); 01290 } 01291 else 01292 #endif 01293 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01294 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01295 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 01296 { 01297 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 ); 01298 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 ); 01299 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 ); 01300 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01301 ssl->out_msg, ssl->out_msglen ); 01302 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, 01303 ssl->out_msg + ssl->out_msglen ); 01304 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01305 } 01306 else 01307 #endif 01308 { 01309 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01310 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01311 } 01312 01313 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", 01314 ssl->out_msg + ssl->out_msglen, 01315 ssl->transform_out->maclen ); 01316 01317 ssl->out_msglen += ssl->transform_out->maclen; 01318 auth_done++; 01319 } 01320 #endif /* AEAD not the only option */ 01321 01322 /* 01323 * Encrypt 01324 */ 01325 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01326 if( mode == MBEDTLS_MODE_STREAM ) 01327 { 01328 int ret; 01329 size_t olen = 0; 01330 01331 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01332 "including %d bytes of padding", 01333 ssl->out_msglen, 0 ) ); 01334 01335 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01336 ssl->transform_out->iv_enc, 01337 ssl->transform_out->ivlen, 01338 ssl->out_msg, ssl->out_msglen, 01339 ssl->out_msg, &olen ) ) != 0 ) 01340 { 01341 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01342 return( ret ); 01343 } 01344 01345 if( ssl->out_msglen != olen ) 01346 { 01347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01348 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01349 } 01350 } 01351 else 01352 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01353 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01354 if( mode == MBEDTLS_MODE_GCM || 01355 mode == MBEDTLS_MODE_CCM ) 01356 { 01357 int ret; 01358 size_t enc_msglen, olen; 01359 unsigned char *enc_msg; 01360 unsigned char add_data[13]; 01361 unsigned char taglen = ssl->transform_out->ciphersuite_info->flags & 01362 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01363 01364 memcpy( add_data, ssl->out_ctr, 8 ); 01365 add_data[8] = ssl->out_msgtype; 01366 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01367 ssl->conf->transport, add_data + 9 ); 01368 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF; 01369 add_data[12] = ssl->out_msglen & 0xFF; 01370 01371 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01372 add_data, 13 ); 01373 01374 /* 01375 * Generate IV 01376 */ 01377 #if defined(MBEDTLS_SSL_AEAD_RANDOM_IV) 01378 ret = ssl->conf->f_rng( ssl->conf->p_rng, 01379 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01380 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01381 if( ret != 0 ) 01382 return( ret ); 01383 01384 memcpy( ssl->out_iv, 01385 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01386 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01387 #else 01388 if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 ) 01389 { 01390 /* Reminder if we ever add an AEAD mode with a different size */ 01391 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01392 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01393 } 01394 01395 memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01396 ssl->out_ctr, 8 ); 01397 memcpy( ssl->out_iv, ssl->out_ctr, 8 ); 01398 #endif 01399 01400 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv, 01401 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01402 01403 /* 01404 * Fix pointer positions and message length with added IV 01405 */ 01406 enc_msg = ssl->out_msg; 01407 enc_msglen = ssl->out_msglen; 01408 ssl->out_msglen += ssl->transform_out->ivlen - 01409 ssl->transform_out->fixed_ivlen; 01410 01411 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01412 "including %d bytes of padding", 01413 ssl->out_msglen, 0 ) ); 01414 01415 /* 01416 * Encrypt and authenticate 01417 */ 01418 if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc, 01419 ssl->transform_out->iv_enc, 01420 ssl->transform_out->ivlen, 01421 add_data, 13, 01422 enc_msg, enc_msglen, 01423 enc_msg, &olen, 01424 enc_msg + enc_msglen, taglen ) ) != 0 ) 01425 { 01426 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret ); 01427 return( ret ); 01428 } 01429 01430 if( olen != enc_msglen ) 01431 { 01432 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01433 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01434 } 01435 01436 ssl->out_msglen += taglen; 01437 auth_done++; 01438 01439 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen ); 01440 } 01441 else 01442 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01443 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01444 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) 01445 if( mode == MBEDTLS_MODE_CBC ) 01446 { 01447 int ret; 01448 unsigned char *enc_msg; 01449 size_t enc_msglen, padlen, olen = 0, i; 01450 01451 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) % 01452 ssl->transform_out->ivlen; 01453 if( padlen == ssl->transform_out->ivlen ) 01454 padlen = 0; 01455 01456 for( i = 0; i <= padlen; i++ ) 01457 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen; 01458 01459 ssl->out_msglen += padlen + 1; 01460 01461 enc_msglen = ssl->out_msglen; 01462 enc_msg = ssl->out_msg; 01463 01464 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01465 /* 01466 * Prepend per-record IV for block cipher in TLS v1.1 and up as per 01467 * Method 1 (6.2.3.2. in RFC4346 and RFC5246) 01468 */ 01469 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01470 { 01471 /* 01472 * Generate IV 01473 */ 01474 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc, 01475 ssl->transform_out->ivlen ); 01476 if( ret != 0 ) 01477 return( ret ); 01478 01479 memcpy( ssl->out_iv, ssl->transform_out->iv_enc, 01480 ssl->transform_out->ivlen ); 01481 01482 /* 01483 * Fix pointer positions and message length with added IV 01484 */ 01485 enc_msg = ssl->out_msg; 01486 enc_msglen = ssl->out_msglen; 01487 ssl->out_msglen += ssl->transform_out->ivlen; 01488 } 01489 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01490 01491 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01492 "including %d bytes of IV and %d bytes of padding", 01493 ssl->out_msglen, ssl->transform_out->ivlen, 01494 padlen + 1 ) ); 01495 01496 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01497 ssl->transform_out->iv_enc, 01498 ssl->transform_out->ivlen, 01499 enc_msg, enc_msglen, 01500 enc_msg, &olen ) ) != 0 ) 01501 { 01502 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01503 return( ret ); 01504 } 01505 01506 if( enc_msglen != olen ) 01507 { 01508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01509 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01510 } 01511 01512 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01513 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01514 { 01515 /* 01516 * Save IV in SSL3 and TLS1 01517 */ 01518 memcpy( ssl->transform_out->iv_enc, 01519 ssl->transform_out->cipher_ctx_enc.iv, 01520 ssl->transform_out->ivlen ); 01521 } 01522 #endif 01523 01524 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01525 if( auth_done == 0 ) 01526 { 01527 /* 01528 * MAC(MAC_write_key, seq_num + 01529 * TLSCipherText.type + 01530 * TLSCipherText.version + 01531 * length_of( (IV +) ENC(...) ) + 01532 * IV + // except for TLS 1.0 01533 * ENC(content + padding + padding_length)); 01534 */ 01535 unsigned char pseudo_hdr[13]; 01536 01537 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01538 01539 memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 ); 01540 memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 ); 01541 pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF ); 01542 pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF ); 01543 01544 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01545 01546 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 ); 01547 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01548 ssl->out_iv, ssl->out_msglen ); 01549 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, 01550 ssl->out_iv + ssl->out_msglen ); 01551 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01552 01553 ssl->out_msglen += ssl->transform_out->maclen; 01554 auth_done++; 01555 } 01556 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01557 } 01558 else 01559 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01560 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ 01561 { 01562 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01563 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01564 } 01565 01566 /* Make extra sure authentication was performed, exactly once */ 01567 if( auth_done != 1 ) 01568 { 01569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01570 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01571 } 01572 01573 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); 01574 01575 return( 0 ); 01576 } 01577 01578 #define SSL_MAX_MAC_SIZE 48 01579 01580 static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) 01581 { 01582 size_t i; 01583 mbedtls_cipher_mode_t mode; 01584 int auth_done = 0; 01585 #if defined(SSL_SOME_MODES_USE_MAC) 01586 size_t padlen = 0, correct = 1; 01587 #endif 01588 01589 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); 01590 01591 if( ssl->session_in == NULL || ssl->transform_in == NULL ) 01592 { 01593 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01594 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01595 } 01596 01597 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec ); 01598 01599 if( ssl->in_msglen < ssl->transform_in->minlen ) 01600 { 01601 MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)", 01602 ssl->in_msglen, ssl->transform_in->minlen ) ); 01603 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01604 } 01605 01606 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01607 if( mode == MBEDTLS_MODE_STREAM ) 01608 { 01609 int ret; 01610 size_t olen = 0; 01611 01612 padlen = 0; 01613 01614 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01615 ssl->transform_in->iv_dec, 01616 ssl->transform_in->ivlen, 01617 ssl->in_msg, ssl->in_msglen, 01618 ssl->in_msg, &olen ) ) != 0 ) 01619 { 01620 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01621 return( ret ); 01622 } 01623 01624 if( ssl->in_msglen != olen ) 01625 { 01626 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01627 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01628 } 01629 } 01630 else 01631 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01632 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01633 if( mode == MBEDTLS_MODE_GCM || 01634 mode == MBEDTLS_MODE_CCM ) 01635 { 01636 int ret; 01637 size_t dec_msglen, olen; 01638 unsigned char *dec_msg; 01639 unsigned char *dec_msg_result; 01640 unsigned char add_data[13]; 01641 unsigned char taglen = ssl->transform_in->ciphersuite_info->flags & 01642 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01643 size_t explicit_iv_len = ssl->transform_in->ivlen - 01644 ssl->transform_in->fixed_ivlen; 01645 01646 if( ssl->in_msglen < explicit_iv_len + taglen ) 01647 { 01648 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) " 01649 "+ taglen (%d)", ssl->in_msglen, 01650 explicit_iv_len, taglen ) ); 01651 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01652 } 01653 dec_msglen = ssl->in_msglen - explicit_iv_len - taglen; 01654 01655 dec_msg = ssl->in_msg; 01656 dec_msg_result = ssl->in_msg; 01657 ssl->in_msglen = dec_msglen; 01658 01659 memcpy( add_data, ssl->in_ctr, 8 ); 01660 add_data[8] = ssl->in_msgtype; 01661 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01662 ssl->conf->transport, add_data + 9 ); 01663 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF; 01664 add_data[12] = ssl->in_msglen & 0xFF; 01665 01666 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01667 add_data, 13 ); 01668 01669 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen, 01670 ssl->in_iv, 01671 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen ); 01672 01673 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec, 01674 ssl->transform_in->ivlen ); 01675 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen ); 01676 01677 /* 01678 * Decrypt and authenticate 01679 */ 01680 if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec, 01681 ssl->transform_in->iv_dec, 01682 ssl->transform_in->ivlen, 01683 add_data, 13, 01684 dec_msg, dec_msglen, 01685 dec_msg_result, &olen, 01686 dec_msg + dec_msglen, taglen ) ) != 0 ) 01687 { 01688 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret ); 01689 01690 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) 01691 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01692 01693 return( ret ); 01694 } 01695 auth_done++; 01696 01697 if( olen != dec_msglen ) 01698 { 01699 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01700 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01701 } 01702 } 01703 else 01704 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01705 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01706 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) 01707 if( mode == MBEDTLS_MODE_CBC ) 01708 { 01709 /* 01710 * Decrypt and check the padding 01711 */ 01712 int ret; 01713 unsigned char *dec_msg; 01714 unsigned char *dec_msg_result; 01715 size_t dec_msglen; 01716 size_t minlen = 0; 01717 size_t olen = 0; 01718 01719 /* 01720 * Check immediate ciphertext sanity 01721 */ 01722 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01723 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01724 minlen += ssl->transform_in->ivlen; 01725 #endif 01726 01727 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen || 01728 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 ) 01729 { 01730 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) " 01731 "+ 1 ) ( + expl IV )", ssl->in_msglen, 01732 ssl->transform_in->ivlen, 01733 ssl->transform_in->maclen ) ); 01734 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01735 } 01736 01737 dec_msglen = ssl->in_msglen; 01738 dec_msg = ssl->in_msg; 01739 dec_msg_result = ssl->in_msg; 01740 01741 /* 01742 * Authenticate before decrypt if enabled 01743 */ 01744 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01745 if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 01746 { 01747 unsigned char computed_mac[SSL_MAX_MAC_SIZE]; 01748 unsigned char pseudo_hdr[13]; 01749 01750 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01751 01752 dec_msglen -= ssl->transform_in->maclen; 01753 ssl->in_msglen -= ssl->transform_in->maclen; 01754 01755 memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 ); 01756 memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 ); 01757 pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF ); 01758 pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF ); 01759 01760 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01761 01762 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 ); 01763 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, 01764 ssl->in_iv, ssl->in_msglen ); 01765 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac ); 01766 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 01767 01768 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen, 01769 ssl->transform_in->maclen ); 01770 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", computed_mac, 01771 ssl->transform_in->maclen ); 01772 01773 if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac, 01774 ssl->transform_in->maclen ) != 0 ) 01775 { 01776 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 01777 01778 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01779 } 01780 auth_done++; 01781 } 01782 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01783 01784 /* 01785 * Check length sanity 01786 */ 01787 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 ) 01788 { 01789 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0", 01790 ssl->in_msglen, ssl->transform_in->ivlen ) ); 01791 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01792 } 01793 01794 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01795 /* 01796 * Initialize for prepended IV for block cipher in TLS v1.1 and up 01797 */ 01798 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01799 { 01800 dec_msglen -= ssl->transform_in->ivlen; 01801 ssl->in_msglen -= ssl->transform_in->ivlen; 01802 01803 for( i = 0; i < ssl->transform_in->ivlen; i++ ) 01804 ssl->transform_in->iv_dec[i] = ssl->in_iv[i]; 01805 } 01806 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01807 01808 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01809 ssl->transform_in->iv_dec, 01810 ssl->transform_in->ivlen, 01811 dec_msg, dec_msglen, 01812 dec_msg_result, &olen ) ) != 0 ) 01813 { 01814 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01815 return( ret ); 01816 } 01817 01818 if( dec_msglen != olen ) 01819 { 01820 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01821 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01822 } 01823 01824 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01825 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01826 { 01827 /* 01828 * Save IV in SSL3 and TLS1 01829 */ 01830 memcpy( ssl->transform_in->iv_dec, 01831 ssl->transform_in->cipher_ctx_dec.iv, 01832 ssl->transform_in->ivlen ); 01833 } 01834 #endif 01835 01836 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1]; 01837 01838 if( ssl->in_msglen < ssl->transform_in->maclen + padlen && 01839 auth_done == 0 ) 01840 { 01841 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01842 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)", 01843 ssl->in_msglen, ssl->transform_in->maclen, padlen ) ); 01844 #endif 01845 padlen = 0; 01846 correct = 0; 01847 } 01848 01849 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01850 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01851 { 01852 if( padlen > ssl->transform_in->ivlen ) 01853 { 01854 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01855 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, " 01856 "should be no more than %d", 01857 padlen, ssl->transform_in->ivlen ) ); 01858 #endif 01859 correct = 0; 01860 } 01861 } 01862 else 01863 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01864 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01865 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01866 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01867 { 01868 /* 01869 * TLSv1+: always check the padding up to the first failure 01870 * and fake check up to 256 bytes of padding 01871 */ 01872 size_t pad_count = 0, real_count = 1; 01873 size_t padding_idx = ssl->in_msglen - padlen - 1; 01874 01875 /* 01876 * Padding is guaranteed to be incorrect if: 01877 * 1. padlen >= ssl->in_msglen 01878 * 01879 * 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN + 01880 * ssl->transform_in->maclen 01881 * 01882 * In both cases we reset padding_idx to a safe value (0) to 01883 * prevent out-of-buffer reads. 01884 */ 01885 correct &= ( ssl->in_msglen >= padlen + 1 ); 01886 correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN + 01887 ssl->transform_in->maclen ); 01888 01889 padding_idx *= correct; 01890 01891 for( i = 1; i <= 256; i++ ) 01892 { 01893 real_count &= ( i <= padlen ); 01894 pad_count += real_count * 01895 ( ssl->in_msg[padding_idx + i] == padlen - 1 ); 01896 } 01897 01898 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */ 01899 01900 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01901 if( padlen > 0 && correct == 0 ) 01902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); 01903 #endif 01904 padlen &= correct * 0x1FF; 01905 } 01906 else 01907 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 01908 MBEDTLS_SSL_PROTO_TLS1_2 */ 01909 { 01910 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01911 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01912 } 01913 01914 ssl->in_msglen -= padlen; 01915 } 01916 else 01917 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01918 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ 01919 { 01920 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01921 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01922 } 01923 01924 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption", 01925 ssl->in_msg, ssl->in_msglen ); 01926 01927 /* 01928 * Authenticate if not done yet. 01929 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME). 01930 */ 01931 #if defined(SSL_SOME_MODES_USE_MAC) 01932 if( auth_done == 0 ) 01933 { 01934 unsigned char tmp[SSL_MAX_MAC_SIZE]; 01935 01936 ssl->in_msglen -= ssl->transform_in->maclen; 01937 01938 ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 ); 01939 ssl->in_len[1] = (unsigned char)( ssl->in_msglen ); 01940 01941 memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen ); 01942 01943 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01944 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01945 { 01946 ssl_mac( &ssl->transform_in->md_ctx_dec, 01947 ssl->transform_in->mac_dec, 01948 ssl->in_msg, ssl->in_msglen, 01949 ssl->in_ctr, ssl->in_msgtype ); 01950 } 01951 else 01952 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01953 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01954 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01955 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01956 { 01957 /* 01958 * Process MAC and always update for padlen afterwards to make 01959 * total time independent of padlen 01960 * 01961 * extra_run compensates MAC check for padlen 01962 * 01963 * Known timing attacks: 01964 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf) 01965 * 01966 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values 01967 * correctly. (We round down instead of up, so -56 is the correct 01968 * value for our calculations instead of -55) 01969 */ 01970 size_t j, extra_run = 0; 01971 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 - 01972 ( 13 + ssl->in_msglen + 8 ) / 64; 01973 01974 extra_run &= correct * 0xFF; 01975 01976 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 ); 01977 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 ); 01978 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 ); 01979 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg, 01980 ssl->in_msglen ); 01981 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, 01982 ssl->in_msg + ssl->in_msglen ); 01983 /* Call mbedtls_md_process at least once due to cache attacks */ 01984 for( j = 0; j < extra_run + 1; j++ ) 01985 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg ); 01986 01987 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 01988 } 01989 else 01990 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 01991 MBEDTLS_SSL_PROTO_TLS1_2 */ 01992 { 01993 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01994 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01995 } 01996 01997 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen ); 01998 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen, 01999 ssl->transform_in->maclen ); 02000 02001 if( mbedtls_ssl_safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen, 02002 ssl->transform_in->maclen ) != 0 ) 02003 { 02004 #if defined(MBEDTLS_SSL_DEBUG_ALL) 02005 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 02006 #endif 02007 correct = 0; 02008 } 02009 auth_done++; 02010 02011 /* 02012 * Finally check the correct flag 02013 */ 02014 if( correct == 0 ) 02015 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02016 } 02017 #endif /* SSL_SOME_MODES_USE_MAC */ 02018 02019 /* Make extra sure authentication was performed, exactly once */ 02020 if( auth_done != 1 ) 02021 { 02022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02023 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02024 } 02025 02026 if( ssl->in_msglen == 0 ) 02027 { 02028 ssl->nb_zero++; 02029 02030 /* 02031 * Three or more empty messages may be a DoS attack 02032 * (excessive CPU consumption). 02033 */ 02034 if( ssl->nb_zero > 3 ) 02035 { 02036 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty " 02037 "messages, possible DoS attack" ) ); 02038 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02039 } 02040 } 02041 else 02042 ssl->nb_zero = 0; 02043 02044 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02045 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02046 { 02047 ; /* in_ctr read from peer, not maintained internally */ 02048 } 02049 else 02050 #endif 02051 { 02052 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02053 if( ++ssl->in_ctr[i - 1] != 0 ) 02054 break; 02055 02056 /* The loop goes to its end iff the counter is wrapping */ 02057 if( i == ssl_ep_len( ssl ) ) 02058 { 02059 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); 02060 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02061 } 02062 } 02063 02064 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); 02065 02066 return( 0 ); 02067 } 02068 02069 #undef MAC_NONE 02070 #undef MAC_PLAINTEXT 02071 #undef MAC_CIPHERTEXT 02072 02073 #if defined(MBEDTLS_ZLIB_SUPPORT) 02074 /* 02075 * Compression/decompression functions 02076 */ 02077 static int ssl_compress_buf( mbedtls_ssl_context *ssl ) 02078 { 02079 int ret; 02080 unsigned char *msg_post = ssl->out_msg; 02081 size_t len_pre = ssl->out_msglen; 02082 unsigned char *msg_pre = ssl->compress_buf; 02083 02084 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) ); 02085 02086 if( len_pre == 0 ) 02087 return( 0 ); 02088 02089 memcpy( msg_pre, ssl->out_msg, len_pre ); 02090 02091 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ", 02092 ssl->out_msglen ) ); 02093 02094 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload", 02095 ssl->out_msg, ssl->out_msglen ); 02096 02097 ssl->transform_out->ctx_deflate.next_in = msg_pre; 02098 ssl->transform_out->ctx_deflate.avail_in = len_pre; 02099 ssl->transform_out->ctx_deflate.next_out = msg_post; 02100 ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN; 02101 02102 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH ); 02103 if( ret != Z_OK ) 02104 { 02105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) ); 02106 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02107 } 02108 02109 ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN - 02110 ssl->transform_out->ctx_deflate.avail_out; 02111 02112 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ", 02113 ssl->out_msglen ) ); 02114 02115 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload", 02116 ssl->out_msg, ssl->out_msglen ); 02117 02118 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) ); 02119 02120 return( 0 ); 02121 } 02122 02123 static int ssl_decompress_buf( mbedtls_ssl_context *ssl ) 02124 { 02125 int ret; 02126 unsigned char *msg_post = ssl->in_msg; 02127 size_t len_pre = ssl->in_msglen; 02128 unsigned char *msg_pre = ssl->compress_buf; 02129 02130 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) ); 02131 02132 if( len_pre == 0 ) 02133 return( 0 ); 02134 02135 memcpy( msg_pre, ssl->in_msg, len_pre ); 02136 02137 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ", 02138 ssl->in_msglen ) ); 02139 02140 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload", 02141 ssl->in_msg, ssl->in_msglen ); 02142 02143 ssl->transform_in->ctx_inflate.next_in = msg_pre; 02144 ssl->transform_in->ctx_inflate.avail_in = len_pre; 02145 ssl->transform_in->ctx_inflate.next_out = msg_post; 02146 ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_MAX_CONTENT_LEN; 02147 02148 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH ); 02149 if( ret != Z_OK ) 02150 { 02151 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) ); 02152 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02153 } 02154 02155 ssl->in_msglen = MBEDTLS_SSL_MAX_CONTENT_LEN - 02156 ssl->transform_in->ctx_inflate.avail_out; 02157 02158 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ", 02159 ssl->in_msglen ) ); 02160 02161 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload", 02162 ssl->in_msg, ssl->in_msglen ); 02163 02164 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) ); 02165 02166 return( 0 ); 02167 } 02168 #endif /* MBEDTLS_ZLIB_SUPPORT */ 02169 02170 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02171 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ); 02172 02173 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02174 static int ssl_resend_hello_request( mbedtls_ssl_context *ssl ) 02175 { 02176 /* If renegotiation is not enforced, retransmit until we would reach max 02177 * timeout if we were using the usual handshake doubling scheme */ 02178 if( ssl->conf->renego_max_records < 0 ) 02179 { 02180 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; 02181 unsigned char doublings = 1; 02182 02183 while( ratio != 0 ) 02184 { 02185 ++doublings; 02186 ratio >>= 1; 02187 } 02188 02189 if( ++ssl->renego_records_seen > doublings ) 02190 { 02191 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) ); 02192 return( 0 ); 02193 } 02194 } 02195 02196 return( ssl_write_hello_request( ssl ) ); 02197 } 02198 #endif 02199 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02200 02201 /* 02202 * Fill the input message buffer by appending data to it. 02203 * The amount of data already fetched is in ssl->in_left. 02204 * 02205 * If we return 0, is it guaranteed that (at least) nb_want bytes are 02206 * available (from this read and/or a previous one). Otherwise, an error code 02207 * is returned (possibly EOF or WANT_READ). 02208 * 02209 * With stream transport (TLS) on success ssl->in_left == nb_want, but 02210 * with datagram transport (DTLS) on success ssl->in_left >= nb_want, 02211 * since we always read a whole datagram at once. 02212 * 02213 * For DTLS, it is up to the caller to set ssl->next_record_offset when 02214 * they're done reading a record. 02215 */ 02216 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) 02217 { 02218 int ret; 02219 size_t len; 02220 02221 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) ); 02222 02223 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) 02224 { 02225 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02226 "or mbedtls_ssl_set_bio()" ) ); 02227 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02228 } 02229 02230 if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) ) 02231 { 02232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) ); 02233 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02234 } 02235 02236 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02237 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02238 { 02239 uint32_t timeout; 02240 02241 /* Just to be sure */ 02242 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) 02243 { 02244 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use " 02245 "mbedtls_ssl_set_timer_cb() for DTLS" ) ); 02246 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02247 } 02248 02249 /* 02250 * The point is, we need to always read a full datagram at once, so we 02251 * sometimes read more then requested, and handle the additional data. 02252 * It could be the rest of the current record (while fetching the 02253 * header) and/or some other records in the same datagram. 02254 */ 02255 02256 /* 02257 * Move to the next record in the already read datagram if applicable 02258 */ 02259 if( ssl->next_record_offset != 0 ) 02260 { 02261 if( ssl->in_left < ssl->next_record_offset ) 02262 { 02263 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02264 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02265 } 02266 02267 ssl->in_left -= ssl->next_record_offset; 02268 02269 if( ssl->in_left != 0 ) 02270 { 02271 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d", 02272 ssl->next_record_offset ) ); 02273 memmove( ssl->in_hdr, 02274 ssl->in_hdr + ssl->next_record_offset, 02275 ssl->in_left ); 02276 } 02277 02278 ssl->next_record_offset = 0; 02279 } 02280 02281 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02282 ssl->in_left, nb_want ) ); 02283 02284 /* 02285 * Done if we already have enough data. 02286 */ 02287 if( nb_want <= ssl->in_left) 02288 { 02289 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02290 return( 0 ); 02291 } 02292 02293 /* 02294 * A record can't be split accross datagrams. If we need to read but 02295 * are not at the beginning of a new record, the caller did something 02296 * wrong. 02297 */ 02298 if( ssl->in_left != 0 ) 02299 { 02300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02301 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02302 } 02303 02304 /* 02305 * Don't even try to read if time's out already. 02306 * This avoids by-passing the timer when repeatedly receiving messages 02307 * that will end up being dropped. 02308 */ 02309 if( ssl_check_timer( ssl ) != 0 ) 02310 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02311 else 02312 { 02313 len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf ); 02314 02315 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02316 timeout = ssl->handshake->retransmit_timeout; 02317 else 02318 timeout = ssl->conf->read_timeout; 02319 02320 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) ); 02321 02322 if( ssl->f_recv_timeout != NULL ) 02323 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len, 02324 timeout ); 02325 else 02326 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len ); 02327 02328 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02329 02330 if( ret == 0 ) 02331 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02332 } 02333 02334 if( ret == MBEDTLS_ERR_SSL_TIMEOUT ) 02335 { 02336 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); 02337 ssl_set_timer( ssl, 0 ); 02338 02339 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02340 { 02341 if( ssl_double_retransmit_timeout( ssl ) != 0 ) 02342 { 02343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) ); 02344 return( MBEDTLS_ERR_SSL_TIMEOUT ); 02345 } 02346 02347 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 02348 { 02349 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 02350 return( ret ); 02351 } 02352 02353 return( MBEDTLS_ERR_SSL_WANT_READ ); 02354 } 02355 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02356 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 02357 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 02358 { 02359 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 02360 { 02361 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 02362 return( ret ); 02363 } 02364 02365 return( MBEDTLS_ERR_SSL_WANT_READ ); 02366 } 02367 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02368 } 02369 02370 if( ret < 0 ) 02371 return( ret ); 02372 02373 ssl->in_left = ret; 02374 } 02375 else 02376 #endif 02377 { 02378 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02379 ssl->in_left, nb_want ) ); 02380 02381 while( ssl->in_left < nb_want ) 02382 { 02383 len = nb_want - ssl->in_left; 02384 02385 if( ssl_check_timer( ssl ) != 0 ) 02386 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02387 else 02388 { 02389 if( ssl->f_recv_timeout != NULL ) 02390 { 02391 ret = ssl->f_recv_timeout( ssl->p_bio, 02392 ssl->in_hdr + ssl->in_left, len, 02393 ssl->conf->read_timeout ); 02394 } 02395 else 02396 { 02397 ret = ssl->f_recv( ssl->p_bio, 02398 ssl->in_hdr + ssl->in_left, len ); 02399 } 02400 } 02401 02402 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02403 ssl->in_left, nb_want ) ); 02404 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02405 02406 if( ret == 0 ) 02407 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02408 02409 if( ret < 0 ) 02410 return( ret ); 02411 02412 ssl->in_left += ret; 02413 } 02414 } 02415 02416 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02417 02418 return( 0 ); 02419 } 02420 02421 /* 02422 * Flush any data not yet written 02423 */ 02424 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) 02425 { 02426 int ret; 02427 unsigned char *buf, i; 02428 02429 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) ); 02430 02431 if( ssl->f_send == NULL ) 02432 { 02433 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02434 "or mbedtls_ssl_set_bio()" ) ); 02435 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02436 } 02437 02438 /* Avoid incrementing counter if data is flushed */ 02439 if( ssl->out_left == 0 ) 02440 { 02441 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02442 return( 0 ); 02443 } 02444 02445 while( ssl->out_left > 0 ) 02446 { 02447 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d", 02448 mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) ); 02449 02450 buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) + 02451 ssl->out_msglen - ssl->out_left; 02452 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left ); 02453 02454 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret ); 02455 02456 if( ret <= 0 ) 02457 return( ret ); 02458 02459 ssl->out_left -= ret; 02460 } 02461 02462 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02463 if( ++ssl->out_ctr[i - 1] != 0 ) 02464 break; 02465 02466 /* The loop goes to its end iff the counter is wrapping */ 02467 if( i == ssl_ep_len( ssl ) ) 02468 { 02469 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) ); 02470 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02471 } 02472 02473 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02474 02475 return( 0 ); 02476 } 02477 02478 /* 02479 * Functions to handle the DTLS retransmission state machine 02480 */ 02481 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02482 /* 02483 * Append current handshake message to current outgoing flight 02484 */ 02485 static int ssl_flight_append( mbedtls_ssl_context *ssl ) 02486 { 02487 mbedtls_ssl_flight_item *msg; 02488 02489 /* Allocate space for current message */ 02490 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL ) 02491 { 02492 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", 02493 sizeof( mbedtls_ssl_flight_item ) ) ); 02494 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02495 } 02496 02497 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL ) 02498 { 02499 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) ); 02500 mbedtls_free( msg ); 02501 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02502 } 02503 02504 /* Copy current handshake message with headers */ 02505 memcpy( msg->p, ssl->out_msg, ssl->out_msglen ); 02506 msg->len = ssl->out_msglen; 02507 msg->type = ssl->out_msgtype; 02508 msg->next = NULL; 02509 02510 /* Append to the current flight */ 02511 if( ssl->handshake->flight == NULL ) 02512 ssl->handshake->flight = msg; 02513 else 02514 { 02515 mbedtls_ssl_flight_item *cur = ssl->handshake->flight; 02516 while( cur->next != NULL ) 02517 cur = cur->next; 02518 cur->next = msg; 02519 } 02520 02521 return( 0 ); 02522 } 02523 02524 /* 02525 * Free the current flight of handshake messages 02526 */ 02527 static void ssl_flight_free( mbedtls_ssl_flight_item *flight ) 02528 { 02529 mbedtls_ssl_flight_item *cur = flight; 02530 mbedtls_ssl_flight_item *next; 02531 02532 while( cur != NULL ) 02533 { 02534 next = cur->next; 02535 02536 mbedtls_free( cur->p ); 02537 mbedtls_free( cur ); 02538 02539 cur = next; 02540 } 02541 } 02542 02543 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 02544 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ); 02545 #endif 02546 02547 /* 02548 * Swap transform_out and out_ctr with the alternative ones 02549 */ 02550 static void ssl_swap_epochs( mbedtls_ssl_context *ssl ) 02551 { 02552 mbedtls_ssl_transform *tmp_transform; 02553 unsigned char tmp_out_ctr[8]; 02554 02555 if( ssl->transform_out == ssl->handshake->alt_transform_out ) 02556 { 02557 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) ); 02558 return; 02559 } 02560 02561 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) ); 02562 02563 /* Swap transforms */ 02564 tmp_transform = ssl->transform_out; 02565 ssl->transform_out = ssl->handshake->alt_transform_out; 02566 ssl->handshake->alt_transform_out = tmp_transform; 02567 02568 /* Swap epoch + sequence_number */ 02569 memcpy( tmp_out_ctr, ssl->out_ctr, 8 ); 02570 memcpy( ssl->out_ctr, ssl->handshake->alt_out_ctr, 8 ); 02571 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 ); 02572 02573 /* Adjust to the newly activated transform */ 02574 if( ssl->transform_out != NULL && 02575 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 02576 { 02577 ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen - 02578 ssl->transform_out->fixed_ivlen; 02579 } 02580 else 02581 ssl->out_msg = ssl->out_iv; 02582 02583 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02584 if( mbedtls_ssl_hw_record_activate != NULL ) 02585 { 02586 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 02587 { 02588 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 02589 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02590 } 02591 } 02592 #endif 02593 } 02594 02595 /* 02596 * Retransmit the current flight of messages. 02597 * 02598 * Need to remember the current message in case flush_output returns 02599 * WANT_WRITE, causing us to exit this function and come back later. 02600 * This function must be called until state is no longer SENDING. 02601 */ 02602 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl ) 02603 { 02604 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) ); 02605 02606 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING ) 02607 { 02608 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) ); 02609 02610 ssl->handshake->cur_msg = ssl->handshake->flight; 02611 ssl_swap_epochs( ssl ); 02612 02613 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING; 02614 } 02615 02616 while( ssl->handshake->cur_msg != NULL ) 02617 { 02618 int ret; 02619 mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg; 02620 02621 /* Swap epochs before sending Finished: we can't do it after 02622 * sending ChangeCipherSpec, in case write returns WANT_READ. 02623 * Must be done before copying, may change out_msg pointer */ 02624 if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE && 02625 cur->p[0] == MBEDTLS_SSL_HS_FINISHED ) 02626 { 02627 ssl_swap_epochs( ssl ); 02628 } 02629 02630 memcpy( ssl->out_msg, cur->p, cur->len ); 02631 ssl->out_msglen = cur->len; 02632 ssl->out_msgtype = cur->type; 02633 02634 ssl->handshake->cur_msg = cur->next; 02635 02636 MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 ); 02637 02638 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02639 { 02640 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02641 return( ret ); 02642 } 02643 } 02644 02645 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 02646 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02647 else 02648 { 02649 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02650 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02651 } 02652 02653 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) ); 02654 02655 return( 0 ); 02656 } 02657 02658 /* 02659 * To be called when the last message of an incoming flight is received. 02660 */ 02661 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl ) 02662 { 02663 /* We won't need to resend that one any more */ 02664 ssl_flight_free( ssl->handshake->flight ); 02665 ssl->handshake->flight = NULL; 02666 ssl->handshake->cur_msg = NULL; 02667 02668 /* The next incoming flight will start with this msg_seq */ 02669 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq; 02670 02671 /* Cancel timer */ 02672 ssl_set_timer( ssl, 0 ); 02673 02674 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02675 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02676 { 02677 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02678 } 02679 else 02680 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 02681 } 02682 02683 /* 02684 * To be called when the last message of an outgoing flight is send. 02685 */ 02686 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ) 02687 { 02688 ssl_reset_retransmit_timeout( ssl ); 02689 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02690 02691 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02692 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02693 { 02694 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02695 } 02696 else 02697 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02698 } 02699 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02700 02701 /* 02702 * Record layer functions 02703 */ 02704 02705 /* 02706 * Write current record. 02707 * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg. 02708 */ 02709 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) 02710 { 02711 int ret, done = 0; 02712 size_t len = ssl->out_msglen; 02713 02714 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) ); 02715 02716 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02717 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02718 ssl->handshake != NULL && 02719 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 02720 { 02721 ; /* Skip special handshake treatment when resending */ 02722 } 02723 else 02724 #endif 02725 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 02726 { 02727 if( ssl->out_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST && 02728 ssl->handshake == NULL ) 02729 { 02730 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02731 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02732 } 02733 02734 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 ); 02735 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 ); 02736 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) ); 02737 02738 /* 02739 * DTLS has additional fields in the Handshake layer, 02740 * between the length field and the actual payload: 02741 * uint16 message_seq; 02742 * uint24 fragment_offset; 02743 * uint24 fragment_length; 02744 */ 02745 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02746 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02747 { 02748 /* Make room for the additional DTLS fields */ 02749 memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 ); 02750 ssl->out_msglen += 8; 02751 len += 8; 02752 02753 /* Write message_seq and update it, except for HelloRequest */ 02754 if( ssl->out_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02755 { 02756 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF; 02757 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF; 02758 ++( ssl->handshake->out_msg_seq ); 02759 } 02760 else 02761 { 02762 ssl->out_msg[4] = 0; 02763 ssl->out_msg[5] = 0; 02764 } 02765 02766 /* We don't fragment, so frag_offset = 0 and frag_len = len */ 02767 memset( ssl->out_msg + 6, 0x00, 3 ); 02768 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ); 02769 } 02770 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02771 02772 if( ssl->out_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02773 ssl->handshake->update_checksum( ssl, ssl->out_msg, len ); 02774 } 02775 02776 /* Save handshake and CCS messages for resending */ 02777 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02778 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02779 ssl->handshake != NULL && 02780 ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING && 02781 ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC || 02782 ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) ) 02783 { 02784 if( ( ret = ssl_flight_append( ssl ) ) != 0 ) 02785 { 02786 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret ); 02787 return( ret ); 02788 } 02789 } 02790 #endif 02791 02792 #if defined(MBEDTLS_ZLIB_SUPPORT) 02793 if( ssl->transform_out != NULL && 02794 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 02795 { 02796 if( ( ret = ssl_compress_buf( ssl ) ) != 0 ) 02797 { 02798 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret ); 02799 return( ret ); 02800 } 02801 02802 len = ssl->out_msglen; 02803 } 02804 #endif /*MBEDTLS_ZLIB_SUPPORT */ 02805 02806 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02807 if( mbedtls_ssl_hw_record_write != NULL ) 02808 { 02809 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) ); 02810 02811 ret = mbedtls_ssl_hw_record_write( ssl ); 02812 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 02813 { 02814 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret ); 02815 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02816 } 02817 02818 if( ret == 0 ) 02819 done = 1; 02820 } 02821 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 02822 if( !done ) 02823 { 02824 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; 02825 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02826 ssl->conf->transport, ssl->out_hdr + 1 ); 02827 02828 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02829 ssl->out_len[1] = (unsigned char)( len ); 02830 02831 if( ssl->transform_out != NULL ) 02832 { 02833 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 ) 02834 { 02835 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); 02836 return( ret ); 02837 } 02838 02839 len = ssl->out_msglen; 02840 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02841 ssl->out_len[1] = (unsigned char)( len ); 02842 } 02843 02844 ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen; 02845 02846 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, " 02847 "version = [%d:%d], msglen = %d", 02848 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2], 02849 ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) ); 02850 02851 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", 02852 ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen ); 02853 } 02854 02855 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 02856 { 02857 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 02858 return( ret ); 02859 } 02860 02861 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) ); 02862 02863 return( 0 ); 02864 } 02865 02866 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02867 /* 02868 * Mark bits in bitmask (used for DTLS HS reassembly) 02869 */ 02870 static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len ) 02871 { 02872 unsigned int start_bits, end_bits; 02873 02874 start_bits = 8 - ( offset % 8 ); 02875 if( start_bits != 8 ) 02876 { 02877 size_t first_byte_idx = offset / 8; 02878 02879 /* Special case */ 02880 if( len <= start_bits ) 02881 { 02882 for( ; len != 0; len-- ) 02883 mask[first_byte_idx] |= 1 << ( start_bits - len ); 02884 02885 /* Avoid potential issues with offset or len becoming invalid */ 02886 return; 02887 } 02888 02889 offset += start_bits; /* Now offset % 8 == 0 */ 02890 len -= start_bits; 02891 02892 for( ; start_bits != 0; start_bits-- ) 02893 mask[first_byte_idx] |= 1 << ( start_bits - 1 ); 02894 } 02895 02896 end_bits = len % 8; 02897 if( end_bits != 0 ) 02898 { 02899 size_t last_byte_idx = ( offset + len ) / 8; 02900 02901 len -= end_bits; /* Now len % 8 == 0 */ 02902 02903 for( ; end_bits != 0; end_bits-- ) 02904 mask[last_byte_idx] |= 1 << ( 8 - end_bits ); 02905 } 02906 02907 memset( mask + offset / 8, 0xFF, len / 8 ); 02908 } 02909 02910 /* 02911 * Check that bitmask is full 02912 */ 02913 static int ssl_bitmask_check( unsigned char *mask, size_t len ) 02914 { 02915 size_t i; 02916 02917 for( i = 0; i < len / 8; i++ ) 02918 if( mask[i] != 0xFF ) 02919 return( -1 ); 02920 02921 for( i = 0; i < len % 8; i++ ) 02922 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 ) 02923 return( -1 ); 02924 02925 return( 0 ); 02926 } 02927 02928 /* 02929 * Reassemble fragmented DTLS handshake messages. 02930 * 02931 * Use a temporary buffer for reassembly, divided in two parts: 02932 * - the first holds the reassembled message (including handshake header), 02933 * - the second holds a bitmask indicating which parts of the message 02934 * (excluding headers) have been received so far. 02935 */ 02936 static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) 02937 { 02938 unsigned char *msg, *bitmask; 02939 size_t frag_len, frag_off; 02940 size_t msg_len = ssl->in_hslen - 12; /* Without headers */ 02941 02942 if( ssl->handshake == NULL ) 02943 { 02944 MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) ); 02945 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 02946 } 02947 02948 /* 02949 * For first fragment, check size and allocate buffer 02950 */ 02951 if( ssl->handshake->hs_msg == NULL ) 02952 { 02953 size_t alloc_len; 02954 02955 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d", 02956 msg_len ) ); 02957 02958 if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02959 { 02960 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) ); 02961 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 02962 } 02963 02964 /* The bitmask needs one bit per byte of message excluding header */ 02965 alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 ); 02966 02967 ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len ); 02968 if( ssl->handshake->hs_msg == NULL ) 02969 { 02970 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) ); 02971 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02972 } 02973 02974 /* Prepare final header: copy msg_type, length and message_seq, 02975 * then add standardised fragment_offset and fragment_length */ 02976 memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 ); 02977 memset( ssl->handshake->hs_msg + 6, 0, 3 ); 02978 memcpy( ssl->handshake->hs_msg + 9, 02979 ssl->handshake->hs_msg + 1, 3 ); 02980 } 02981 else 02982 { 02983 /* Make sure msg_type and length are consistent */ 02984 if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 ) 02985 { 02986 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) ); 02987 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 02988 } 02989 } 02990 02991 msg = ssl->handshake->hs_msg + 12; 02992 bitmask = msg + msg_len; 02993 02994 /* 02995 * Check and copy current fragment 02996 */ 02997 frag_off = ( ssl->in_msg[6] << 16 ) | 02998 ( ssl->in_msg[7] << 8 ) | 02999 ssl->in_msg[8]; 03000 frag_len = ( ssl->in_msg[9] << 16 ) | 03001 ( ssl->in_msg[10] << 8 ) | 03002 ssl->in_msg[11]; 03003 03004 if( frag_off + frag_len > msg_len ) 03005 { 03006 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d", 03007 frag_off, frag_len, msg_len ) ); 03008 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03009 } 03010 03011 if( frag_len + 12 > ssl->in_msglen ) 03012 { 03013 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d", 03014 frag_len, ssl->in_msglen ) ); 03015 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03016 } 03017 03018 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d", 03019 frag_off, frag_len ) ); 03020 03021 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len ); 03022 ssl_bitmask_set( bitmask, frag_off, frag_len ); 03023 03024 /* 03025 * Do we have the complete message by now? 03026 * If yes, finalize it, else ask to read the next record. 03027 */ 03028 if( ssl_bitmask_check( bitmask, msg_len ) != 0 ) 03029 { 03030 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) ); 03031 return( MBEDTLS_ERR_SSL_WANT_READ ); 03032 } 03033 03034 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) ); 03035 03036 if( frag_len + 12 < ssl->in_msglen ) 03037 { 03038 /* 03039 * We'got more handshake messages in the same record. 03040 * This case is not handled now because no know implementation does 03041 * that and it's hard to test, so we prefer to fail cleanly for now. 03042 */ 03043 MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) ); 03044 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03045 } 03046 03047 if( ssl->in_left > ssl->next_record_offset ) 03048 { 03049 /* 03050 * We've got more data in the buffer after the current record, 03051 * that we don't want to overwrite. Move it before writing the 03052 * reassembled message, and adjust in_left and next_record_offset. 03053 */ 03054 unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset; 03055 unsigned char *new_remain = ssl->in_msg + ssl->in_hslen; 03056 size_t remain_len = ssl->in_left - ssl->next_record_offset; 03057 03058 /* First compute and check new lengths */ 03059 ssl->next_record_offset = new_remain - ssl->in_hdr; 03060 ssl->in_left = ssl->next_record_offset + remain_len; 03061 03062 if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN - 03063 (size_t)( ssl->in_hdr - ssl->in_buf ) ) 03064 { 03065 MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) ); 03066 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03067 } 03068 03069 memmove( new_remain, cur_remain, remain_len ); 03070 } 03071 03072 memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen ); 03073 03074 mbedtls_free( ssl->handshake->hs_msg ); 03075 ssl->handshake->hs_msg = NULL; 03076 03077 MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message", 03078 ssl->in_msg, ssl->in_hslen ); 03079 03080 return( 0 ); 03081 } 03082 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03083 03084 static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) 03085 { 03086 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) ) 03087 { 03088 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d", 03089 ssl->in_msglen ) ); 03090 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03091 } 03092 03093 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ( 03094 ( ssl->in_msg[1] << 16 ) | 03095 ( ssl->in_msg[2] << 8 ) | 03096 ssl->in_msg[3] ); 03097 03098 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" 03099 " %d, type = %d, hslen = %d", 03100 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); 03101 03102 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03103 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03104 { 03105 int ret; 03106 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 03107 03108 /* ssl->handshake is NULL when receiving ClientHello for renego */ 03109 if( ssl->handshake != NULL && 03110 recv_msg_seq != ssl->handshake->in_msg_seq ) 03111 { 03112 /* Retransmit only on last message from previous flight, to avoid 03113 * too many retransmissions. 03114 * Besides, No sane server ever retransmits HelloVerifyRequest */ 03115 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 && 03116 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 03117 { 03118 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, " 03119 "message_seq = %d, start_of_flight = %d", 03120 recv_msg_seq, 03121 ssl->handshake->in_flight_start_seq ) ); 03122 03123 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03124 { 03125 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 03126 return( ret ); 03127 } 03128 } 03129 else 03130 { 03131 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: " 03132 "message_seq = %d, expected = %d", 03133 recv_msg_seq, 03134 ssl->handshake->in_msg_seq ) ); 03135 } 03136 03137 return( MBEDTLS_ERR_SSL_WANT_READ ); 03138 } 03139 /* Wait until message completion to increment in_msg_seq */ 03140 03141 /* Reassemble if current message is fragmented or reassembly is 03142 * already in progress */ 03143 if( ssl->in_msglen < ssl->in_hslen || 03144 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 || 03145 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 || 03146 ( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) ) 03147 { 03148 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) ); 03149 03150 if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 ) 03151 { 03152 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret ); 03153 return( ret ); 03154 } 03155 } 03156 } 03157 else 03158 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03159 /* With TLS we don't handle fragmentation (for now) */ 03160 if( ssl->in_msglen < ssl->in_hslen ) 03161 { 03162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); 03163 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03164 } 03165 03166 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && 03167 ssl->handshake != NULL ) 03168 { 03169 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); 03170 } 03171 03172 /* Handshake message is complete, increment counter */ 03173 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03174 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03175 ssl->handshake != NULL ) 03176 { 03177 ssl->handshake->in_msg_seq++; 03178 } 03179 #endif 03180 03181 return( 0 ); 03182 } 03183 03184 /* 03185 * DTLS anti-replay: RFC 6347 4.1.2.6 03186 * 03187 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb). 03188 * Bit n is set iff record number in_window_top - n has been seen. 03189 * 03190 * Usually, in_window_top is the last record number seen and the lsb of 03191 * in_window is set. The only exception is the initial state (record number 0 03192 * not seen yet). 03193 */ 03194 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03195 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ) 03196 { 03197 ssl->in_window_top = 0; 03198 ssl->in_window = 0; 03199 } 03200 03201 static inline uint64_t ssl_load_six_bytes( unsigned char *buf ) 03202 { 03203 return( ( (uint64_t) buf[0] << 40 ) | 03204 ( (uint64_t) buf[1] << 32 ) | 03205 ( (uint64_t) buf[2] << 24 ) | 03206 ( (uint64_t) buf[3] << 16 ) | 03207 ( (uint64_t) buf[4] << 8 ) | 03208 ( (uint64_t) buf[5] ) ); 03209 } 03210 03211 /* 03212 * Return 0 if sequence number is acceptable, -1 otherwise 03213 */ 03214 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl ) 03215 { 03216 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03217 uint64_t bit; 03218 03219 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03220 return( 0 ); 03221 03222 if( rec_seqnum > ssl->in_window_top ) 03223 return( 0 ); 03224 03225 bit = ssl->in_window_top - rec_seqnum; 03226 03227 if( bit >= 64 ) 03228 return( -1 ); 03229 03230 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 ) 03231 return( -1 ); 03232 03233 return( 0 ); 03234 } 03235 03236 /* 03237 * Update replay window on new validated record 03238 */ 03239 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) 03240 { 03241 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03242 03243 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03244 return; 03245 03246 if( rec_seqnum > ssl->in_window_top ) 03247 { 03248 /* Update window_top and the contents of the window */ 03249 uint64_t shift = rec_seqnum - ssl->in_window_top; 03250 03251 if( shift >= 64 ) 03252 ssl->in_window = 1; 03253 else 03254 { 03255 ssl->in_window <<= shift; 03256 ssl->in_window |= 1; 03257 } 03258 03259 ssl->in_window_top = rec_seqnum; 03260 } 03261 else 03262 { 03263 /* Mark that number as seen in the current window */ 03264 uint64_t bit = ssl->in_window_top - rec_seqnum; 03265 03266 if( bit < 64 ) /* Always true, but be extra sure */ 03267 ssl->in_window |= (uint64_t) 1 << bit; 03268 } 03269 } 03270 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 03271 03272 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03273 /* Forward declaration */ 03274 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); 03275 03276 /* 03277 * Without any SSL context, check if a datagram looks like a ClientHello with 03278 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message. 03279 * Both input and output include full DTLS headers. 03280 * 03281 * - if cookie is valid, return 0 03282 * - if ClientHello looks superficially valid but cookie is not, 03283 * fill obuf and set olen, then 03284 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03285 * - otherwise return a specific error code 03286 */ 03287 static int ssl_check_dtls_clihlo_cookie( 03288 mbedtls_ssl_cookie_write_t *f_cookie_write, 03289 mbedtls_ssl_cookie_check_t *f_cookie_check, 03290 void *p_cookie, 03291 const unsigned char *cli_id, size_t cli_id_len, 03292 const unsigned char *in, size_t in_len, 03293 unsigned char *obuf, size_t buf_len, size_t *olen ) 03294 { 03295 size_t sid_len, cookie_len; 03296 unsigned char *p; 03297 03298 if( f_cookie_write == NULL || f_cookie_check == NULL ) 03299 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03300 03301 /* 03302 * Structure of ClientHello with record and handshake headers, 03303 * and expected values. We don't need to check a lot, more checks will be 03304 * done when actually parsing the ClientHello - skipping those checks 03305 * avoids code duplication and does not make cookie forging any easier. 03306 * 03307 * 0-0 ContentType type; copied, must be handshake 03308 * 1-2 ProtocolVersion version; copied 03309 * 3-4 uint16 epoch; copied, must be 0 03310 * 5-10 uint48 sequence_number; copied 03311 * 11-12 uint16 length; (ignored) 03312 * 03313 * 13-13 HandshakeType msg_type; (ignored) 03314 * 14-16 uint24 length; (ignored) 03315 * 17-18 uint16 message_seq; copied 03316 * 19-21 uint24 fragment_offset; copied, must be 0 03317 * 22-24 uint24 fragment_length; (ignored) 03318 * 03319 * 25-26 ProtocolVersion client_version; (ignored) 03320 * 27-58 Random random; (ignored) 03321 * 59-xx SessionID session_id; 1 byte len + sid_len content 03322 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content 03323 * ... 03324 * 03325 * Minimum length is 61 bytes. 03326 */ 03327 if( in_len < 61 || 03328 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || 03329 in[3] != 0 || in[4] != 0 || 03330 in[19] != 0 || in[20] != 0 || in[21] != 0 ) 03331 { 03332 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03333 } 03334 03335 sid_len = in[59]; 03336 if( sid_len > in_len - 61 ) 03337 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03338 03339 cookie_len = in[60 + sid_len]; 03340 if( cookie_len > in_len - 60 ) 03341 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03342 03343 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len, 03344 cli_id, cli_id_len ) == 0 ) 03345 { 03346 /* Valid cookie */ 03347 return( 0 ); 03348 } 03349 03350 /* 03351 * If we get here, we've got an invalid cookie, let's prepare HVR. 03352 * 03353 * 0-0 ContentType type; copied 03354 * 1-2 ProtocolVersion version; copied 03355 * 3-4 uint16 epoch; copied 03356 * 5-10 uint48 sequence_number; copied 03357 * 11-12 uint16 length; olen - 13 03358 * 03359 * 13-13 HandshakeType msg_type; hello_verify_request 03360 * 14-16 uint24 length; olen - 25 03361 * 17-18 uint16 message_seq; copied 03362 * 19-21 uint24 fragment_offset; copied 03363 * 22-24 uint24 fragment_length; olen - 25 03364 * 03365 * 25-26 ProtocolVersion server_version; 0xfe 0xff 03366 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie 03367 * 03368 * Minimum length is 28. 03369 */ 03370 if( buf_len < 28 ) 03371 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03372 03373 /* Copy most fields and adapt others */ 03374 memcpy( obuf, in, 25 ); 03375 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 03376 obuf[25] = 0xfe; 03377 obuf[26] = 0xff; 03378 03379 /* Generate and write actual cookie */ 03380 p = obuf + 28; 03381 if( f_cookie_write( p_cookie, 03382 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 ) 03383 { 03384 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03385 } 03386 03387 *olen = p - obuf; 03388 03389 /* Go back and fill length fields */ 03390 obuf[27] = (unsigned char)( *olen - 28 ); 03391 03392 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 ); 03393 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 ); 03394 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) ); 03395 03396 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 ); 03397 obuf[12] = (unsigned char)( ( *olen - 13 ) ); 03398 03399 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03400 } 03401 03402 /* 03403 * Handle possible client reconnect with the same UDP quadruplet 03404 * (RFC 6347 Section 4.2.8). 03405 * 03406 * Called by ssl_parse_record_header() in case we receive an epoch 0 record 03407 * that looks like a ClientHello. 03408 * 03409 * - if the input looks like a ClientHello without cookies, 03410 * send back HelloVerifyRequest, then 03411 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03412 * - if the input looks like a ClientHello with a valid cookie, 03413 * reset the session of the current context, and 03414 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT 03415 * - if anything goes wrong, return a specific error code 03416 * 03417 * mbedtls_ssl_read_record() will ignore the record if anything else than 03418 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function 03419 * cannot not return 0. 03420 */ 03421 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) 03422 { 03423 int ret; 03424 size_t len; 03425 03426 ret = ssl_check_dtls_clihlo_cookie( 03427 ssl->conf->f_cookie_write, 03428 ssl->conf->f_cookie_check, 03429 ssl->conf->p_cookie, 03430 ssl->cli_id, ssl->cli_id_len, 03431 ssl->in_buf, ssl->in_left, 03432 ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len ); 03433 03434 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret ); 03435 03436 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) 03437 { 03438 /* Dont check write errors as we can't do anything here. 03439 * If the error is permanent we'll catch it later, 03440 * if it's not, then hopefully it'll work next time. */ 03441 (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len ); 03442 03443 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03444 } 03445 03446 if( ret == 0 ) 03447 { 03448 /* Got a valid cookie, partially reset context */ 03449 if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 ) 03450 { 03451 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret ); 03452 return( ret ); 03453 } 03454 03455 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT ); 03456 } 03457 03458 return( ret ); 03459 } 03460 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03461 03462 /* 03463 * ContentType type; 03464 * ProtocolVersion version; 03465 * uint16 epoch; // DTLS only 03466 * uint48 sequence_number; // DTLS only 03467 * uint16 length; 03468 */ 03469 static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) 03470 { 03471 int ret; 03472 int major_ver, minor_ver; 03473 03474 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) ); 03475 03476 ssl->in_msgtype = ssl->in_hdr[0]; 03477 ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 03478 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 ); 03479 03480 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, " 03481 "version = [%d:%d], msglen = %d", 03482 ssl->in_msgtype, 03483 major_ver, minor_ver, ssl->in_msglen ) ); 03484 03485 /* Check record type */ 03486 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && 03487 ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT && 03488 ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03489 ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 03490 { 03491 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); 03492 03493 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 03494 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03495 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 ) 03496 { 03497 return( ret ); 03498 } 03499 03500 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03501 } 03502 03503 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03504 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03505 { 03506 /* Drop unexpected ChangeCipherSpec messages */ 03507 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03508 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && 03509 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) 03510 { 03511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) ); 03512 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03513 } 03514 03515 /* Drop unexpected ApplicationData records, 03516 * except at the beginning of renegotiations */ 03517 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA && 03518 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER 03519 #if defined(MBEDTLS_SSL_RENEGOTIATION) 03520 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 03521 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) 03522 #endif 03523 ) 03524 { 03525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) ); 03526 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03527 } 03528 } 03529 #endif 03530 03531 /* Check version */ 03532 if( major_ver != ssl->major_ver ) 03533 { 03534 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); 03535 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03536 } 03537 03538 if( minor_ver > ssl->conf->max_minor_ver ) 03539 { 03540 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); 03541 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03542 } 03543 03544 /* Check epoch (and sequence number) with DTLS */ 03545 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03546 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03547 { 03548 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; 03549 03550 if( rec_epoch != ssl->in_epoch ) 03551 { 03552 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: " 03553 "expected %d, received %d", 03554 ssl->in_epoch, rec_epoch ) ); 03555 03556 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03557 /* 03558 * Check for an epoch 0 ClientHello. We can't use in_msg here to 03559 * access the first byte of record content (handshake type), as we 03560 * have an active transform (possibly iv_len != 0), so use the 03561 * fact that the record header len is 13 instead. 03562 */ 03563 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 03564 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && 03565 rec_epoch == 0 && 03566 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 03567 ssl->in_left > 13 && 03568 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) 03569 { 03570 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect " 03571 "from the same port" ) ); 03572 return( ssl_handle_possible_reconnect( ssl ) ); 03573 } 03574 else 03575 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03576 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03577 } 03578 03579 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03580 /* Replay detection only works for the current epoch */ 03581 if( rec_epoch == ssl->in_epoch && 03582 mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 03583 { 03584 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) ); 03585 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03586 } 03587 #endif 03588 } 03589 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03590 03591 /* Check length against the size of our buffer */ 03592 if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN 03593 - (size_t)( ssl->in_msg - ssl->in_buf ) ) 03594 { 03595 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03596 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03597 } 03598 03599 /* Check length against bounds of the current transform and version */ 03600 if( ssl->transform_in == NULL ) 03601 { 03602 if( ssl->in_msglen < 1 || 03603 ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03604 { 03605 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03606 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03607 } 03608 } 03609 else 03610 { 03611 if( ssl->in_msglen < ssl->transform_in->minlen ) 03612 { 03613 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03614 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03615 } 03616 03617 #if defined(MBEDTLS_SSL_PROTO_SSL3) 03618 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 03619 ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN ) 03620 { 03621 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03622 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03623 } 03624 #endif 03625 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03626 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03627 /* 03628 * TLS encrypted messages can have up to 256 bytes of padding 03629 */ 03630 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 && 03631 ssl->in_msglen > ssl->transform_in->minlen + 03632 MBEDTLS_SSL_MAX_CONTENT_LEN + 256 ) 03633 { 03634 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03635 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03636 } 03637 #endif 03638 } 03639 03640 return( 0 ); 03641 } 03642 03643 /* 03644 * If applicable, decrypt (and decompress) record content 03645 */ 03646 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) 03647 { 03648 int ret, done = 0; 03649 03650 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network", 03651 ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ); 03652 03653 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 03654 if( mbedtls_ssl_hw_record_read != NULL ) 03655 { 03656 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) ); 03657 03658 ret = mbedtls_ssl_hw_record_read( ssl ); 03659 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 03660 { 03661 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret ); 03662 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 03663 } 03664 03665 if( ret == 0 ) 03666 done = 1; 03667 } 03668 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 03669 if( !done && ssl->transform_in != NULL ) 03670 { 03671 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 ) 03672 { 03673 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); 03674 return( ret ); 03675 } 03676 03677 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt", 03678 ssl->in_msg, ssl->in_msglen ); 03679 03680 if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03681 { 03682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03683 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03684 } 03685 } 03686 03687 #if defined(MBEDTLS_ZLIB_SUPPORT) 03688 if( ssl->transform_in != NULL && 03689 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 03690 { 03691 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 ) 03692 { 03693 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret ); 03694 return( ret ); 03695 } 03696 03697 // TODO: what's the purpose of these lines? is in_len used? 03698 ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 ); 03699 ssl->in_len[1] = (unsigned char)( ssl->in_msglen ); 03700 } 03701 #endif /* MBEDTLS_ZLIB_SUPPORT */ 03702 03703 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03704 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03705 { 03706 mbedtls_ssl_dtls_replay_update( ssl ); 03707 } 03708 #endif 03709 03710 return( 0 ); 03711 } 03712 03713 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ); 03714 03715 /* 03716 * Read a record. 03717 * 03718 * Silently ignore non-fatal alert (and for DTLS, invalid records as well, 03719 * RFC 6347 4.1.2.7) and continue reading until a valid record is found. 03720 * 03721 */ 03722 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) 03723 { 03724 int ret; 03725 03726 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) ); 03727 03728 if( ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen ) 03729 { 03730 /* 03731 * Get next Handshake message in the current record 03732 */ 03733 ssl->in_msglen -= ssl->in_hslen; 03734 03735 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen, 03736 ssl->in_msglen ); 03737 03738 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record", 03739 ssl->in_msg, ssl->in_msglen ); 03740 03741 if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 ) 03742 return( ret ); 03743 03744 return( 0 ); 03745 } 03746 03747 ssl->in_hslen = 0; 03748 03749 /* 03750 * Read the record header and parse it 03751 */ 03752 read_record_header: 03753 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 ) 03754 { 03755 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03756 return( ret ); 03757 } 03758 03759 if( ( ret = ssl_parse_record_header( ssl ) ) != 0 ) 03760 { 03761 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03762 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03763 ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT ) 03764 { 03765 /* Ignore bad record and get next one; drop the whole datagram 03766 * since current header cannot be trusted to find the next record 03767 * in current datagram */ 03768 ssl->next_record_offset = 0; 03769 ssl->in_left = 0; 03770 03771 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (header)" ) ); 03772 goto read_record_header; 03773 } 03774 #endif 03775 return( ret ); 03776 } 03777 03778 /* 03779 * Read and optionally decrypt the message contents 03780 */ 03781 if( ( ret = mbedtls_ssl_fetch_input( ssl, 03782 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 ) 03783 { 03784 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03785 return( ret ); 03786 } 03787 03788 /* Done reading this record, get ready for the next one */ 03789 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03790 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03791 ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl ); 03792 else 03793 #endif 03794 ssl->in_left = 0; 03795 03796 if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) 03797 { 03798 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03799 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03800 { 03801 /* Silently discard invalid records */ 03802 if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD || 03803 ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03804 { 03805 /* Except when waiting for Finished as a bad mac here 03806 * probably means something went wrong in the handshake 03807 * (eg wrong psk used, mitm downgrade attempt, etc.) */ 03808 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED || 03809 ssl->state == MBEDTLS_SSL_SERVER_FINISHED ) 03810 { 03811 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 03812 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03813 { 03814 mbedtls_ssl_send_alert_message( ssl, 03815 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03816 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 03817 } 03818 #endif 03819 return( ret ); 03820 } 03821 03822 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 03823 if( ssl->conf->badmac_limit != 0 && 03824 ++ssl->badmac_seen >= ssl->conf->badmac_limit ) 03825 { 03826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); 03827 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 03828 } 03829 #endif 03830 03831 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) ); 03832 goto read_record_header; 03833 } 03834 03835 return( ret ); 03836 } 03837 else 03838 #endif 03839 { 03840 /* Error out (and send alert) on invalid records */ 03841 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 03842 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03843 { 03844 mbedtls_ssl_send_alert_message( ssl, 03845 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03846 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 03847 } 03848 #endif 03849 return( ret ); 03850 } 03851 } 03852 03853 /* 03854 * When we sent the last flight of the handshake, we MUST respond to a 03855 * retransmit of the peer's previous flight with a retransmit. (In 03856 * practice, only the Finished message will make it, other messages 03857 * including CCS use the old transform so they're dropped as invalid.) 03858 * 03859 * If the record we received is not a handshake message, however, it 03860 * means the peer received our last flight so we can clean up 03861 * handshake info. 03862 * 03863 * This check needs to be done before prepare_handshake() due to an edge 03864 * case: if the client immediately requests renegotiation, this 03865 * finishes the current handshake first, avoiding the new ClientHello 03866 * being mistaken for an ancient message in the current handshake. 03867 */ 03868 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03869 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03870 ssl->handshake != NULL && 03871 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 03872 { 03873 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 03874 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 03875 { 03876 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) ); 03877 03878 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03879 { 03880 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 03881 return( ret ); 03882 } 03883 03884 return( MBEDTLS_ERR_SSL_WANT_READ ); 03885 } 03886 else 03887 { 03888 ssl_handshake_wrapup_free_hs_transform( ssl ); 03889 } 03890 } 03891 #endif 03892 03893 /* 03894 * Handle particular types of records 03895 */ 03896 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 03897 { 03898 if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 ) 03899 return( ret ); 03900 } 03901 03902 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 03903 { 03904 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]", 03905 ssl->in_msg[0], ssl->in_msg[1] ) ); 03906 03907 /* 03908 * Ignore non-fatal alerts, except close_notify and no_renegotiation 03909 */ 03910 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL ) 03911 { 03912 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)", 03913 ssl->in_msg[1] ) ); 03914 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); 03915 } 03916 03917 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 03918 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) 03919 { 03920 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) ); 03921 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ); 03922 } 03923 03924 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED) 03925 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 03926 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) 03927 { 03928 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 03929 /* Will be handled when trying to parse ServerHello */ 03930 return( 0 ); 03931 } 03932 #endif 03933 03934 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C) 03935 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 03936 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 03937 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 03938 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 03939 { 03940 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 03941 /* Will be handled in mbedtls_ssl_parse_certificate() */ 03942 return( 0 ); 03943 } 03944 #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */ 03945 03946 /* Silently ignore: fetch new message */ 03947 goto read_record_header; 03948 } 03949 03950 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) ); 03951 03952 return( 0 ); 03953 } 03954 03955 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ) 03956 { 03957 int ret; 03958 03959 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 03960 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03961 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 ) 03962 { 03963 return( ret ); 03964 } 03965 03966 return( 0 ); 03967 } 03968 03969 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, 03970 unsigned char level, 03971 unsigned char message ) 03972 { 03973 int ret; 03974 03975 if( ssl == NULL || ssl->conf == NULL ) 03976 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03977 03978 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); 03979 03980 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 03981 ssl->out_msglen = 2; 03982 ssl->out_msg[0] = level; 03983 ssl->out_msg[1] = message; 03984 03985 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03986 { 03987 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03988 return( ret ); 03989 } 03990 03991 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) ); 03992 03993 return( 0 ); 03994 } 03995 03996 /* 03997 * Handshake functions 03998 */ 03999 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 04000 !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \ 04001 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 04002 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 04003 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ 04004 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 04005 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 04006 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04007 { 04008 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04009 04010 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04011 04012 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04013 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04014 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04015 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04016 { 04017 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04018 ssl->state++; 04019 return( 0 ); 04020 } 04021 04022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04023 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04024 } 04025 04026 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04027 { 04028 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04029 04030 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04031 04032 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04033 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04034 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04035 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04036 { 04037 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04038 ssl->state++; 04039 return( 0 ); 04040 } 04041 04042 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04043 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04044 } 04045 #else 04046 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04047 { 04048 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04049 size_t i, n; 04050 const mbedtls_x509_crt *crt; 04051 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04052 04053 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04054 04055 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04056 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04057 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04058 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04059 { 04060 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04061 ssl->state++; 04062 return( 0 ); 04063 } 04064 04065 #if defined(MBEDTLS_SSL_CLI_C) 04066 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 04067 { 04068 if( ssl->client_auth == 0 ) 04069 { 04070 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04071 ssl->state++; 04072 return( 0 ); 04073 } 04074 04075 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04076 /* 04077 * If using SSLv3 and got no cert, send an Alert message 04078 * (otherwise an empty Certificate message will be sent). 04079 */ 04080 if( mbedtls_ssl_own_cert( ssl ) == NULL && 04081 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04082 { 04083 ssl->out_msglen = 2; 04084 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 04085 ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING; 04086 ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT; 04087 04088 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) ); 04089 goto write_msg; 04090 } 04091 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04092 } 04093 #endif /* MBEDTLS_SSL_CLI_C */ 04094 #if defined(MBEDTLS_SSL_SRV_C) 04095 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 04096 { 04097 if( mbedtls_ssl_own_cert( ssl ) == NULL ) 04098 { 04099 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); 04100 return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED ); 04101 } 04102 } 04103 #endif 04104 04105 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) ); 04106 04107 /* 04108 * 0 . 0 handshake type 04109 * 1 . 3 handshake length 04110 * 4 . 6 length of all certs 04111 * 7 . 9 length of cert. 1 04112 * 10 . n-1 peer certificate 04113 * n . n+2 length of cert. 2 04114 * n+3 . ... upper level cert, etc. 04115 */ 04116 i = 7; 04117 crt = mbedtls_ssl_own_cert( ssl ); 04118 04119 while( crt != NULL ) 04120 { 04121 n = crt->raw.len; 04122 if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i ) 04123 { 04124 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d", 04125 i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) ); 04126 return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE ); 04127 } 04128 04129 ssl->out_msg[i ] = (unsigned char)( n >> 16 ); 04130 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 ); 04131 ssl->out_msg[i + 2] = (unsigned char)( n ); 04132 04133 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n ); 04134 i += n; crt = crt->next; 04135 } 04136 04137 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 ); 04138 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 ); 04139 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) ); 04140 04141 ssl->out_msglen = i; 04142 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 04143 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; 04144 04145 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C) 04146 write_msg: 04147 #endif 04148 04149 ssl->state++; 04150 04151 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04152 { 04153 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04154 return( ret ); 04155 } 04156 04157 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) ); 04158 04159 return( ret ); 04160 } 04161 04162 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04163 { 04164 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04165 size_t i, n; 04166 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04167 int authmode = ssl->conf->authmode; 04168 04169 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04170 04171 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04172 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04173 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04174 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04175 { 04176 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04177 ssl->state++; 04178 return( 0 ); 04179 } 04180 04181 #if defined(MBEDTLS_SSL_SRV_C) 04182 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04183 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 04184 { 04185 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04186 ssl->state++; 04187 return( 0 ); 04188 } 04189 04190 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04191 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 04192 authmode = ssl->handshake->sni_authmode; 04193 #endif 04194 04195 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04196 authmode == MBEDTLS_SSL_VERIFY_NONE ) 04197 { 04198 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; 04199 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04200 ssl->state++; 04201 return( 0 ); 04202 } 04203 #endif 04204 04205 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04206 { 04207 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04208 return( ret ); 04209 } 04210 04211 ssl->state++; 04212 04213 #if defined(MBEDTLS_SSL_SRV_C) 04214 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04215 /* 04216 * Check if the client sent an empty certificate 04217 */ 04218 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04219 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04220 { 04221 if( ssl->in_msglen == 2 && 04222 ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT && 04223 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04224 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 04225 { 04226 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); 04227 04228 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04229 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04230 return( 0 ); 04231 else 04232 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04233 } 04234 } 04235 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04236 04237 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 04238 defined(MBEDTLS_SSL_PROTO_TLS1_2) 04239 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04240 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 04241 { 04242 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && 04243 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 04244 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && 04245 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) 04246 { 04247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); 04248 04249 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04250 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04251 return( 0 ); 04252 else 04253 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04254 } 04255 } 04256 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 04257 MBEDTLS_SSL_PROTO_TLS1_2 */ 04258 #endif /* MBEDTLS_SSL_SRV_C */ 04259 04260 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 04261 { 04262 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04263 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04264 } 04265 04266 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE || 04267 ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 ) 04268 { 04269 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04270 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04271 } 04272 04273 i = mbedtls_ssl_hs_hdr_len( ssl ); 04274 04275 /* 04276 * Same message structure as in mbedtls_ssl_write_certificate() 04277 */ 04278 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2]; 04279 04280 if( ssl->in_msg[i] != 0 || 04281 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) ) 04282 { 04283 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04284 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04285 } 04286 04287 /* In case we tried to reuse a session but it failed */ 04288 if( ssl->session_negotiate->peer_cert != NULL ) 04289 { 04290 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); 04291 mbedtls_free( ssl->session_negotiate->peer_cert ); 04292 } 04293 04294 if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1, 04295 sizeof( mbedtls_x509_crt ) ) ) == NULL ) 04296 { 04297 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 04298 sizeof( mbedtls_x509_crt ) ) ); 04299 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 04300 } 04301 04302 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); 04303 04304 i += 3; 04305 04306 while( i < ssl->in_hslen ) 04307 { 04308 if( ssl->in_msg[i] != 0 ) 04309 { 04310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04311 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04312 } 04313 04314 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 ) 04315 | (unsigned int) ssl->in_msg[i + 2]; 04316 i += 3; 04317 04318 if( n < 128 || i + n > ssl->in_hslen ) 04319 { 04320 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04321 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04322 } 04323 04324 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert, 04325 ssl->in_msg + i, n ); 04326 if( ret != 0 ) 04327 { 04328 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); 04329 return( ret ); 04330 } 04331 04332 i += n; 04333 } 04334 04335 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); 04336 04337 /* 04338 * On client, make sure the server cert doesn't change during renego to 04339 * avoid "triple handshake" attack: https://secure-resumption.com/ 04340 */ 04341 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 04342 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 04343 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 04344 { 04345 if( ssl->session->peer_cert == NULL ) 04346 { 04347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) ); 04348 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04349 } 04350 04351 if( ssl->session->peer_cert->raw.len != 04352 ssl->session_negotiate->peer_cert->raw.len || 04353 memcmp( ssl->session->peer_cert->raw.p, 04354 ssl->session_negotiate->peer_cert->raw.p, 04355 ssl->session->peer_cert->raw.len ) != 0 ) 04356 { 04357 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) ); 04358 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04359 } 04360 } 04361 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 04362 04363 if( authmode != MBEDTLS_SSL_VERIFY_NONE ) 04364 { 04365 mbedtls_x509_crt *ca_chain; 04366 mbedtls_x509_crl *ca_crl; 04367 04368 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04369 if( ssl->handshake->sni_ca_chain != NULL ) 04370 { 04371 ca_chain = ssl->handshake->sni_ca_chain; 04372 ca_crl = ssl->handshake->sni_ca_crl; 04373 } 04374 else 04375 #endif 04376 { 04377 ca_chain = ssl->conf->ca_chain; 04378 ca_crl = ssl->conf->ca_crl; 04379 } 04380 04381 if( ca_chain == NULL ) 04382 { 04383 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); 04384 return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED ); 04385 } 04386 04387 /* 04388 * Main check: verify certificate 04389 */ 04390 ret = mbedtls_x509_crt_verify_with_profile( 04391 ssl->session_negotiate->peer_cert, 04392 ca_chain, ca_crl, 04393 ssl->conf->cert_profile, 04394 ssl->hostname, 04395 &ssl->session_negotiate->verify_result, 04396 ssl->conf->f_vrfy, ssl->conf->p_vrfy ); 04397 04398 if( ret != 0 ) 04399 { 04400 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); 04401 } 04402 04403 /* 04404 * Secondary checks: always done, but change 'ret' only if it was 0 04405 */ 04406 04407 #if defined(MBEDTLS_ECP_C) 04408 { 04409 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk; 04410 04411 /* If certificate uses an EC key, make sure the curve is OK */ 04412 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && 04413 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp .id ) != 0 ) 04414 { 04415 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); 04416 if( ret == 0 ) 04417 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04418 } 04419 } 04420 #endif /* MBEDTLS_ECP_C */ 04421 04422 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, 04423 ciphersuite_info, 04424 ! ssl->conf->endpoint, 04425 &ssl->session_negotiate->verify_result ) != 0 ) 04426 { 04427 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); 04428 if( ret == 0 ) 04429 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04430 } 04431 04432 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04433 ret = 0; 04434 } 04435 04436 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); 04437 04438 return( ret ); 04439 } 04440 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 04441 !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 04442 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 04443 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 04444 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 04445 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 04446 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 04447 04448 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ) 04449 { 04450 int ret; 04451 04452 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); 04453 04454 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; 04455 ssl->out_msglen = 1; 04456 ssl->out_msg[0] = 1; 04457 04458 ssl->state++; 04459 04460 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04461 { 04462 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04463 return( ret ); 04464 } 04465 04466 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); 04467 04468 return( 0 ); 04469 } 04470 04471 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) 04472 { 04473 int ret; 04474 04475 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) ); 04476 04477 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04478 { 04479 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04480 return( ret ); 04481 } 04482 04483 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) 04484 { 04485 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04486 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04487 } 04488 04489 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 ) 04490 { 04491 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04492 return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); 04493 } 04494 04495 /* 04496 * Switch to our negotiated transform and session parameters for inbound 04497 * data. 04498 */ 04499 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); 04500 ssl->transform_in = ssl->transform_negotiate; 04501 ssl->session_in = ssl->session_negotiate; 04502 04503 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04504 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 04505 { 04506 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 04507 ssl_dtls_replay_reset( ssl ); 04508 #endif 04509 04510 /* Increment epoch */ 04511 if( ++ssl->in_epoch == 0 ) 04512 { 04513 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 04514 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 04515 } 04516 } 04517 else 04518 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 04519 memset( ssl->in_ctr, 0, 8 ); 04520 04521 /* 04522 * Set the in_msg pointer to the correct location based on IV length 04523 */ 04524 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 04525 { 04526 ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen - 04527 ssl->transform_negotiate->fixed_ivlen; 04528 } 04529 else 04530 ssl->in_msg = ssl->in_iv; 04531 04532 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 04533 if( mbedtls_ssl_hw_record_activate != NULL ) 04534 { 04535 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 ) 04536 { 04537 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 04538 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 04539 } 04540 } 04541 #endif 04542 04543 ssl->state++; 04544 04545 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) ); 04546 04547 return( 0 ); 04548 } 04549 04550 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, 04551 const mbedtls_ssl_ciphersuite_t *ciphersuite_info ) 04552 { 04553 ((void) ciphersuite_info); 04554 04555 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04556 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04557 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 04558 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1; 04559 else 04560 #endif 04561 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04562 #if defined(MBEDTLS_SHA512_C) 04563 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 04564 ssl->handshake->update_checksum = ssl_update_checksum_sha384; 04565 else 04566 #endif 04567 #if defined(MBEDTLS_SHA256_C) 04568 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 ) 04569 ssl->handshake->update_checksum = ssl_update_checksum_sha256; 04570 else 04571 #endif 04572 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04573 { 04574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04575 return; 04576 } 04577 } 04578 04579 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) 04580 { 04581 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04582 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04583 mbedtls_md5_starts( &ssl->handshake->fin_md5 ); 04584 mbedtls_sha1_starts( &ssl->handshake->fin_sha1 ); 04585 #endif 04586 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04587 #if defined(MBEDTLS_SHA256_C) 04588 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 ); 04589 #endif 04590 #if defined(MBEDTLS_SHA512_C) 04591 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 ); 04592 #endif 04593 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04594 } 04595 04596 static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, 04597 const unsigned char *buf, size_t len ) 04598 { 04599 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04600 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04601 mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len ); 04602 mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len ); 04603 #endif 04604 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04605 #if defined(MBEDTLS_SHA256_C) 04606 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len ); 04607 #endif 04608 #if defined(MBEDTLS_SHA512_C) 04609 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); 04610 #endif 04611 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04612 } 04613 04614 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04615 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04616 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, 04617 const unsigned char *buf, size_t len ) 04618 { 04619 mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len ); 04620 mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len ); 04621 } 04622 #endif 04623 04624 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04625 #if defined(MBEDTLS_SHA256_C) 04626 static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, 04627 const unsigned char *buf, size_t len ) 04628 { 04629 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len ); 04630 } 04631 #endif 04632 04633 #if defined(MBEDTLS_SHA512_C) 04634 static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, 04635 const unsigned char *buf, size_t len ) 04636 { 04637 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); 04638 } 04639 #endif 04640 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04641 04642 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04643 static void ssl_calc_finished_ssl( 04644 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04645 { 04646 const char *sender; 04647 mbedtls_md5_context md5; 04648 mbedtls_sha1_context sha1; 04649 04650 unsigned char padbuf[48]; 04651 unsigned char md5sum[16]; 04652 unsigned char sha1sum[20]; 04653 04654 mbedtls_ssl_session *session = ssl->session_negotiate; 04655 if( !session ) 04656 session = ssl->session; 04657 04658 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) ); 04659 04660 mbedtls_md5_init( &md5 ); 04661 mbedtls_sha1_init( &sha1 ); 04662 04663 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 04664 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 04665 04666 /* 04667 * SSLv3: 04668 * hash = 04669 * MD5( master + pad2 + 04670 * MD5( handshake + sender + master + pad1 ) ) 04671 * + SHA1( master + pad2 + 04672 * SHA1( handshake + sender + master + pad1 ) ) 04673 */ 04674 04675 #if !defined(MBEDTLS_MD5_ALT) 04676 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 04677 md5.state , sizeof( md5.state ) ); 04678 #endif 04679 04680 #if !defined(MBEDTLS_SHA1_ALT) 04681 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 04682 sha1.state , sizeof( sha1.state ) ); 04683 #endif 04684 04685 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT" 04686 : "SRVR"; 04687 04688 memset( padbuf, 0x36, 48 ); 04689 04690 mbedtls_md5_update( &md5, (const unsigned char *) sender, 4 ); 04691 mbedtls_md5_update( &md5, session->master, 48 ); 04692 mbedtls_md5_update( &md5, padbuf, 48 ); 04693 mbedtls_md5_finish( &md5, md5sum ); 04694 04695 mbedtls_sha1_update( &sha1, (const unsigned char *) sender, 4 ); 04696 mbedtls_sha1_update( &sha1, session->master, 48 ); 04697 mbedtls_sha1_update( &sha1, padbuf, 40 ); 04698 mbedtls_sha1_finish( &sha1, sha1sum ); 04699 04700 memset( padbuf, 0x5C, 48 ); 04701 04702 mbedtls_md5_starts( &md5 ); 04703 mbedtls_md5_update( &md5, session->master, 48 ); 04704 mbedtls_md5_update( &md5, padbuf, 48 ); 04705 mbedtls_md5_update( &md5, md5sum, 16 ); 04706 mbedtls_md5_finish( &md5, buf ); 04707 04708 mbedtls_sha1_starts( &sha1 ); 04709 mbedtls_sha1_update( &sha1, session->master, 48 ); 04710 mbedtls_sha1_update( &sha1, padbuf , 40 ); 04711 mbedtls_sha1_update( &sha1, sha1sum, 20 ); 04712 mbedtls_sha1_finish( &sha1, buf + 16 ); 04713 04714 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 ); 04715 04716 mbedtls_md5_free( &md5 ); 04717 mbedtls_sha1_free( &sha1 ); 04718 04719 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04720 mbedtls_zeroize( md5sum, sizeof( md5sum ) ); 04721 mbedtls_zeroize( sha1sum, sizeof( sha1sum ) ); 04722 04723 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04724 } 04725 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04726 04727 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 04728 static void ssl_calc_finished_tls( 04729 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04730 { 04731 int len = 12; 04732 const char *sender; 04733 mbedtls_md5_context md5; 04734 mbedtls_sha1_context sha1; 04735 unsigned char padbuf[36]; 04736 04737 mbedtls_ssl_session *session = ssl->session_negotiate; 04738 if( !session ) 04739 session = ssl->session; 04740 04741 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) ); 04742 04743 mbedtls_md5_init( &md5 ); 04744 mbedtls_sha1_init( &sha1 ); 04745 04746 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 04747 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 04748 04749 /* 04750 * TLSv1: 04751 * hash = PRF( master, finished_label, 04752 * MD5( handshake ) + SHA1( handshake ) )[0..11] 04753 */ 04754 04755 #if !defined(MBEDTLS_MD5_ALT) 04756 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 04757 md5.state , sizeof( md5.state ) ); 04758 #endif 04759 04760 #if !defined(MBEDTLS_SHA1_ALT) 04761 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 04762 sha1.state , sizeof( sha1.state ) ); 04763 #endif 04764 04765 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 04766 ? "client finished" 04767 : "server finished"; 04768 04769 mbedtls_md5_finish( &md5, padbuf ); 04770 mbedtls_sha1_finish( &sha1, padbuf + 16 ); 04771 04772 ssl->handshake->tls_prf( session->master, 48, sender, 04773 padbuf, 36, buf, len ); 04774 04775 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 04776 04777 mbedtls_md5_free( &md5 ); 04778 mbedtls_sha1_free( &sha1 ); 04779 04780 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04781 04782 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04783 } 04784 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 04785 04786 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04787 #if defined(MBEDTLS_SHA256_C) 04788 static void ssl_calc_finished_tls_sha256( 04789 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04790 { 04791 int len = 12; 04792 const char *sender; 04793 mbedtls_sha256_context sha256; 04794 unsigned char padbuf[32]; 04795 04796 mbedtls_ssl_session *session = ssl->session_negotiate; 04797 if( !session ) 04798 session = ssl->session; 04799 04800 mbedtls_sha256_init( &sha256 ); 04801 04802 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) ); 04803 04804 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 04805 04806 /* 04807 * TLSv1.2: 04808 * hash = PRF( master, finished_label, 04809 * Hash( handshake ) )[0.11] 04810 */ 04811 04812 #if !defined(MBEDTLS_SHA256_ALT) 04813 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *) 04814 sha256.state , sizeof( sha256.state ) ); 04815 #endif 04816 04817 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 04818 ? "client finished" 04819 : "server finished"; 04820 04821 mbedtls_sha256_finish( &sha256, padbuf ); 04822 04823 ssl->handshake->tls_prf( session->master, 48, sender, 04824 padbuf, 32, buf, len ); 04825 04826 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 04827 04828 mbedtls_sha256_free( &sha256 ); 04829 04830 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04831 04832 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04833 } 04834 #endif /* MBEDTLS_SHA256_C */ 04835 04836 #if defined(MBEDTLS_SHA512_C) 04837 static void ssl_calc_finished_tls_sha384( 04838 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04839 { 04840 int len = 12; 04841 const char *sender; 04842 mbedtls_sha512_context sha512; 04843 unsigned char padbuf[48]; 04844 04845 mbedtls_ssl_session *session = ssl->session_negotiate; 04846 if( !session ) 04847 session = ssl->session; 04848 04849 mbedtls_sha512_init( &sha512 ); 04850 04851 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) ); 04852 04853 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 04854 04855 /* 04856 * TLSv1.2: 04857 * hash = PRF( master, finished_label, 04858 * Hash( handshake ) )[0.11] 04859 */ 04860 04861 #if !defined(MBEDTLS_SHA512_ALT) 04862 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *) 04863 sha512.state , sizeof( sha512.state ) ); 04864 #endif 04865 04866 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 04867 ? "client finished" 04868 : "server finished"; 04869 04870 mbedtls_sha512_finish( &sha512, padbuf ); 04871 04872 ssl->handshake->tls_prf( session->master, 48, sender, 04873 padbuf, 48, buf, len ); 04874 04875 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 04876 04877 mbedtls_sha512_free( &sha512 ); 04878 04879 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04880 04881 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04882 } 04883 #endif /* MBEDTLS_SHA512_C */ 04884 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04885 04886 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) 04887 { 04888 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) ); 04889 04890 /* 04891 * Free our handshake params 04892 */ 04893 mbedtls_ssl_handshake_free( ssl->handshake ); 04894 mbedtls_free( ssl->handshake ); 04895 ssl->handshake = NULL; 04896 04897 /* 04898 * Free the previous transform and swith in the current one 04899 */ 04900 if( ssl->transform ) 04901 { 04902 mbedtls_ssl_transform_free( ssl->transform ); 04903 mbedtls_free( ssl->transform ); 04904 } 04905 ssl->transform = ssl->transform_negotiate; 04906 ssl->transform_negotiate = NULL; 04907 04908 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) ); 04909 } 04910 04911 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) 04912 { 04913 int resume = ssl->handshake->resume; 04914 04915 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); 04916 04917 #if defined(MBEDTLS_SSL_RENEGOTIATION) 04918 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 04919 { 04920 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; 04921 ssl->renego_records_seen = 0; 04922 } 04923 #endif 04924 04925 /* 04926 * Free the previous session and switch in the current one 04927 */ 04928 if( ssl->session ) 04929 { 04930 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 04931 /* RFC 7366 3.1: keep the EtM state */ 04932 ssl->session_negotiate->encrypt_then_mac = 04933 ssl->session->encrypt_then_mac; 04934 #endif 04935 04936 mbedtls_ssl_session_free( ssl->session ); 04937 mbedtls_free( ssl->session ); 04938 } 04939 ssl->session = ssl->session_negotiate; 04940 ssl->session_negotiate = NULL; 04941 04942 /* 04943 * Add cache entry 04944 */ 04945 if( ssl->conf->f_set_cache != NULL && 04946 ssl->session->id_len != 0 && 04947 resume == 0 ) 04948 { 04949 if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 ) 04950 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); 04951 } 04952 04953 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04954 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 04955 ssl->handshake->flight != NULL ) 04956 { 04957 /* Cancel handshake timer */ 04958 ssl_set_timer( ssl, 0 ); 04959 04960 /* Keep last flight around in case we need to resend it: 04961 * we need the handshake and transform structures for that */ 04962 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) ); 04963 } 04964 else 04965 #endif 04966 ssl_handshake_wrapup_free_hs_transform( ssl ); 04967 04968 ssl->state++; 04969 04970 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); 04971 } 04972 04973 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) 04974 { 04975 int ret, hash_len; 04976 04977 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) ); 04978 04979 /* 04980 * Set the out_msg pointer to the correct location based on IV length 04981 */ 04982 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 04983 { 04984 ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen - 04985 ssl->transform_negotiate->fixed_ivlen; 04986 } 04987 else 04988 ssl->out_msg = ssl->out_iv; 04989 04990 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint ); 04991 04992 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63) 04993 hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12; 04994 04995 #if defined(MBEDTLS_SSL_RENEGOTIATION) 04996 ssl->verify_data_len = hash_len; 04997 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len ); 04998 #endif 04999 05000 ssl->out_msglen = 4 + hash_len; 05001 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 05002 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; 05003 05004 /* 05005 * In case of session resuming, invert the client and server 05006 * ChangeCipherSpec messages order. 05007 */ 05008 if( ssl->handshake->resume != 0 ) 05009 { 05010 #if defined(MBEDTLS_SSL_CLI_C) 05011 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05012 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05013 #endif 05014 #if defined(MBEDTLS_SSL_SRV_C) 05015 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05016 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05017 #endif 05018 } 05019 else 05020 ssl->state++; 05021 05022 /* 05023 * Switch to our negotiated transform and session parameters for outbound 05024 * data. 05025 */ 05026 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); 05027 05028 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05029 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05030 { 05031 unsigned char i; 05032 05033 /* Remember current epoch settings for resending */ 05034 ssl->handshake->alt_transform_out = ssl->transform_out; 05035 memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 ); 05036 05037 /* Set sequence_number to zero */ 05038 memset( ssl->out_ctr + 2, 0, 6 ); 05039 05040 /* Increment epoch */ 05041 for( i = 2; i > 0; i-- ) 05042 if( ++ssl->out_ctr[i - 1] != 0 ) 05043 break; 05044 05045 /* The loop goes to its end iff the counter is wrapping */ 05046 if( i == 0 ) 05047 { 05048 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 05049 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 05050 } 05051 } 05052 else 05053 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 05054 memset( ssl->out_ctr, 0, 8 ); 05055 05056 ssl->transform_out = ssl->transform_negotiate; 05057 ssl->session_out = ssl->session_negotiate; 05058 05059 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05060 if( mbedtls_ssl_hw_record_activate != NULL ) 05061 { 05062 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 05063 { 05064 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 05065 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05066 } 05067 } 05068 #endif 05069 05070 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05071 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05072 mbedtls_ssl_send_flight_completed( ssl ); 05073 #endif 05074 05075 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 05076 { 05077 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 05078 return( ret ); 05079 } 05080 05081 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) ); 05082 05083 return( 0 ); 05084 } 05085 05086 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05087 #define SSL_MAX_HASH_LEN 36 05088 #else 05089 #define SSL_MAX_HASH_LEN 12 05090 #endif 05091 05092 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) 05093 { 05094 int ret; 05095 unsigned int hash_len; 05096 unsigned char buf[SSL_MAX_HASH_LEN]; 05097 05098 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); 05099 05100 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 ); 05101 05102 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 05103 { 05104 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 05105 return( ret ); 05106 } 05107 05108 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 05109 { 05110 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05111 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 05112 } 05113 05114 /* There is currently no ciphersuite using another length with TLS 1.2 */ 05115 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05116 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 05117 hash_len = 36; 05118 else 05119 #endif 05120 hash_len = 12; 05121 05122 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED || 05123 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len ) 05124 { 05125 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05126 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05127 } 05128 05129 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), 05130 buf, hash_len ) != 0 ) 05131 { 05132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05133 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05134 } 05135 05136 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05137 ssl->verify_data_len = hash_len; 05138 memcpy( ssl->peer_verify_data, buf, hash_len ); 05139 #endif 05140 05141 if( ssl->handshake->resume != 0 ) 05142 { 05143 #if defined(MBEDTLS_SSL_CLI_C) 05144 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05145 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05146 #endif 05147 #if defined(MBEDTLS_SSL_SRV_C) 05148 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05149 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05150 #endif 05151 } 05152 else 05153 ssl->state++; 05154 05155 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05156 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05157 mbedtls_ssl_recv_flight_completed( ssl ); 05158 #endif 05159 05160 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) ); 05161 05162 return( 0 ); 05163 } 05164 05165 static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) 05166 { 05167 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); 05168 05169 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 05170 defined(MBEDTLS_SSL_PROTO_TLS1_1) 05171 mbedtls_md5_init( &handshake->fin_md5 ); 05172 mbedtls_sha1_init( &handshake->fin_sha1 ); 05173 mbedtls_md5_starts( &handshake->fin_md5 ); 05174 mbedtls_sha1_starts( &handshake->fin_sha1 ); 05175 #endif 05176 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 05177 #if defined(MBEDTLS_SHA256_C) 05178 mbedtls_sha256_init( &handshake->fin_sha256 ); 05179 mbedtls_sha256_starts( &handshake->fin_sha256, 0 ); 05180 #endif 05181 #if defined(MBEDTLS_SHA512_C) 05182 mbedtls_sha512_init( &handshake->fin_sha512 ); 05183 mbedtls_sha512_starts( &handshake->fin_sha512, 1 ); 05184 #endif 05185 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 05186 05187 handshake->update_checksum = ssl_update_checksum_start; 05188 handshake->sig_alg = MBEDTLS_SSL_HASH_SHA1; 05189 05190 #if defined(MBEDTLS_DHM_C) 05191 mbedtls_dhm_init( &handshake->dhm_ctx ); 05192 #endif 05193 #if defined(MBEDTLS_ECDH_C) 05194 mbedtls_ecdh_init( &handshake->ecdh_ctx ); 05195 #endif 05196 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 05197 mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); 05198 #if defined(MBEDTLS_SSL_CLI_C) 05199 handshake->ecjpake_cache = NULL; 05200 handshake->ecjpake_cache_len = 0; 05201 #endif 05202 #endif 05203 05204 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05205 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; 05206 #endif 05207 } 05208 05209 static void ssl_transform_init( mbedtls_ssl_transform *transform ) 05210 { 05211 memset( transform, 0, sizeof(mbedtls_ssl_transform) ); 05212 05213 mbedtls_cipher_init( &transform->cipher_ctx_enc ); 05214 mbedtls_cipher_init( &transform->cipher_ctx_dec ); 05215 05216 mbedtls_md_init( &transform->md_ctx_enc ); 05217 mbedtls_md_init( &transform->md_ctx_dec ); 05218 } 05219 05220 void mbedtls_ssl_session_init( mbedtls_ssl_session *session ) 05221 { 05222 memset( session, 0, sizeof(mbedtls_ssl_session) ); 05223 } 05224 05225 static int ssl_handshake_init( mbedtls_ssl_context *ssl ) 05226 { 05227 /* Clear old handshake information if present */ 05228 if( ssl->transform_negotiate ) 05229 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 05230 if( ssl->session_negotiate ) 05231 mbedtls_ssl_session_free( ssl->session_negotiate ); 05232 if( ssl->handshake ) 05233 mbedtls_ssl_handshake_free( ssl->handshake ); 05234 05235 /* 05236 * Either the pointers are now NULL or cleared properly and can be freed. 05237 * Now allocate missing structures. 05238 */ 05239 if( ssl->transform_negotiate == NULL ) 05240 { 05241 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) ); 05242 } 05243 05244 if( ssl->session_negotiate == NULL ) 05245 { 05246 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) ); 05247 } 05248 05249 if( ssl->handshake == NULL ) 05250 { 05251 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) ); 05252 } 05253 05254 /* All pointers should exist and can be directly freed without issue */ 05255 if( ssl->handshake == NULL || 05256 ssl->transform_negotiate == NULL || 05257 ssl->session_negotiate == NULL ) 05258 { 05259 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) ); 05260 05261 mbedtls_free( ssl->handshake ); 05262 mbedtls_free( ssl->transform_negotiate ); 05263 mbedtls_free( ssl->session_negotiate ); 05264 05265 ssl->handshake = NULL; 05266 ssl->transform_negotiate = NULL; 05267 ssl->session_negotiate = NULL; 05268 05269 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05270 } 05271 05272 /* Initialize structures */ 05273 mbedtls_ssl_session_init( ssl->session_negotiate ); 05274 ssl_transform_init( ssl->transform_negotiate ); 05275 ssl_handshake_params_init( ssl->handshake ); 05276 05277 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05278 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05279 { 05280 ssl->handshake->alt_transform_out = ssl->transform_out; 05281 05282 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05283 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 05284 else 05285 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 05286 05287 ssl_set_timer( ssl, 0 ); 05288 } 05289 #endif 05290 05291 return( 0 ); 05292 } 05293 05294 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05295 /* Dummy cookie callbacks for defaults */ 05296 static int ssl_cookie_write_dummy( void *ctx, 05297 unsigned char **p, unsigned char *end, 05298 const unsigned char *cli_id, size_t cli_id_len ) 05299 { 05300 ((void) ctx); 05301 ((void) p); 05302 ((void) end); 05303 ((void) cli_id); 05304 ((void) cli_id_len); 05305 05306 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05307 } 05308 05309 static int ssl_cookie_check_dummy( void *ctx, 05310 const unsigned char *cookie, size_t cookie_len, 05311 const unsigned char *cli_id, size_t cli_id_len ) 05312 { 05313 ((void) ctx); 05314 ((void) cookie); 05315 ((void) cookie_len); 05316 ((void) cli_id); 05317 ((void) cli_id_len); 05318 05319 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05320 } 05321 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 05322 05323 /* 05324 * Initialize an SSL context 05325 */ 05326 void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) 05327 { 05328 memset( ssl, 0, sizeof( mbedtls_ssl_context ) ); 05329 } 05330 05331 /* 05332 * Setup an SSL context 05333 */ 05334 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, 05335 const mbedtls_ssl_config *conf ) 05336 { 05337 int ret; 05338 const size_t len = MBEDTLS_SSL_BUFFER_LEN; 05339 05340 ssl->conf = conf; 05341 05342 /* 05343 * Prepare base structures 05344 */ 05345 if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL || 05346 ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL ) 05347 { 05348 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) ); 05349 mbedtls_free( ssl->in_buf ); 05350 ssl->in_buf = NULL; 05351 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05352 } 05353 05354 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05355 if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05356 { 05357 ssl->out_hdr = ssl->out_buf; 05358 ssl->out_ctr = ssl->out_buf + 3; 05359 ssl->out_len = ssl->out_buf + 11; 05360 ssl->out_iv = ssl->out_buf + 13; 05361 ssl->out_msg = ssl->out_buf + 13; 05362 05363 ssl->in_hdr = ssl->in_buf; 05364 ssl->in_ctr = ssl->in_buf + 3; 05365 ssl->in_len = ssl->in_buf + 11; 05366 ssl->in_iv = ssl->in_buf + 13; 05367 ssl->in_msg = ssl->in_buf + 13; 05368 } 05369 else 05370 #endif 05371 { 05372 ssl->out_ctr = ssl->out_buf; 05373 ssl->out_hdr = ssl->out_buf + 8; 05374 ssl->out_len = ssl->out_buf + 11; 05375 ssl->out_iv = ssl->out_buf + 13; 05376 ssl->out_msg = ssl->out_buf + 13; 05377 05378 ssl->in_ctr = ssl->in_buf; 05379 ssl->in_hdr = ssl->in_buf + 8; 05380 ssl->in_len = ssl->in_buf + 11; 05381 ssl->in_iv = ssl->in_buf + 13; 05382 ssl->in_msg = ssl->in_buf + 13; 05383 } 05384 05385 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05386 return( ret ); 05387 05388 return( 0 ); 05389 } 05390 05391 /* 05392 * Reset an initialized and used SSL context for re-use while retaining 05393 * all application-set variables, function pointers and data. 05394 * 05395 * If partial is non-zero, keep data in the input buffer and client ID. 05396 * (Use when a DTLS client reconnects from the same port.) 05397 */ 05398 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) 05399 { 05400 int ret; 05401 05402 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 05403 05404 /* Cancel any possibly running timer */ 05405 ssl_set_timer( ssl, 0 ); 05406 05407 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05408 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE; 05409 ssl->renego_records_seen = 0; 05410 05411 ssl->verify_data_len = 0; 05412 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05413 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05414 #endif 05415 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION; 05416 05417 ssl->in_offt = NULL; 05418 05419 ssl->in_msg = ssl->in_buf + 13; 05420 ssl->in_msgtype = 0; 05421 ssl->in_msglen = 0; 05422 if( partial == 0 ) 05423 ssl->in_left = 0; 05424 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05425 ssl->next_record_offset = 0; 05426 ssl->in_epoch = 0; 05427 #endif 05428 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05429 ssl_dtls_replay_reset( ssl ); 05430 #endif 05431 05432 ssl->in_hslen = 0; 05433 ssl->nb_zero = 0; 05434 ssl->record_read = 0; 05435 05436 ssl->out_msg = ssl->out_buf + 13; 05437 ssl->out_msgtype = 0; 05438 ssl->out_msglen = 0; 05439 ssl->out_left = 0; 05440 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 05441 if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ) 05442 ssl->split_done = 0; 05443 #endif 05444 05445 ssl->transform_in = NULL; 05446 ssl->transform_out = NULL; 05447 05448 memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05449 if( partial == 0 ) 05450 memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05451 05452 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05453 if( mbedtls_ssl_hw_record_reset != NULL ) 05454 { 05455 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) ); 05456 if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 ) 05457 { 05458 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret ); 05459 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05460 } 05461 } 05462 #endif 05463 05464 if( ssl->transform ) 05465 { 05466 mbedtls_ssl_transform_free( ssl->transform ); 05467 mbedtls_free( ssl->transform ); 05468 ssl->transform = NULL; 05469 } 05470 05471 if( ssl->session ) 05472 { 05473 mbedtls_ssl_session_free( ssl->session ); 05474 mbedtls_free( ssl->session ); 05475 ssl->session = NULL; 05476 } 05477 05478 #if defined(MBEDTLS_SSL_ALPN) 05479 ssl->alpn_chosen = NULL; 05480 #endif 05481 05482 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05483 if( partial == 0 ) 05484 { 05485 mbedtls_free( ssl->cli_id ); 05486 ssl->cli_id = NULL; 05487 ssl->cli_id_len = 0; 05488 } 05489 #endif 05490 05491 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05492 return( ret ); 05493 05494 return( 0 ); 05495 } 05496 05497 /* 05498 * Reset an initialized and used SSL context for re-use while retaining 05499 * all application-set variables, function pointers and data. 05500 */ 05501 int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ) 05502 { 05503 return( ssl_session_reset_int( ssl, 0 ) ); 05504 } 05505 05506 /* 05507 * SSL set accessors 05508 */ 05509 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ) 05510 { 05511 conf->endpoint = endpoint; 05512 } 05513 05514 void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ) 05515 { 05516 conf->transport = transport; 05517 } 05518 05519 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05520 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ) 05521 { 05522 conf->anti_replay = mode; 05523 } 05524 #endif 05525 05526 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 05527 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ) 05528 { 05529 conf->badmac_limit = limit; 05530 } 05531 #endif 05532 05533 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05534 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ) 05535 { 05536 conf->hs_timeout_min = min; 05537 conf->hs_timeout_max = max; 05538 } 05539 #endif 05540 05541 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) 05542 { 05543 conf->authmode = authmode; 05544 } 05545 05546 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05547 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, 05548 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 05549 void *p_vrfy ) 05550 { 05551 conf->f_vrfy = f_vrfy; 05552 conf->p_vrfy = p_vrfy; 05553 } 05554 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 05555 05556 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, 05557 int (*f_rng)(void *, unsigned char *, size_t), 05558 void *p_rng ) 05559 { 05560 conf->f_rng = f_rng; 05561 conf->p_rng = p_rng; 05562 } 05563 05564 void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf, 05565 void (*f_dbg)(void *, int, const char *, int, const char *), 05566 void *p_dbg ) 05567 { 05568 conf->f_dbg = f_dbg; 05569 conf->p_dbg = p_dbg; 05570 } 05571 05572 void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, 05573 void *p_bio, 05574 int (*f_send)(void *, const unsigned char *, size_t), 05575 int (*f_recv)(void *, unsigned char *, size_t), 05576 int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t) ) 05577 { 05578 ssl->p_bio = p_bio; 05579 ssl->f_send = f_send; 05580 ssl->f_recv = f_recv; 05581 ssl->f_recv_timeout = f_recv_timeout; 05582 } 05583 05584 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ) 05585 { 05586 conf->read_timeout = timeout; 05587 } 05588 05589 void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, 05590 void *p_timer, 05591 void (*f_set_timer)(void *, uint32_t int_ms, uint32_t fin_ms), 05592 int (*f_get_timer)(void *) ) 05593 { 05594 ssl->p_timer = p_timer; 05595 ssl->f_set_timer = f_set_timer; 05596 ssl->f_get_timer = f_get_timer; 05597 05598 /* Make sure we start with no timer running */ 05599 ssl_set_timer( ssl, 0 ); 05600 } 05601 05602 #if defined(MBEDTLS_SSL_SRV_C) 05603 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, 05604 void *p_cache, 05605 int (*f_get_cache)(void *, mbedtls_ssl_session *), 05606 int (*f_set_cache)(void *, const mbedtls_ssl_session *) ) 05607 { 05608 conf->p_cache = p_cache; 05609 conf->f_get_cache = f_get_cache; 05610 conf->f_set_cache = f_set_cache; 05611 } 05612 #endif /* MBEDTLS_SSL_SRV_C */ 05613 05614 #if defined(MBEDTLS_SSL_CLI_C) 05615 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ) 05616 { 05617 int ret; 05618 05619 if( ssl == NULL || 05620 session == NULL || 05621 ssl->session_negotiate == NULL || 05622 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 05623 { 05624 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05625 } 05626 05627 if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 ) 05628 return( ret ); 05629 05630 ssl->handshake->resume = 1; 05631 05632 return( 0 ); 05633 } 05634 #endif /* MBEDTLS_SSL_CLI_C */ 05635 05636 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, 05637 const int *ciphersuites ) 05638 { 05639 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; 05640 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; 05641 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; 05642 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; 05643 } 05644 05645 void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, 05646 const int *ciphersuites, 05647 int major, int minor ) 05648 { 05649 if( major != MBEDTLS_SSL_MAJOR_VERSION_3 ) 05650 return; 05651 05652 if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 ) 05653 return; 05654 05655 conf->ciphersuite_list [minor] = ciphersuites; 05656 } 05657 05658 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05659 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf, 05660 const mbedtls_x509_crt_profile *profile ) 05661 { 05662 conf->cert_profile = profile; 05663 } 05664 05665 /* Append a new keycert entry to a (possibly empty) list */ 05666 static int ssl_append_key_cert( mbedtls_ssl_key_cert **head, 05667 mbedtls_x509_crt *cert, 05668 mbedtls_pk_context *key ) 05669 { 05670 mbedtls_ssl_key_cert *new; 05671 05672 new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) ); 05673 if( new == NULL ) 05674 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05675 05676 new->cert = cert; 05677 new->key = key; 05678 new->next = NULL; 05679 05680 /* Update head is the list was null, else add to the end */ 05681 if( *head == NULL ) 05682 { 05683 *head = new; 05684 } 05685 else 05686 { 05687 mbedtls_ssl_key_cert *cur = *head; 05688 while( cur->next != NULL ) 05689 cur = cur->next; 05690 cur->next = new; 05691 } 05692 05693 return( 0 ); 05694 } 05695 05696 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, 05697 mbedtls_x509_crt *own_cert, 05698 mbedtls_pk_context *pk_key ) 05699 { 05700 return( ssl_append_key_cert( &conf->key_cert , own_cert, pk_key ) ); 05701 } 05702 05703 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf, 05704 mbedtls_x509_crt *ca_chain, 05705 mbedtls_x509_crl *ca_crl ) 05706 { 05707 conf->ca_chain = ca_chain; 05708 conf->ca_crl = ca_crl; 05709 } 05710 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 05711 05712 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05713 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, 05714 mbedtls_x509_crt *own_cert, 05715 mbedtls_pk_context *pk_key ) 05716 { 05717 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert, 05718 own_cert, pk_key ) ); 05719 } 05720 05721 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl, 05722 mbedtls_x509_crt *ca_chain, 05723 mbedtls_x509_crl *ca_crl ) 05724 { 05725 ssl->handshake->sni_ca_chain = ca_chain; 05726 ssl->handshake->sni_ca_crl = ca_crl; 05727 } 05728 05729 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl, 05730 int authmode ) 05731 { 05732 ssl->handshake->sni_authmode = authmode; 05733 } 05734 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 05735 05736 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 05737 /* 05738 * Set EC J-PAKE password for current handshake 05739 */ 05740 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, 05741 const unsigned char *pw, 05742 size_t pw_len ) 05743 { 05744 mbedtls_ecjpake_role role; 05745 05746 if( ssl->handshake == NULL && ssl->conf == NULL ) 05747 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05748 05749 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05750 role = MBEDTLS_ECJPAKE_SERVER; 05751 else 05752 role = MBEDTLS_ECJPAKE_CLIENT; 05753 05754 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx, 05755 role, 05756 MBEDTLS_MD_SHA256, 05757 MBEDTLS_ECP_DP_SECP256R1 , 05758 pw, pw_len ) ); 05759 } 05760 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 05761 05762 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 05763 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, 05764 const unsigned char *psk, size_t psk_len, 05765 const unsigned char *psk_identity, size_t psk_identity_len ) 05766 { 05767 if( psk == NULL || psk_identity == NULL ) 05768 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05769 05770 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 05771 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05772 05773 /* Identity len will be encoded on two bytes */ 05774 if( ( psk_identity_len >> 16 ) != 0 || 05775 psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) 05776 { 05777 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05778 } 05779 05780 if( conf->psk != NULL || conf->psk_identity != NULL ) 05781 { 05782 mbedtls_free( conf->psk ); 05783 mbedtls_free( conf->psk_identity ); 05784 conf->psk = NULL; 05785 conf->psk_identity = NULL; 05786 } 05787 05788 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL || 05789 ( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL ) 05790 { 05791 mbedtls_free( conf->psk ); 05792 mbedtls_free( conf->psk_identity ); 05793 conf->psk = NULL; 05794 conf->psk_identity = NULL; 05795 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05796 } 05797 05798 conf->psk_len = psk_len; 05799 conf->psk_identity_len = psk_identity_len; 05800 05801 memcpy( conf->psk , psk, conf->psk_len ); 05802 memcpy( conf->psk_identity , psk_identity, conf->psk_identity_len ); 05803 05804 return( 0 ); 05805 } 05806 05807 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, 05808 const unsigned char *psk, size_t psk_len ) 05809 { 05810 if( psk == NULL || ssl->handshake == NULL ) 05811 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05812 05813 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 05814 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05815 05816 if( ssl->handshake->psk != NULL ) 05817 mbedtls_free( ssl->handshake->psk ); 05818 05819 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) 05820 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05821 05822 ssl->handshake->psk_len = psk_len; 05823 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len ); 05824 05825 return( 0 ); 05826 } 05827 05828 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, 05829 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, 05830 size_t), 05831 void *p_psk ) 05832 { 05833 conf->f_psk = f_psk; 05834 conf->p_psk = p_psk; 05835 } 05836 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 05837 05838 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 05839 int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ) 05840 { 05841 int ret; 05842 05843 if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P , 16, dhm_P ) ) != 0 || 05844 ( ret = mbedtls_mpi_read_string( &conf->dhm_G , 16, dhm_G ) ) != 0 ) 05845 { 05846 mbedtls_mpi_free( &conf->dhm_P ); 05847 mbedtls_mpi_free( &conf->dhm_G ); 05848 return( ret ); 05849 } 05850 05851 return( 0 ); 05852 } 05853 05854 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) 05855 { 05856 int ret; 05857 05858 if( ( ret = mbedtls_mpi_copy( &conf->dhm_P , &dhm_ctx->P ) ) != 0 || 05859 ( ret = mbedtls_mpi_copy( &conf->dhm_G , &dhm_ctx->G ) ) != 0 ) 05860 { 05861 mbedtls_mpi_free( &conf->dhm_P ); 05862 mbedtls_mpi_free( &conf->dhm_G ); 05863 return( ret ); 05864 } 05865 05866 return( 0 ); 05867 } 05868 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */ 05869 05870 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 05871 /* 05872 * Set the minimum length for Diffie-Hellman parameters 05873 */ 05874 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, 05875 unsigned int bitlen ) 05876 { 05877 conf->dhm_min_bitlen = bitlen; 05878 } 05879 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ 05880 05881 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 05882 /* 05883 * Set allowed/preferred hashes for handshake signatures 05884 */ 05885 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, 05886 const int *hashes ) 05887 { 05888 conf->sig_hashes = hashes; 05889 } 05890 #endif 05891 05892 #if defined(MBEDTLS_ECP_C) 05893 /* 05894 * Set the allowed elliptic curves 05895 */ 05896 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, 05897 const mbedtls_ecp_group_id *curve_list ) 05898 { 05899 conf->curve_list = curve_list; 05900 } 05901 #endif 05902 05903 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05904 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) 05905 { 05906 size_t hostname_len; 05907 05908 if( hostname == NULL ) 05909 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05910 05911 hostname_len = strlen( hostname ); 05912 05913 if( hostname_len + 1 == 0 ) 05914 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05915 05916 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN ) 05917 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05918 05919 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 ); 05920 05921 if( ssl->hostname == NULL ) 05922 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05923 05924 memcpy( ssl->hostname, hostname, hostname_len ); 05925 05926 ssl->hostname[hostname_len] = '\0'; 05927 05928 return( 0 ); 05929 } 05930 #endif 05931 05932 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05933 void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, 05934 int (*f_sni)(void *, mbedtls_ssl_context *, 05935 const unsigned char *, size_t), 05936 void *p_sni ) 05937 { 05938 conf->f_sni = f_sni; 05939 conf->p_sni = p_sni; 05940 } 05941 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 05942 05943 #if defined(MBEDTLS_SSL_ALPN) 05944 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ) 05945 { 05946 size_t cur_len, tot_len; 05947 const char **p; 05948 05949 /* 05950 * "Empty strings MUST NOT be included and byte strings MUST NOT be 05951 * truncated". Check lengths now rather than later. 05952 */ 05953 tot_len = 0; 05954 for( p = protos; *p != NULL; p++ ) 05955 { 05956 cur_len = strlen( *p ); 05957 tot_len += cur_len; 05958 05959 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 ) 05960 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05961 } 05962 05963 conf->alpn_list = protos; 05964 05965 return( 0 ); 05966 } 05967 05968 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ) 05969 { 05970 return( ssl->alpn_chosen ); 05971 } 05972 #endif /* MBEDTLS_SSL_ALPN */ 05973 05974 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ) 05975 { 05976 conf->max_major_ver = major; 05977 conf->max_minor_ver = minor; 05978 } 05979 05980 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ) 05981 { 05982 conf->min_major_ver = major; 05983 conf->min_minor_ver = minor; 05984 } 05985 05986 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) 05987 void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ) 05988 { 05989 conf->fallback = fallback; 05990 } 05991 #endif 05992 05993 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 05994 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ) 05995 { 05996 conf->encrypt_then_mac = etm; 05997 } 05998 #endif 05999 06000 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 06001 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems ) 06002 { 06003 conf->extended_ms = ems; 06004 } 06005 #endif 06006 06007 #if defined(MBEDTLS_ARC4_C) 06008 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ) 06009 { 06010 conf->arc4_disabled = arc4; 06011 } 06012 #endif 06013 06014 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06015 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ) 06016 { 06017 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || 06018 mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN ) 06019 { 06020 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06021 } 06022 06023 conf->mfl_code = mfl_code; 06024 06025 return( 0 ); 06026 } 06027 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06028 06029 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 06030 void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) 06031 { 06032 conf->trunc_hmac = truncate; 06033 } 06034 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 06035 06036 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06037 void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ) 06038 { 06039 conf->cbc_record_splitting = split; 06040 } 06041 #endif 06042 06043 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) 06044 { 06045 conf->allow_legacy_renegotiation = allow_legacy; 06046 } 06047 06048 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06049 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation ) 06050 { 06051 conf->disable_renegotiation = renegotiation; 06052 } 06053 06054 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ) 06055 { 06056 conf->renego_max_records = max_records; 06057 } 06058 06059 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf, 06060 const unsigned char period[8] ) 06061 { 06062 memcpy( conf->renego_period , period, 8 ); 06063 } 06064 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06065 06066 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 06067 #if defined(MBEDTLS_SSL_CLI_C) 06068 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) 06069 { 06070 conf->session_tickets = use_tickets; 06071 } 06072 #endif 06073 06074 #if defined(MBEDTLS_SSL_SRV_C) 06075 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, 06076 mbedtls_ssl_ticket_write_t *f_ticket_write, 06077 mbedtls_ssl_ticket_parse_t *f_ticket_parse, 06078 void *p_ticket ) 06079 { 06080 conf->f_ticket_write = f_ticket_write; 06081 conf->f_ticket_parse = f_ticket_parse; 06082 conf->p_ticket = p_ticket; 06083 } 06084 #endif 06085 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 06086 06087 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 06088 void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, 06089 mbedtls_ssl_export_keys_t *f_export_keys, 06090 void *p_export_keys ) 06091 { 06092 conf->f_export_keys = f_export_keys; 06093 conf->p_export_keys = p_export_keys; 06094 } 06095 #endif 06096 06097 /* 06098 * SSL get accessors 06099 */ 06100 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ) 06101 { 06102 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); 06103 } 06104 06105 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl ) 06106 { 06107 if( ssl->session != NULL ) 06108 return( ssl->session->verify_result ); 06109 06110 if( ssl->session_negotiate != NULL ) 06111 return( ssl->session_negotiate->verify_result ); 06112 06113 return( 0xFFFFFFFF ); 06114 } 06115 06116 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl ) 06117 { 06118 if( ssl == NULL || ssl->session == NULL ) 06119 return( NULL ); 06120 06121 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite ); 06122 } 06123 06124 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) 06125 { 06126 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06127 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06128 { 06129 switch( ssl->minor_ver ) 06130 { 06131 case MBEDTLS_SSL_MINOR_VERSION_2: 06132 return( "DTLSv1.0" ); 06133 06134 case MBEDTLS_SSL_MINOR_VERSION_3: 06135 return( "DTLSv1.2" ); 06136 06137 default: 06138 return( "unknown (DTLS)" ); 06139 } 06140 } 06141 #endif 06142 06143 switch( ssl->minor_ver ) 06144 { 06145 case MBEDTLS_SSL_MINOR_VERSION_0: 06146 return( "SSLv3.0" ); 06147 06148 case MBEDTLS_SSL_MINOR_VERSION_1: 06149 return( "TLSv1.0" ); 06150 06151 case MBEDTLS_SSL_MINOR_VERSION_2: 06152 return( "TLSv1.1" ); 06153 06154 case MBEDTLS_SSL_MINOR_VERSION_3: 06155 return( "TLSv1.2" ); 06156 06157 default: 06158 return( "unknown" ); 06159 } 06160 } 06161 06162 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) 06163 { 06164 size_t transform_expansion; 06165 const mbedtls_ssl_transform *transform = ssl->transform_out; 06166 06167 #if defined(MBEDTLS_ZLIB_SUPPORT) 06168 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL ) 06169 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 06170 #endif 06171 06172 if( transform == NULL ) 06173 return( (int) mbedtls_ssl_hdr_len( ssl ) ); 06174 06175 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) ) 06176 { 06177 case MBEDTLS_MODE_GCM: 06178 case MBEDTLS_MODE_CCM: 06179 case MBEDTLS_MODE_STREAM: 06180 transform_expansion = transform->minlen; 06181 break; 06182 06183 case MBEDTLS_MODE_CBC: 06184 transform_expansion = transform->maclen 06185 + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc ); 06186 break; 06187 06188 default: 06189 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 06190 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 06191 } 06192 06193 return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) ); 06194 } 06195 06196 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06197 size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ) 06198 { 06199 size_t max_len; 06200 06201 /* 06202 * Assume mfl_code is correct since it was checked when set 06203 */ 06204 max_len = mfl_code_to_length[ssl->conf->mfl_code]; 06205 06206 /* 06207 * Check if a smaller max length was negotiated 06208 */ 06209 if( ssl->session_out != NULL && 06210 mfl_code_to_length[ssl->session_out->mfl_code] < max_len ) 06211 { 06212 max_len = mfl_code_to_length[ssl->session_out->mfl_code]; 06213 } 06214 06215 return max_len; 06216 } 06217 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06218 06219 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06220 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl ) 06221 { 06222 if( ssl == NULL || ssl->session == NULL ) 06223 return( NULL ); 06224 06225 return( ssl->session->peer_cert ); 06226 } 06227 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06228 06229 #if defined(MBEDTLS_SSL_CLI_C) 06230 int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst ) 06231 { 06232 if( ssl == NULL || 06233 dst == NULL || 06234 ssl->session == NULL || 06235 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 06236 { 06237 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06238 } 06239 06240 return( ssl_session_copy( dst, ssl->session ) ); 06241 } 06242 #endif /* MBEDTLS_SSL_CLI_C */ 06243 06244 /* 06245 * Perform a single step of the SSL handshake 06246 */ 06247 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) 06248 { 06249 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06250 06251 if( ssl == NULL || ssl->conf == NULL ) 06252 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06253 06254 #if defined(MBEDTLS_SSL_CLI_C) 06255 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 06256 ret = mbedtls_ssl_handshake_client_step( ssl ); 06257 #endif 06258 #if defined(MBEDTLS_SSL_SRV_C) 06259 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06260 ret = mbedtls_ssl_handshake_server_step( ssl ); 06261 #endif 06262 06263 return( ret ); 06264 } 06265 06266 /* 06267 * Perform the SSL handshake 06268 */ 06269 int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) 06270 { 06271 int ret = 0; 06272 06273 if( ssl == NULL || ssl->conf == NULL ) 06274 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06275 06276 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); 06277 06278 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06279 { 06280 ret = mbedtls_ssl_handshake_step( ssl ); 06281 06282 if( ret != 0 ) 06283 break; 06284 } 06285 06286 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) ); 06287 06288 return( ret ); 06289 } 06290 06291 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06292 #if defined(MBEDTLS_SSL_SRV_C) 06293 /* 06294 * Write HelloRequest to request renegotiation on server 06295 */ 06296 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ) 06297 { 06298 int ret; 06299 06300 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) ); 06301 06302 ssl->out_msglen = 4; 06303 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 06304 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; 06305 06306 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 06307 { 06308 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 06309 return( ret ); 06310 } 06311 06312 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) ); 06313 06314 return( 0 ); 06315 } 06316 #endif /* MBEDTLS_SSL_SRV_C */ 06317 06318 /* 06319 * Actually renegotiate current connection, triggered by either: 06320 * - any side: calling mbedtls_ssl_renegotiate(), 06321 * - client: receiving a HelloRequest during mbedtls_ssl_read(), 06322 * - server: receiving any handshake message on server during mbedtls_ssl_read() after 06323 * the initial handshake is completed. 06324 * If the handshake doesn't complete due to waiting for I/O, it will continue 06325 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. 06326 */ 06327 static int ssl_start_renegotiation( mbedtls_ssl_context *ssl ) 06328 { 06329 int ret; 06330 06331 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) ); 06332 06333 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 06334 return( ret ); 06335 06336 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and 06337 * the ServerHello will have message_seq = 1" */ 06338 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06339 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 06340 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06341 { 06342 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06343 ssl->handshake->out_msg_seq = 1; 06344 else 06345 ssl->handshake->in_msg_seq = 1; 06346 } 06347 #endif 06348 06349 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 06350 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; 06351 06352 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06353 { 06354 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06355 return( ret ); 06356 } 06357 06358 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) ); 06359 06360 return( 0 ); 06361 } 06362 06363 /* 06364 * Renegotiate current connection on client, 06365 * or request renegotiation on server 06366 */ 06367 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) 06368 { 06369 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06370 06371 if( ssl == NULL || ssl->conf == NULL ) 06372 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06373 06374 #if defined(MBEDTLS_SSL_SRV_C) 06375 /* On server, just send the request */ 06376 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06377 { 06378 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06379 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06380 06381 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 06382 06383 /* Did we already try/start sending HelloRequest? */ 06384 if( ssl->out_left != 0 ) 06385 return( mbedtls_ssl_flush_output( ssl ) ); 06386 06387 return( ssl_write_hello_request( ssl ) ); 06388 } 06389 #endif /* MBEDTLS_SSL_SRV_C */ 06390 06391 #if defined(MBEDTLS_SSL_CLI_C) 06392 /* 06393 * On client, either start the renegotiation process or, 06394 * if already in progress, continue the handshake 06395 */ 06396 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 06397 { 06398 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06399 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06400 06401 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 ) 06402 { 06403 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 06404 return( ret ); 06405 } 06406 } 06407 else 06408 { 06409 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06410 { 06411 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06412 return( ret ); 06413 } 06414 } 06415 #endif /* MBEDTLS_SSL_CLI_C */ 06416 06417 return( ret ); 06418 } 06419 06420 /* 06421 * Check record counters and renegotiate if they're above the limit. 06422 */ 06423 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) 06424 { 06425 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || 06426 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || 06427 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) 06428 { 06429 return( 0 ); 06430 } 06431 06432 if( memcmp( ssl->in_ctr, ssl->conf->renego_period, 8 ) <= 0 && 06433 memcmp( ssl->out_ctr, ssl->conf->renego_period, 8 ) <= 0 ) 06434 { 06435 return( 0 ); 06436 } 06437 06438 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) ); 06439 return( mbedtls_ssl_renegotiate( ssl ) ); 06440 } 06441 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06442 06443 /* 06444 * Receive application data decrypted from the SSL layer 06445 */ 06446 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) 06447 { 06448 int ret, record_read = 0; 06449 size_t n; 06450 06451 if( ssl == NULL || ssl->conf == NULL ) 06452 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06453 06454 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); 06455 06456 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06457 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06458 { 06459 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 06460 return( ret ); 06461 06462 if( ssl->handshake != NULL && 06463 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 06464 { 06465 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 06466 return( ret ); 06467 } 06468 } 06469 #endif 06470 06471 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06472 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) 06473 { 06474 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 06475 return( ret ); 06476 } 06477 #endif 06478 06479 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06480 { 06481 ret = mbedtls_ssl_handshake( ssl ); 06482 if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ) 06483 { 06484 record_read = 1; 06485 } 06486 else if( ret != 0 ) 06487 { 06488 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06489 return( ret ); 06490 } 06491 } 06492 06493 if( ssl->in_offt == NULL ) 06494 { 06495 /* Start timer if not already running */ 06496 if( ssl->f_get_timer != NULL && 06497 ssl->f_get_timer( ssl->p_timer ) == -1 ) 06498 { 06499 ssl_set_timer( ssl, ssl->conf->read_timeout ); 06500 } 06501 06502 if( ! record_read ) 06503 { 06504 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06505 { 06506 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06507 return( 0 ); 06508 06509 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06510 return( ret ); 06511 } 06512 } 06513 06514 if( ssl->in_msglen == 0 && 06515 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA ) 06516 { 06517 /* 06518 * OpenSSL sends empty messages to randomize the IV 06519 */ 06520 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06521 { 06522 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06523 return( 0 ); 06524 06525 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06526 return( ret ); 06527 } 06528 } 06529 06530 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06531 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 06532 { 06533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); 06534 06535 #if defined(MBEDTLS_SSL_CLI_C) 06536 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 06537 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || 06538 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) 06539 { 06540 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) ); 06541 06542 /* With DTLS, drop the packet (probably from last handshake) */ 06543 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06544 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06545 return( MBEDTLS_ERR_SSL_WANT_READ ); 06546 #endif 06547 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06548 } 06549 06550 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 06551 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 06552 { 06553 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); 06554 06555 /* With DTLS, drop the packet (probably from last handshake) */ 06556 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06557 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06558 return( MBEDTLS_ERR_SSL_WANT_READ ); 06559 #endif 06560 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06561 } 06562 #endif 06563 06564 if( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || 06565 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 06566 ssl->conf->allow_legacy_renegotiation == 06567 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) 06568 { 06569 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); 06570 06571 #if defined(MBEDTLS_SSL_PROTO_SSL3) 06572 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 06573 { 06574 /* 06575 * SSLv3 does not have a "no_renegotiation" alert 06576 */ 06577 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 06578 return( ret ); 06579 } 06580 else 06581 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 06582 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 06583 defined(MBEDTLS_SSL_PROTO_TLS1_2) 06584 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 06585 { 06586 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 06587 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 06588 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 ) 06589 { 06590 return( ret ); 06591 } 06592 } 06593 else 06594 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || 06595 MBEDTLS_SSL_PROTO_TLS1_2 */ 06596 { 06597 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 06598 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 06599 } 06600 } 06601 else 06602 { 06603 /* DTLS clients need to know renego is server-initiated */ 06604 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06605 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 06606 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 06607 { 06608 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 06609 } 06610 #endif 06611 ret = ssl_start_renegotiation( ssl ); 06612 if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ) 06613 { 06614 record_read = 1; 06615 } 06616 else if( ret != 0 ) 06617 { 06618 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 06619 return( ret ); 06620 } 06621 } 06622 06623 /* If a non-handshake record was read during renego, fallthrough, 06624 * else tell the user they should call mbedtls_ssl_read() again */ 06625 if( ! record_read ) 06626 return( MBEDTLS_ERR_SSL_WANT_READ ); 06627 } 06628 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06629 { 06630 06631 if( ssl->conf->renego_max_records >= 0 ) 06632 { 06633 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records ) 06634 { 06635 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 06636 "but not honored by client" ) ); 06637 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06638 } 06639 } 06640 } 06641 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06642 06643 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */ 06644 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 06645 { 06646 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); 06647 return( MBEDTLS_ERR_SSL_WANT_READ ); 06648 } 06649 06650 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 06651 { 06652 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); 06653 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06654 } 06655 06656 ssl->in_offt = ssl->in_msg; 06657 06658 /* We're going to return something now, cancel timer, 06659 * except if handshake (renegotiation) is in progress */ 06660 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 06661 ssl_set_timer( ssl, 0 ); 06662 06663 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06664 /* If we requested renego but received AppData, resend HelloRequest. 06665 * Do it now, after setting in_offt, to avoid taking this branch 06666 * again if ssl_write_hello_request() returns WANT_WRITE */ 06667 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 06668 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 06669 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06670 { 06671 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 06672 { 06673 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 06674 return( ret ); 06675 } 06676 } 06677 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 06678 #endif 06679 } 06680 06681 n = ( len < ssl->in_msglen ) 06682 ? len : ssl->in_msglen; 06683 06684 memcpy( buf, ssl->in_offt, n ); 06685 ssl->in_msglen -= n; 06686 06687 if( ssl->in_msglen == 0 ) 06688 /* all bytes consumed */ 06689 ssl->in_offt = NULL; 06690 else 06691 /* more data available */ 06692 ssl->in_offt += n; 06693 06694 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); 06695 06696 return( (int) n ); 06697 } 06698 06699 /* 06700 * Send application data to be encrypted by the SSL layer, 06701 * taking care of max fragment length and buffer size 06702 */ 06703 static int ssl_write_real( mbedtls_ssl_context *ssl, 06704 const unsigned char *buf, size_t len ) 06705 { 06706 int ret; 06707 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06708 size_t max_len = mbedtls_ssl_get_max_frag_len( ssl ); 06709 06710 if( len > max_len ) 06711 { 06712 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06713 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06714 { 06715 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " 06716 "maximum fragment length: %d > %d", 06717 len, max_len ) ); 06718 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06719 } 06720 else 06721 #endif 06722 len = max_len; 06723 } 06724 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06725 06726 if( ssl->out_left != 0 ) 06727 { 06728 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 06729 { 06730 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 06731 return( ret ); 06732 } 06733 } 06734 else 06735 { 06736 ssl->out_msglen = len; 06737 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; 06738 memcpy( ssl->out_msg, buf, len ); 06739 06740 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 06741 { 06742 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 06743 return( ret ); 06744 } 06745 } 06746 06747 return( (int) len ); 06748 } 06749 06750 /* 06751 * Write application data, doing 1/n-1 splitting if necessary. 06752 * 06753 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE, 06754 * then the caller will call us again with the same arguments, so 06755 * remember wether we already did the split or not. 06756 */ 06757 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06758 static int ssl_write_split( mbedtls_ssl_context *ssl, 06759 const unsigned char *buf, size_t len ) 06760 { 06761 int ret; 06762 06763 if( ssl->conf->cbc_record_splitting == 06764 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED || 06765 len <= 1 || 06766 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 || 06767 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ) 06768 != MBEDTLS_MODE_CBC ) 06769 { 06770 return( ssl_write_real( ssl, buf, len ) ); 06771 } 06772 06773 if( ssl->split_done == 0 ) 06774 { 06775 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 ) 06776 return( ret ); 06777 ssl->split_done = 1; 06778 } 06779 06780 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 ) 06781 return( ret ); 06782 ssl->split_done = 0; 06783 06784 return( ret + 1 ); 06785 } 06786 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ 06787 06788 /* 06789 * Write application data (public-facing wrapper) 06790 */ 06791 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) 06792 { 06793 int ret; 06794 06795 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); 06796 06797 if( ssl == NULL || ssl->conf == NULL ) 06798 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06799 06800 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06801 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) 06802 { 06803 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 06804 return( ret ); 06805 } 06806 #endif 06807 06808 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06809 { 06810 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06811 { 06812 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06813 return( ret ); 06814 } 06815 } 06816 06817 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06818 ret = ssl_write_split( ssl, buf, len ); 06819 #else 06820 ret = ssl_write_real( ssl, buf, len ); 06821 #endif 06822 06823 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); 06824 06825 return( ret ); 06826 } 06827 06828 /* 06829 * Notify the peer that the connection is being closed 06830 */ 06831 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) 06832 { 06833 int ret; 06834 06835 if( ssl == NULL || ssl->conf == NULL ) 06836 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06837 06838 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); 06839 06840 if( ssl->out_left != 0 ) 06841 return( mbedtls_ssl_flush_output( ssl ) ); 06842 06843 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 06844 { 06845 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 06846 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 06847 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 ) 06848 { 06849 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret ); 06850 return( ret ); 06851 } 06852 } 06853 06854 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) ); 06855 06856 return( 0 ); 06857 } 06858 06859 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) 06860 { 06861 if( transform == NULL ) 06862 return; 06863 06864 #if defined(MBEDTLS_ZLIB_SUPPORT) 06865 deflateEnd( &transform->ctx_deflate ); 06866 inflateEnd( &transform->ctx_inflate ); 06867 #endif 06868 06869 mbedtls_cipher_free( &transform->cipher_ctx_enc ); 06870 mbedtls_cipher_free( &transform->cipher_ctx_dec ); 06871 06872 mbedtls_md_free( &transform->md_ctx_enc ); 06873 mbedtls_md_free( &transform->md_ctx_dec ); 06874 06875 mbedtls_zeroize( transform, sizeof( mbedtls_ssl_transform ) ); 06876 } 06877 06878 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06879 static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert ) 06880 { 06881 mbedtls_ssl_key_cert *cur = key_cert, *next; 06882 06883 while( cur != NULL ) 06884 { 06885 next = cur->next; 06886 mbedtls_free( cur ); 06887 cur = next; 06888 } 06889 } 06890 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06891 06892 void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake ) 06893 { 06894 if( handshake == NULL ) 06895 return; 06896 06897 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 06898 defined(MBEDTLS_SSL_PROTO_TLS1_1) 06899 mbedtls_md5_free( &handshake->fin_md5 ); 06900 mbedtls_sha1_free( &handshake->fin_sha1 ); 06901 #endif 06902 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 06903 #if defined(MBEDTLS_SHA256_C) 06904 mbedtls_sha256_free( &handshake->fin_sha256 ); 06905 #endif 06906 #if defined(MBEDTLS_SHA512_C) 06907 mbedtls_sha512_free( &handshake->fin_sha512 ); 06908 #endif 06909 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 06910 06911 #if defined(MBEDTLS_DHM_C) 06912 mbedtls_dhm_free( &handshake->dhm_ctx ); 06913 #endif 06914 #if defined(MBEDTLS_ECDH_C) 06915 mbedtls_ecdh_free( &handshake->ecdh_ctx ); 06916 #endif 06917 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 06918 mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); 06919 #if defined(MBEDTLS_SSL_CLI_C) 06920 mbedtls_free( handshake->ecjpake_cache ); 06921 handshake->ecjpake_cache = NULL; 06922 handshake->ecjpake_cache_len = 0; 06923 #endif 06924 #endif 06925 06926 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 06927 /* explicit void pointer cast for buggy MS compiler */ 06928 mbedtls_free( (void *) handshake->curves ); 06929 #endif 06930 06931 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 06932 if( handshake->psk != NULL ) 06933 { 06934 mbedtls_zeroize( handshake->psk, handshake->psk_len ); 06935 mbedtls_free( handshake->psk ); 06936 } 06937 #endif 06938 06939 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 06940 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 06941 /* 06942 * Free only the linked list wrapper, not the keys themselves 06943 * since the belong to the SNI callback 06944 */ 06945 if( handshake->sni_key_cert != NULL ) 06946 { 06947 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next; 06948 06949 while( cur != NULL ) 06950 { 06951 next = cur->next; 06952 mbedtls_free( cur ); 06953 cur = next; 06954 } 06955 } 06956 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ 06957 06958 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06959 mbedtls_free( handshake->verify_cookie ); 06960 mbedtls_free( handshake->hs_msg ); 06961 ssl_flight_free( handshake->flight ); 06962 #endif 06963 06964 mbedtls_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) ); 06965 } 06966 06967 void mbedtls_ssl_session_free( mbedtls_ssl_session *session ) 06968 { 06969 if( session == NULL ) 06970 return; 06971 06972 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06973 if( session->peer_cert != NULL ) 06974 { 06975 mbedtls_x509_crt_free( session->peer_cert ); 06976 mbedtls_free( session->peer_cert ); 06977 } 06978 #endif 06979 06980 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 06981 mbedtls_free( session->ticket ); 06982 #endif 06983 06984 mbedtls_zeroize( session, sizeof( mbedtls_ssl_session ) ); 06985 } 06986 06987 /* 06988 * Free an SSL context 06989 */ 06990 void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) 06991 { 06992 if( ssl == NULL ) 06993 return; 06994 06995 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) ); 06996 06997 if( ssl->out_buf != NULL ) 06998 { 06999 mbedtls_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN ); 07000 mbedtls_free( ssl->out_buf ); 07001 } 07002 07003 if( ssl->in_buf != NULL ) 07004 { 07005 mbedtls_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN ); 07006 mbedtls_free( ssl->in_buf ); 07007 } 07008 07009 #if defined(MBEDTLS_ZLIB_SUPPORT) 07010 if( ssl->compress_buf != NULL ) 07011 { 07012 mbedtls_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN ); 07013 mbedtls_free( ssl->compress_buf ); 07014 } 07015 #endif 07016 07017 if( ssl->transform ) 07018 { 07019 mbedtls_ssl_transform_free( ssl->transform ); 07020 mbedtls_free( ssl->transform ); 07021 } 07022 07023 if( ssl->handshake ) 07024 { 07025 mbedtls_ssl_handshake_free( ssl->handshake ); 07026 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 07027 mbedtls_ssl_session_free( ssl->session_negotiate ); 07028 07029 mbedtls_free( ssl->handshake ); 07030 mbedtls_free( ssl->transform_negotiate ); 07031 mbedtls_free( ssl->session_negotiate ); 07032 } 07033 07034 if( ssl->session ) 07035 { 07036 mbedtls_ssl_session_free( ssl->session ); 07037 mbedtls_free( ssl->session ); 07038 } 07039 07040 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07041 if( ssl->hostname != NULL ) 07042 { 07043 mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) ); 07044 mbedtls_free( ssl->hostname ); 07045 } 07046 #endif 07047 07048 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 07049 if( mbedtls_ssl_hw_record_finish != NULL ) 07050 { 07051 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) ); 07052 mbedtls_ssl_hw_record_finish( ssl ); 07053 } 07054 #endif 07055 07056 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07057 mbedtls_free( ssl->cli_id ); 07058 #endif 07059 07060 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) ); 07061 07062 /* Actually clear after last debug message */ 07063 mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) ); 07064 } 07065 07066 /* 07067 * Initialze mbedtls_ssl_config 07068 */ 07069 void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) 07070 { 07071 memset( conf, 0, sizeof( mbedtls_ssl_config ) ); 07072 } 07073 07074 static int ssl_preset_suiteb_ciphersuites[] = { 07075 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 07076 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 07077 0 07078 }; 07079 07080 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07081 static int ssl_preset_suiteb_hashes[] = { 07082 MBEDTLS_MD_SHA256, 07083 MBEDTLS_MD_SHA384, 07084 MBEDTLS_MD_NONE 07085 }; 07086 #endif 07087 07088 #if defined(MBEDTLS_ECP_C) 07089 static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = { 07090 MBEDTLS_ECP_DP_SECP256R1 , 07091 MBEDTLS_ECP_DP_SECP384R1 , 07092 MBEDTLS_ECP_DP_NONE 07093 }; 07094 #endif 07095 07096 /* 07097 * Load default in mbedtls_ssl_config 07098 */ 07099 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, 07100 int endpoint, int transport, int preset ) 07101 { 07102 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07103 int ret; 07104 #endif 07105 07106 /* Use the functions here so that they are covered in tests, 07107 * but otherwise access member directly for efficiency */ 07108 mbedtls_ssl_conf_endpoint( conf, endpoint ); 07109 mbedtls_ssl_conf_transport( conf, transport ); 07110 07111 /* 07112 * Things that are common to all presets 07113 */ 07114 #if defined(MBEDTLS_SSL_CLI_C) 07115 if( endpoint == MBEDTLS_SSL_IS_CLIENT ) 07116 { 07117 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; 07118 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 07119 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; 07120 #endif 07121 } 07122 #endif 07123 07124 #if defined(MBEDTLS_ARC4_C) 07125 conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED; 07126 #endif 07127 07128 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 07129 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 07130 #endif 07131 07132 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 07133 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 07134 #endif 07135 07136 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07137 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; 07138 #endif 07139 07140 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07141 conf->f_cookie_write = ssl_cookie_write_dummy; 07142 conf->f_cookie_check = ssl_cookie_check_dummy; 07143 #endif 07144 07145 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 07146 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; 07147 #endif 07148 07149 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07150 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; 07151 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; 07152 #endif 07153 07154 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07155 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; 07156 memset( conf->renego_period , 0xFF, 7 ); 07157 conf->renego_period [7] = 0x00; 07158 #endif 07159 07160 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07161 if( endpoint == MBEDTLS_SSL_IS_SERVER ) 07162 { 07163 if( ( ret = mbedtls_ssl_conf_dh_param( conf, 07164 MBEDTLS_DHM_RFC5114_MODP_2048_P, 07165 MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 ) 07166 { 07167 return( ret ); 07168 } 07169 } 07170 #endif 07171 07172 /* 07173 * Preset-specific defaults 07174 */ 07175 switch( preset ) 07176 { 07177 /* 07178 * NSA Suite B 07179 */ 07180 case MBEDTLS_SSL_PRESET_SUITEB: 07181 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 07182 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */ 07183 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07184 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07185 07186 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07187 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07188 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07189 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07190 ssl_preset_suiteb_ciphersuites; 07191 07192 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07193 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; 07194 #endif 07195 07196 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07197 conf->sig_hashes = ssl_preset_suiteb_hashes; 07198 #endif 07199 07200 #if defined(MBEDTLS_ECP_C) 07201 conf->curve_list = ssl_preset_suiteb_curves; 07202 #endif 07203 break; 07204 07205 /* 07206 * Default 07207 */ 07208 default: 07209 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 07210 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ 07211 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07212 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07213 07214 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07215 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07216 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; 07217 #endif 07218 07219 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07220 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07221 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07222 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07223 mbedtls_ssl_list_ciphersuites(); 07224 07225 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07226 conf->cert_profile = &mbedtls_x509_crt_profile_default; 07227 #endif 07228 07229 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07230 conf->sig_hashes = mbedtls_md_list(); 07231 #endif 07232 07233 #if defined(MBEDTLS_ECP_C) 07234 conf->curve_list = mbedtls_ecp_grp_id_list(); 07235 #endif 07236 07237 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 07238 conf->dhm_min_bitlen = 1024; 07239 #endif 07240 } 07241 07242 return( 0 ); 07243 } 07244 07245 /* 07246 * Free mbedtls_ssl_config 07247 */ 07248 void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) 07249 { 07250 #if defined(MBEDTLS_DHM_C) 07251 mbedtls_mpi_free( &conf->dhm_P ); 07252 mbedtls_mpi_free( &conf->dhm_G ); 07253 #endif 07254 07255 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 07256 if( conf->psk != NULL ) 07257 { 07258 mbedtls_zeroize( conf->psk , conf->psk_len ); 07259 mbedtls_zeroize( conf->psk_identity , conf->psk_identity_len ); 07260 mbedtls_free( conf->psk ); 07261 mbedtls_free( conf->psk_identity ); 07262 conf->psk_len = 0; 07263 conf->psk_identity_len = 0; 07264 } 07265 #endif 07266 07267 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07268 ssl_key_cert_free( conf->key_cert ); 07269 #endif 07270 07271 mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) ); 07272 } 07273 07274 #if defined(MBEDTLS_PK_C) && \ 07275 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) ) 07276 /* 07277 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX 07278 */ 07279 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk ) 07280 { 07281 #if defined(MBEDTLS_RSA_C) 07282 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) ) 07283 return( MBEDTLS_SSL_SIG_RSA ); 07284 #endif 07285 #if defined(MBEDTLS_ECDSA_C) 07286 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) ) 07287 return( MBEDTLS_SSL_SIG_ECDSA ); 07288 #endif 07289 return( MBEDTLS_SSL_SIG_ANON ); 07290 } 07291 07292 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig ) 07293 { 07294 switch( sig ) 07295 { 07296 #if defined(MBEDTLS_RSA_C) 07297 case MBEDTLS_SSL_SIG_RSA: 07298 return( MBEDTLS_PK_RSA ); 07299 #endif 07300 #if defined(MBEDTLS_ECDSA_C) 07301 case MBEDTLS_SSL_SIG_ECDSA: 07302 return( MBEDTLS_PK_ECDSA ); 07303 #endif 07304 default: 07305 return( MBEDTLS_PK_NONE ); 07306 } 07307 } 07308 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */ 07309 07310 /* 07311 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX 07312 */ 07313 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ) 07314 { 07315 switch( hash ) 07316 { 07317 #if defined(MBEDTLS_MD5_C) 07318 case MBEDTLS_SSL_HASH_MD5: 07319 return( MBEDTLS_MD_MD5 ); 07320 #endif 07321 #if defined(MBEDTLS_SHA1_C) 07322 case MBEDTLS_SSL_HASH_SHA1: 07323 return( MBEDTLS_MD_SHA1 ); 07324 #endif 07325 #if defined(MBEDTLS_SHA256_C) 07326 case MBEDTLS_SSL_HASH_SHA224: 07327 return( MBEDTLS_MD_SHA224 ); 07328 case MBEDTLS_SSL_HASH_SHA256: 07329 return( MBEDTLS_MD_SHA256 ); 07330 #endif 07331 #if defined(MBEDTLS_SHA512_C) 07332 case MBEDTLS_SSL_HASH_SHA384: 07333 return( MBEDTLS_MD_SHA384 ); 07334 case MBEDTLS_SSL_HASH_SHA512: 07335 return( MBEDTLS_MD_SHA512 ); 07336 #endif 07337 default: 07338 return( MBEDTLS_MD_NONE ); 07339 } 07340 } 07341 07342 /* 07343 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX 07344 */ 07345 unsigned char mbedtls_ssl_hash_from_md_alg( int md ) 07346 { 07347 switch( md ) 07348 { 07349 #if defined(MBEDTLS_MD5_C) 07350 case MBEDTLS_MD_MD5: 07351 return( MBEDTLS_SSL_HASH_MD5 ); 07352 #endif 07353 #if defined(MBEDTLS_SHA1_C) 07354 case MBEDTLS_MD_SHA1: 07355 return( MBEDTLS_SSL_HASH_SHA1 ); 07356 #endif 07357 #if defined(MBEDTLS_SHA256_C) 07358 case MBEDTLS_MD_SHA224: 07359 return( MBEDTLS_SSL_HASH_SHA224 ); 07360 case MBEDTLS_MD_SHA256: 07361 return( MBEDTLS_SSL_HASH_SHA256 ); 07362 #endif 07363 #if defined(MBEDTLS_SHA512_C) 07364 case MBEDTLS_MD_SHA384: 07365 return( MBEDTLS_SSL_HASH_SHA384 ); 07366 case MBEDTLS_MD_SHA512: 07367 return( MBEDTLS_SSL_HASH_SHA512 ); 07368 #endif 07369 default: 07370 return( MBEDTLS_SSL_HASH_NONE ); 07371 } 07372 } 07373 07374 #if defined(MBEDTLS_ECP_C) 07375 /* 07376 * Check if a curve proposed by the peer is in our list. 07377 * Return 0 if we're willing to use it, -1 otherwise. 07378 */ 07379 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) 07380 { 07381 const mbedtls_ecp_group_id *gid; 07382 07383 if( ssl->conf->curve_list == NULL ) 07384 return( -1 ); 07385 07386 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 07387 if( *gid == grp_id ) 07388 return( 0 ); 07389 07390 return( -1 ); 07391 } 07392 #endif /* MBEDTLS_ECP_C */ 07393 07394 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07395 /* 07396 * Check if a hash proposed by the peer is in our list. 07397 * Return 0 if we're willing to use it, -1 otherwise. 07398 */ 07399 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, 07400 mbedtls_md_type_t md ) 07401 { 07402 const int *cur; 07403 07404 if( ssl->conf->sig_hashes == NULL ) 07405 return( -1 ); 07406 07407 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) 07408 if( *cur == (int) md ) 07409 return( 0 ); 07410 07411 return( -1 ); 07412 } 07413 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 07414 07415 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07416 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, 07417 const mbedtls_ssl_ciphersuite_t *ciphersuite, 07418 int cert_endpoint, 07419 uint32_t *flags ) 07420 { 07421 int ret = 0; 07422 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 07423 int usage = 0; 07424 #endif 07425 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07426 const char *ext_oid; 07427 size_t ext_len; 07428 #endif 07429 07430 #if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \ 07431 !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07432 ((void) cert); 07433 ((void) cert_endpoint); 07434 ((void) flags); 07435 #endif 07436 07437 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 07438 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 07439 { 07440 /* Server part of the key exchange */ 07441 switch( ciphersuite->key_exchange ) 07442 { 07443 case MBEDTLS_KEY_EXCHANGE_RSA: 07444 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 07445 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 07446 break; 07447 07448 case MBEDTLS_KEY_EXCHANGE_DHE_RSA: 07449 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: 07450 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: 07451 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 07452 break; 07453 07454 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: 07455 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: 07456 usage = MBEDTLS_X509_KU_KEY_AGREEMENT; 07457 break; 07458 07459 /* Don't use default: we want warnings when adding new values */ 07460 case MBEDTLS_KEY_EXCHANGE_NONE: 07461 case MBEDTLS_KEY_EXCHANGE_PSK: 07462 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 07463 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 07464 case MBEDTLS_KEY_EXCHANGE_ECJPAKE: 07465 usage = 0; 07466 } 07467 } 07468 else 07469 { 07470 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */ 07471 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 07472 } 07473 07474 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 ) 07475 { 07476 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; 07477 ret = -1; 07478 } 07479 #else 07480 ((void) ciphersuite); 07481 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE */ 07482 07483 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07484 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 07485 { 07486 ext_oid = MBEDTLS_OID_SERVER_AUTH; 07487 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ); 07488 } 07489 else 07490 { 07491 ext_oid = MBEDTLS_OID_CLIENT_AUTH; 07492 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH ); 07493 } 07494 07495 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 ) 07496 { 07497 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; 07498 ret = -1; 07499 } 07500 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ 07501 07502 return( ret ); 07503 } 07504 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 07505 07506 /* 07507 * Convert version numbers to/from wire format 07508 * and, for DTLS, to/from TLS equivalent. 07509 * 07510 * For TLS this is the identity. 07511 * For DTLS, use one complement (v -> 255 - v, and then map as follows: 07512 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1) 07513 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2) 07514 */ 07515 void mbedtls_ssl_write_version( int major, int minor, int transport, 07516 unsigned char ver[2] ) 07517 { 07518 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07519 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07520 { 07521 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 ) 07522 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 07523 07524 ver[0] = (unsigned char)( 255 - ( major - 2 ) ); 07525 ver[1] = (unsigned char)( 255 - ( minor - 1 ) ); 07526 } 07527 else 07528 #else 07529 ((void) transport); 07530 #endif 07531 { 07532 ver[0] = (unsigned char) major; 07533 ver[1] = (unsigned char) minor; 07534 } 07535 } 07536 07537 void mbedtls_ssl_read_version( int *major, int *minor, int transport, 07538 const unsigned char ver[2] ) 07539 { 07540 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07541 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07542 { 07543 *major = 255 - ver[0] + 2; 07544 *minor = 255 - ver[1] + 1; 07545 07546 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 ) 07547 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 07548 } 07549 else 07550 #else 07551 ((void) transport); 07552 #endif 07553 { 07554 *major = ver[0]; 07555 *minor = ver[1]; 07556 } 07557 } 07558 07559 #endif /* MBEDTLS_SSL_TLS_C */
Generated on Tue Jul 12 2022 12:52:49 by
1.7.2