Knight KE
/
Game_Master
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_CLI_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #include <stdint.h> 00045 00046 #if defined(MBEDTLS_HAVE_TIME) 00047 #include "mbedtls/platform_time.h" 00048 #endif 00049 00050 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00051 #include "mbedtls/platform_util.h" 00052 #endif 00053 00054 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00055 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 00056 unsigned char *buf, 00057 size_t *olen ) 00058 { 00059 unsigned char *p = buf; 00060 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00061 size_t hostname_len; 00062 00063 *olen = 0; 00064 00065 if( ssl->hostname == NULL ) 00066 return; 00067 00068 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00069 ssl->hostname ) ); 00070 00071 hostname_len = strlen( ssl->hostname ); 00072 00073 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 00074 { 00075 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00076 return; 00077 } 00078 00079 /* 00080 * Sect. 3, RFC 6066 (TLS Extensions Definitions) 00081 * 00082 * In order to provide any of the server names, clients MAY include an 00083 * extension of type "server_name" in the (extended) client hello. The 00084 * "extension_data" field of this extension SHALL contain 00085 * "ServerNameList" where: 00086 * 00087 * struct { 00088 * NameType name_type; 00089 * select (name_type) { 00090 * case host_name: HostName; 00091 * } name; 00092 * } ServerName; 00093 * 00094 * enum { 00095 * host_name(0), (255) 00096 * } NameType; 00097 * 00098 * opaque HostName<1..2^16-1>; 00099 * 00100 * struct { 00101 * ServerName server_name_list<1..2^16-1> 00102 * } ServerNameList; 00103 * 00104 */ 00105 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00106 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 00107 00108 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 00109 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 00110 00111 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 00112 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 00113 00114 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00115 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 00116 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 00117 00118 memcpy( p, ssl->hostname, hostname_len ); 00119 00120 *olen = hostname_len + 9; 00121 } 00122 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00123 00124 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00125 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 00126 unsigned char *buf, 00127 size_t *olen ) 00128 { 00129 unsigned char *p = buf; 00130 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00131 00132 *olen = 0; 00133 00134 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the 00135 * initial ClientHello, in which case also adding the renegotiation 00136 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ 00137 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00138 return; 00139 00140 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00141 00142 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 00143 { 00144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00145 return; 00146 } 00147 00148 /* 00149 * Secure renegotiation 00150 */ 00151 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00152 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00153 00154 *p++ = 0x00; 00155 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00156 *p++ = ssl->verify_data_len & 0xFF; 00157 00158 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00159 00160 *olen = 5 + ssl->verify_data_len; 00161 } 00162 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00163 00164 /* 00165 * Only if we handle at least one key exchange that needs signatures. 00166 */ 00167 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00168 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00169 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00170 unsigned char *buf, 00171 size_t *olen ) 00172 { 00173 unsigned char *p = buf; 00174 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00175 size_t sig_alg_len = 0; 00176 const int *md; 00177 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 00178 unsigned char *sig_alg_list = buf + 6; 00179 #endif 00180 00181 *olen = 0; 00182 00183 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 00184 return; 00185 00186 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00187 00188 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00189 { 00190 #if defined(MBEDTLS_ECDSA_C) 00191 sig_alg_len += 2; 00192 #endif 00193 #if defined(MBEDTLS_RSA_C) 00194 sig_alg_len += 2; 00195 #endif 00196 } 00197 00198 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 00199 { 00200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00201 return; 00202 } 00203 00204 /* 00205 * Prepare signature_algorithms extension (TLS 1.2) 00206 */ 00207 sig_alg_len = 0; 00208 00209 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00210 { 00211 #if defined(MBEDTLS_ECDSA_C) 00212 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00213 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 00214 #endif 00215 #if defined(MBEDTLS_RSA_C) 00216 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00217 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 00218 #endif 00219 } 00220 00221 /* 00222 * enum { 00223 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00224 * sha512(6), (255) 00225 * } HashAlgorithm; 00226 * 00227 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00228 * SignatureAlgorithm; 00229 * 00230 * struct { 00231 * HashAlgorithm hash; 00232 * SignatureAlgorithm signature; 00233 * } SignatureAndHashAlgorithm; 00234 * 00235 * SignatureAndHashAlgorithm 00236 * supported_signature_algorithms<2..2^16-2>; 00237 */ 00238 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00239 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 00240 00241 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00242 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00243 00244 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00245 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00246 00247 *olen = 6 + sig_alg_len; 00248 } 00249 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00250 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00251 00252 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00253 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00254 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 00255 unsigned char *buf, 00256 size_t *olen ) 00257 { 00258 unsigned char *p = buf; 00259 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00260 unsigned char *elliptic_curve_list = p + 6; 00261 size_t elliptic_curve_len = 0; 00262 const mbedtls_ecp_curve_info *info; 00263 #if defined(MBEDTLS_ECP_C) 00264 const mbedtls_ecp_group_id *grp_id; 00265 #else 00266 ((void) ssl); 00267 #endif 00268 00269 *olen = 0; 00270 00271 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00272 00273 #if defined(MBEDTLS_ECP_C) 00274 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00275 #else 00276 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00277 #endif 00278 { 00279 #if defined(MBEDTLS_ECP_C) 00280 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00281 #endif 00282 if( info == NULL ) 00283 { 00284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); 00285 return; 00286 } 00287 00288 elliptic_curve_len += 2; 00289 } 00290 00291 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 00292 { 00293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00294 return; 00295 } 00296 00297 elliptic_curve_len = 0; 00298 00299 #if defined(MBEDTLS_ECP_C) 00300 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00301 #else 00302 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00303 #endif 00304 { 00305 #if defined(MBEDTLS_ECP_C) 00306 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00307 #endif 00308 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00309 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00310 } 00311 00312 if( elliptic_curve_len == 0 ) 00313 return; 00314 00315 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00316 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00317 00318 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00319 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00320 00321 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00322 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00323 00324 *olen = 6 + elliptic_curve_len; 00325 } 00326 00327 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 00328 unsigned char *buf, 00329 size_t *olen ) 00330 { 00331 unsigned char *p = buf; 00332 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00333 00334 *olen = 0; 00335 00336 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00337 00338 if( end < p || (size_t)( end - p ) < 6 ) 00339 { 00340 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00341 return; 00342 } 00343 00344 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00345 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00346 00347 *p++ = 0x00; 00348 *p++ = 2; 00349 00350 *p++ = 1; 00351 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 00352 00353 *olen = 6; 00354 } 00355 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00356 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00357 00358 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00359 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 00360 unsigned char *buf, 00361 size_t *olen ) 00362 { 00363 int ret; 00364 unsigned char *p = buf; 00365 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00366 size_t kkpp_len; 00367 00368 *olen = 0; 00369 00370 /* Skip costly extension if we can't use EC J-PAKE anyway */ 00371 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00372 return; 00373 00374 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 00375 00376 if( end - p < 4 ) 00377 { 00378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00379 return; 00380 } 00381 00382 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 00383 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 00384 00385 /* 00386 * We may need to send ClientHello multiple times for Hello verification. 00387 * We don't want to compute fresh values every time (both for performance 00388 * and consistency reasons), so cache the extension content. 00389 */ 00390 if( ssl->handshake->ecjpake_cache == NULL || 00391 ssl->handshake->ecjpake_cache_len == 0 ) 00392 { 00393 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 00394 00395 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 00396 p + 2, end - p - 2, &kkpp_len, 00397 ssl->conf->f_rng, ssl->conf->p_rng ); 00398 if( ret != 0 ) 00399 { 00400 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 00401 return; 00402 } 00403 00404 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 00405 if( ssl->handshake->ecjpake_cache == NULL ) 00406 { 00407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 00408 return; 00409 } 00410 00411 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 00412 ssl->handshake->ecjpake_cache_len = kkpp_len; 00413 } 00414 else 00415 { 00416 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 00417 00418 kkpp_len = ssl->handshake->ecjpake_cache_len; 00419 00420 if( (size_t)( end - p - 2 ) < kkpp_len ) 00421 { 00422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00423 return; 00424 } 00425 00426 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 00427 } 00428 00429 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 00430 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 00431 00432 *olen = kkpp_len + 4; 00433 } 00434 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00435 00436 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00437 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00438 unsigned char *buf, 00439 size_t *olen ) 00440 { 00441 unsigned char *p = buf; 00442 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00443 00444 *olen = 0; 00445 00446 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 00447 return; 00448 } 00449 00450 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00451 00452 if( end < p || (size_t)( end - p ) < 5 ) 00453 { 00454 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00455 return; 00456 } 00457 00458 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00459 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00460 00461 *p++ = 0x00; 00462 *p++ = 1; 00463 00464 *p++ = ssl->conf->mfl_code; 00465 00466 *olen = 5; 00467 } 00468 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00469 00470 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00471 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00472 unsigned char *buf, size_t *olen ) 00473 { 00474 unsigned char *p = buf; 00475 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00476 00477 *olen = 0; 00478 00479 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 00480 { 00481 return; 00482 } 00483 00484 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00485 00486 if( end < p || (size_t)( end - p ) < 4 ) 00487 { 00488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00489 return; 00490 } 00491 00492 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00493 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00494 00495 *p++ = 0x00; 00496 *p++ = 0x00; 00497 00498 *olen = 4; 00499 } 00500 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00501 00502 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00503 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00504 unsigned char *buf, size_t *olen ) 00505 { 00506 unsigned char *p = buf; 00507 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00508 00509 *olen = 0; 00510 00511 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 00512 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00513 { 00514 return; 00515 } 00516 00517 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00518 "extension" ) ); 00519 00520 if( end < p || (size_t)( end - p ) < 4 ) 00521 { 00522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00523 return; 00524 } 00525 00526 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00527 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00528 00529 *p++ = 0x00; 00530 *p++ = 0x00; 00531 00532 *olen = 4; 00533 } 00534 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00535 00536 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00537 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 00538 unsigned char *buf, size_t *olen ) 00539 { 00540 unsigned char *p = buf; 00541 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00542 00543 *olen = 0; 00544 00545 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 00546 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00547 { 00548 return; 00549 } 00550 00551 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00552 "extension" ) ); 00553 00554 if( end < p || (size_t)( end - p ) < 4 ) 00555 { 00556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00557 return; 00558 } 00559 00560 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00561 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00562 00563 *p++ = 0x00; 00564 *p++ = 0x00; 00565 00566 *olen = 4; 00567 } 00568 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00569 00570 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00571 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 00572 unsigned char *buf, size_t *olen ) 00573 { 00574 unsigned char *p = buf; 00575 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00576 size_t tlen = ssl->session_negotiate->ticket_len; 00577 00578 *olen = 0; 00579 00580 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 00581 { 00582 return; 00583 } 00584 00585 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00586 00587 if( end < p || (size_t)( end - p ) < 4 + tlen ) 00588 { 00589 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00590 return; 00591 } 00592 00593 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00594 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 00595 00596 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00597 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00598 00599 *olen = 4; 00600 00601 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 00602 { 00603 return; 00604 } 00605 00606 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00607 00608 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00609 00610 *olen += tlen; 00611 } 00612 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00613 00614 #if defined(MBEDTLS_SSL_ALPN) 00615 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 00616 unsigned char *buf, size_t *olen ) 00617 { 00618 unsigned char *p = buf; 00619 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00620 size_t alpnlen = 0; 00621 const char **cur; 00622 00623 *olen = 0; 00624 00625 if( ssl->conf->alpn_list == NULL ) 00626 { 00627 return; 00628 } 00629 00630 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00631 00632 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00633 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 00634 00635 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 00636 { 00637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00638 return; 00639 } 00640 00641 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 00642 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 00643 00644 /* 00645 * opaque ProtocolName<1..2^8-1>; 00646 * 00647 * struct { 00648 * ProtocolName protocol_name_list<2..2^16-1> 00649 * } ProtocolNameList; 00650 */ 00651 00652 /* Skip writing extension and list length for now */ 00653 p += 4; 00654 00655 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00656 { 00657 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00658 memcpy( p + 1, *cur, *p ); 00659 p += 1 + *p; 00660 } 00661 00662 *olen = p - buf; 00663 00664 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00665 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00666 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00667 00668 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00669 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00670 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00671 } 00672 #endif /* MBEDTLS_SSL_ALPN */ 00673 00674 /* 00675 * Generate random bytes for ClientHello 00676 */ 00677 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 00678 { 00679 int ret; 00680 unsigned char *p = ssl->handshake->randbytes; 00681 #if defined(MBEDTLS_HAVE_TIME) 00682 mbedtls_time_t t; 00683 #endif 00684 00685 /* 00686 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 00687 */ 00688 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00689 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00690 ssl->handshake->verify_cookie != NULL ) 00691 { 00692 return( 0 ); 00693 } 00694 #endif 00695 00696 #if defined(MBEDTLS_HAVE_TIME) 00697 t = mbedtls_time( NULL ); 00698 *p++ = (unsigned char)( t >> 24 ); 00699 *p++ = (unsigned char)( t >> 16 ); 00700 *p++ = (unsigned char)( t >> 8 ); 00701 *p++ = (unsigned char)( t ); 00702 00703 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00704 #else 00705 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 00706 return( ret ); 00707 00708 p += 4; 00709 #endif /* MBEDTLS_HAVE_TIME */ 00710 00711 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 00712 return( ret ); 00713 00714 return( 0 ); 00715 } 00716 00717 /** 00718 * \brief Validate cipher suite against config in SSL context. 00719 * 00720 * \param suite_info cipher suite to validate 00721 * \param ssl SSL context 00722 * \param min_minor_ver Minimal minor version to accept a cipher suite 00723 * \param max_minor_ver Maximal minor version to accept a cipher suite 00724 * 00725 * \return 0 if valid, else 1 00726 */ 00727 static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info, 00728 const mbedtls_ssl_context * ssl, 00729 int min_minor_ver, int max_minor_ver ) 00730 { 00731 (void) ssl; 00732 if( suite_info == NULL ) 00733 return( 1 ); 00734 00735 if( suite_info->min_minor_ver > max_minor_ver || 00736 suite_info->max_minor_ver < min_minor_ver ) 00737 return( 1 ); 00738 00739 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00740 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00741 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00742 return( 1 ); 00743 #endif 00744 00745 #if defined(MBEDTLS_ARC4_C) 00746 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00747 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00748 return( 1 ); 00749 #endif 00750 00751 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00752 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00753 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00754 return( 1 ); 00755 #endif 00756 00757 return( 0 ); 00758 } 00759 00760 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 00761 { 00762 int ret; 00763 size_t i, n, olen, ext_len = 0; 00764 unsigned char *buf; 00765 unsigned char *p, *q; 00766 unsigned char offer_compress; 00767 const int *ciphersuites; 00768 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00769 00770 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00771 00772 if( ssl->conf->f_rng == NULL ) 00773 { 00774 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00775 return( MBEDTLS_ERR_SSL_NO_RNG ); 00776 } 00777 00778 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00779 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00780 #endif 00781 { 00782 ssl->major_ver = ssl->conf->min_major_ver; 00783 ssl->minor_ver = ssl->conf->min_minor_ver; 00784 } 00785 00786 if( ssl->conf->max_major_ver == 0 ) 00787 { 00788 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 00789 "consider using mbedtls_ssl_config_defaults()" ) ); 00790 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00791 } 00792 00793 /* 00794 * 0 . 0 handshake type 00795 * 1 . 3 handshake length 00796 * 4 . 5 highest version supported 00797 * 6 . 9 current UNIX time 00798 * 10 . 37 random bytes 00799 */ 00800 buf = ssl->out_msg; 00801 p = buf + 4; 00802 00803 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 00804 ssl->conf->transport, p ); 00805 p += 2; 00806 00807 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00808 buf[4], buf[5] ) ); 00809 00810 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 00811 { 00812 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 00813 return( ret ); 00814 } 00815 00816 memcpy( p, ssl->handshake->randbytes, 32 ); 00817 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 00818 p += 32; 00819 00820 /* 00821 * 38 . 38 session id length 00822 * 39 . 39+n session id 00823 * 39+n . 39+n DTLS only: cookie length (1 byte) 00824 * 40+n . .. DTSL only: cookie 00825 * .. . .. ciphersuitelist length (2 bytes) 00826 * .. . .. ciphersuitelist 00827 * .. . .. compression methods length (1 byte) 00828 * .. . .. compression methods 00829 * .. . .. extensions length (2 bytes) 00830 * .. . .. extensions 00831 */ 00832 n = ssl->session_negotiate->id_len; 00833 00834 if( n < 16 || n > 32 || 00835 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00836 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 00837 #endif 00838 ssl->handshake->resume == 0 ) 00839 { 00840 n = 0; 00841 } 00842 00843 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00844 /* 00845 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00846 * generate and include a Session ID in the TLS ClientHello." 00847 */ 00848 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00849 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00850 #endif 00851 { 00852 if( ssl->session_negotiate->ticket != NULL && 00853 ssl->session_negotiate->ticket_len != 0 ) 00854 { 00855 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 00856 00857 if( ret != 0 ) 00858 return( ret ); 00859 00860 ssl->session_negotiate->id_len = n = 32; 00861 } 00862 } 00863 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00864 00865 *p++ = (unsigned char) n; 00866 00867 for( i = 0; i < n; i++ ) 00868 *p++ = ssl->session_negotiate->id[i]; 00869 00870 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00871 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00872 00873 /* 00874 * DTLS cookie 00875 */ 00876 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00877 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00878 { 00879 if( ssl->handshake->verify_cookie == NULL ) 00880 { 00881 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 00882 *p++ = 0; 00883 } 00884 else 00885 { 00886 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 00887 ssl->handshake->verify_cookie, 00888 ssl->handshake->verify_cookie_len ); 00889 00890 *p++ = ssl->handshake->verify_cookie_len; 00891 memcpy( p, ssl->handshake->verify_cookie, 00892 ssl->handshake->verify_cookie_len ); 00893 p += ssl->handshake->verify_cookie_len; 00894 } 00895 } 00896 #endif 00897 00898 /* 00899 * Ciphersuite list 00900 */ 00901 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 00902 00903 /* Skip writing ciphersuite length for now */ 00904 n = 0; 00905 q = p; 00906 p += 2; 00907 00908 for( i = 0; ciphersuites[i] != 0; i++ ) 00909 { 00910 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 00911 00912 if( ssl_validate_ciphersuite( ciphersuite_info, ssl, 00913 ssl->conf->min_minor_ver, 00914 ssl->conf->max_minor_ver ) != 0 ) 00915 continue; 00916 00917 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 00918 ciphersuites[i] ) ); 00919 00920 n++; 00921 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00922 *p++ = (unsigned char)( ciphersuites[i] ); 00923 } 00924 00925 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) ); 00926 00927 /* 00928 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00929 */ 00930 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00931 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00932 #endif 00933 { 00934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) ); 00935 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00936 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 00937 n++; 00938 } 00939 00940 /* Some versions of OpenSSL don't handle it correctly if not at end */ 00941 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 00942 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 00943 { 00944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 00945 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 00946 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 00947 n++; 00948 } 00949 #endif 00950 00951 *q++ = (unsigned char)( n >> 7 ); 00952 *q++ = (unsigned char)( n << 1 ); 00953 00954 #if defined(MBEDTLS_ZLIB_SUPPORT) 00955 offer_compress = 1; 00956 #else 00957 offer_compress = 0; 00958 #endif 00959 00960 /* 00961 * We don't support compression with DTLS right now: if many records come 00962 * in the same datagram, uncompressing one could overwrite the next one. 00963 * We don't want to add complexity for handling that case unless there is 00964 * an actual need for it. 00965 */ 00966 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00967 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00968 offer_compress = 0; 00969 #endif 00970 00971 if( offer_compress ) 00972 { 00973 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00974 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00975 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 00976 00977 *p++ = 2; 00978 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 00979 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00980 } 00981 else 00982 { 00983 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00984 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 00985 MBEDTLS_SSL_COMPRESS_NULL ) ); 00986 00987 *p++ = 1; 00988 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00989 } 00990 00991 // First write extensions, then the total length 00992 // 00993 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00994 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 00995 ext_len += olen; 00996 #endif 00997 00998 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added 00999 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ 01000 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01001 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 01002 ext_len += olen; 01003 #endif 01004 01005 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01006 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01007 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 01008 ext_len += olen; 01009 #endif 01010 01011 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01012 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01013 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 01014 ext_len += olen; 01015 01016 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 01017 ext_len += olen; 01018 #endif 01019 01020 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01021 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 01022 ext_len += olen; 01023 #endif 01024 01025 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01026 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 01027 ext_len += olen; 01028 #endif 01029 01030 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01031 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 01032 ext_len += olen; 01033 #endif 01034 01035 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01036 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 01037 ext_len += olen; 01038 #endif 01039 01040 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01041 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 01042 ext_len += olen; 01043 #endif 01044 01045 #if defined(MBEDTLS_SSL_ALPN) 01046 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01047 ext_len += olen; 01048 #endif 01049 01050 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01051 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01052 ext_len += olen; 01053 #endif 01054 01055 /* olen unused if all extensions are disabled */ 01056 ((void) olen); 01057 01058 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 01059 ext_len ) ); 01060 01061 if( ext_len > 0 ) 01062 { 01063 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01064 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01065 p += ext_len; 01066 } 01067 01068 ssl->out_msglen = p - buf; 01069 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 01070 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 01071 01072 ssl->state++; 01073 01074 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01075 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01076 mbedtls_ssl_send_flight_completed( ssl ); 01077 #endif 01078 01079 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 01080 { 01081 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 01082 return( ret ); 01083 } 01084 01085 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 01086 01087 return( 0 ); 01088 } 01089 01090 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 01091 const unsigned char *buf, 01092 size_t len ) 01093 { 01094 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01095 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01096 { 01097 /* Check verify-data in constant-time. The length OTOH is no secret */ 01098 if( len != 1 + ssl->verify_data_len * 2 || 01099 buf[0] != ssl->verify_data_len * 2 || 01100 mbedtls_ssl_safer_memcmp( buf + 1, 01101 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 01102 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 01103 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 01104 { 01105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 01106 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01107 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01108 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01109 } 01110 } 01111 else 01112 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01113 { 01114 if( len != 1 || buf[0] != 0x00 ) 01115 { 01116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 01117 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01118 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01119 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01120 } 01121 01122 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01123 } 01124 01125 return( 0 ); 01126 } 01127 01128 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01129 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 01130 const unsigned char *buf, 01131 size_t len ) 01132 { 01133 /* 01134 * server should use the extension only if we did, 01135 * and if so the server's value should match ours (and len is always 1) 01136 */ 01137 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 01138 len != 1 || 01139 buf[0] != ssl->conf->mfl_code ) 01140 { 01141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) ); 01142 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01143 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01144 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01145 } 01146 01147 return( 0 ); 01148 } 01149 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01150 01151 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01152 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01153 const unsigned char *buf, 01154 size_t len ) 01155 { 01156 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 01157 len != 0 ) 01158 { 01159 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) ); 01160 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01161 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01162 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01163 } 01164 01165 ((void) buf); 01166 01167 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 01168 01169 return( 0 ); 01170 } 01171 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01172 01173 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01174 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01175 const unsigned char *buf, 01176 size_t len ) 01177 { 01178 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 01179 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01180 len != 0 ) 01181 { 01182 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) ); 01183 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01184 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01185 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01186 } 01187 01188 ((void) buf); 01189 01190 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 01191 01192 return( 0 ); 01193 } 01194 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01195 01196 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01197 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 01198 const unsigned char *buf, 01199 size_t len ) 01200 { 01201 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01202 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01203 len != 0 ) 01204 { 01205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) ); 01206 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01207 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01208 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01209 } 01210 01211 ((void) buf); 01212 01213 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 01214 01215 return( 0 ); 01216 } 01217 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01218 01219 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01220 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 01221 const unsigned char *buf, 01222 size_t len ) 01223 { 01224 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 01225 len != 0 ) 01226 { 01227 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) ); 01228 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01229 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01230 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01231 } 01232 01233 ((void) buf); 01234 01235 ssl->handshake->new_session_ticket = 1; 01236 01237 return( 0 ); 01238 } 01239 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01240 01241 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01242 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01243 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 01244 const unsigned char *buf, 01245 size_t len ) 01246 { 01247 size_t list_size; 01248 const unsigned char *p; 01249 01250 list_size = buf[0]; 01251 if( list_size + 1 != len ) 01252 { 01253 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01254 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01255 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01256 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01257 } 01258 01259 p = buf + 1; 01260 while( list_size > 0 ) 01261 { 01262 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 01263 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 01264 { 01265 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 01266 ssl->handshake->ecdh_ctx.point_format = p[0]; 01267 #endif 01268 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01269 ssl->handshake->ecjpake_ctx.point_format = p[0]; 01270 #endif 01271 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 01272 return( 0 ); 01273 } 01274 01275 list_size--; 01276 p++; 01277 } 01278 01279 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 01280 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01281 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01282 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01283 } 01284 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01285 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01286 01287 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01288 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 01289 const unsigned char *buf, 01290 size_t len ) 01291 { 01292 int ret; 01293 01294 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 01295 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 01296 { 01297 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 01298 return( 0 ); 01299 } 01300 01301 /* If we got here, we no longer need our cached extension */ 01302 mbedtls_free( ssl->handshake->ecjpake_cache ); 01303 ssl->handshake->ecjpake_cache = NULL; 01304 ssl->handshake->ecjpake_cache_len = 0; 01305 01306 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 01307 buf, len ) ) != 0 ) 01308 { 01309 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 01310 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01311 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01312 return( ret ); 01313 } 01314 01315 return( 0 ); 01316 } 01317 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01318 01319 #if defined(MBEDTLS_SSL_ALPN) 01320 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 01321 const unsigned char *buf, size_t len ) 01322 { 01323 size_t list_len, name_len; 01324 const char **p; 01325 01326 /* If we didn't send it, the server shouldn't send it */ 01327 if( ssl->conf->alpn_list == NULL ) 01328 { 01329 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) ); 01330 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01331 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01332 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01333 } 01334 01335 /* 01336 * opaque ProtocolName<1..2^8-1>; 01337 * 01338 * struct { 01339 * ProtocolName protocol_name_list<2..2^16-1> 01340 * } ProtocolNameList; 01341 * 01342 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 01343 */ 01344 01345 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 01346 if( len < 4 ) 01347 { 01348 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01349 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01350 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01351 } 01352 01353 list_len = ( buf[0] << 8 ) | buf[1]; 01354 if( list_len != len - 2 ) 01355 { 01356 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01357 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01358 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01359 } 01360 01361 name_len = buf[2]; 01362 if( name_len != list_len - 1 ) 01363 { 01364 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01365 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01366 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01367 } 01368 01369 /* Check that the server chosen protocol was in our list and save it */ 01370 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 01371 { 01372 if( name_len == strlen( *p ) && 01373 memcmp( buf + 3, *p, name_len ) == 0 ) 01374 { 01375 ssl->alpn_chosen = *p; 01376 return( 0 ); 01377 } 01378 } 01379 01380 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) ); 01381 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01382 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01383 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01384 } 01385 #endif /* MBEDTLS_SSL_ALPN */ 01386 01387 /* 01388 * Parse HelloVerifyRequest. Only called after verifying the HS type. 01389 */ 01390 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01391 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 01392 { 01393 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 01394 int major_ver, minor_ver; 01395 unsigned char cookie_len; 01396 01397 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 01398 01399 /* 01400 * struct { 01401 * ProtocolVersion server_version; 01402 * opaque cookie<0..2^8-1>; 01403 * } HelloVerifyRequest; 01404 */ 01405 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 01406 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 01407 p += 2; 01408 01409 /* 01410 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 01411 * even is lower than our min version. 01412 */ 01413 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 01414 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 01415 major_ver > ssl->conf->max_major_ver || 01416 minor_ver > ssl->conf->max_minor_ver ) 01417 { 01418 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 01419 01420 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01421 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01422 01423 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01424 } 01425 01426 cookie_len = *p++; 01427 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 01428 01429 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) 01430 { 01431 MBEDTLS_SSL_DEBUG_MSG( 1, 01432 ( "cookie length does not match incoming message size" ) ); 01433 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01434 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01435 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01436 } 01437 01438 mbedtls_free( ssl->handshake->verify_cookie ); 01439 01440 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 01441 if( ssl->handshake->verify_cookie == NULL ) 01442 { 01443 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 01444 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 01445 } 01446 01447 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 01448 ssl->handshake->verify_cookie_len = cookie_len; 01449 01450 /* Start over at ClientHello */ 01451 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 01452 mbedtls_ssl_reset_checksum( ssl ); 01453 01454 mbedtls_ssl_recv_flight_completed( ssl ); 01455 01456 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 01457 01458 return( 0 ); 01459 } 01460 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01461 01462 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 01463 { 01464 int ret, i; 01465 size_t n; 01466 size_t ext_len; 01467 unsigned char *buf, *ext; 01468 unsigned char comp; 01469 #if defined(MBEDTLS_ZLIB_SUPPORT) 01470 int accept_comp; 01471 #endif 01472 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01473 int renegotiation_info_seen = 0; 01474 #endif 01475 int handshake_failure = 0; 01476 const mbedtls_ssl_ciphersuite_t *suite_info; 01477 01478 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01479 01480 buf = ssl->in_msg; 01481 01482 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 01483 { 01484 /* No alert on a read error. */ 01485 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 01486 return( ret ); 01487 } 01488 01489 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 01490 { 01491 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01492 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01493 { 01494 ssl->renego_records_seen++; 01495 01496 if( ssl->conf->renego_max_records >= 0 && 01497 ssl->renego_records_seen > ssl->conf->renego_max_records ) 01498 { 01499 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01500 "but not honored by server" ) ); 01501 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01502 } 01503 01504 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01505 01506 ssl->keep_current_message = 1; 01507 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01508 } 01509 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01510 01511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01512 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01513 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 01514 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01515 } 01516 01517 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01518 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01519 { 01520 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 01521 { 01522 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 01523 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01524 return( ssl_parse_hello_verify_request( ssl ) ); 01525 } 01526 else 01527 { 01528 /* We made it through the verification process */ 01529 mbedtls_free( ssl->handshake->verify_cookie ); 01530 ssl->handshake->verify_cookie = NULL; 01531 ssl->handshake->verify_cookie_len = 0; 01532 } 01533 } 01534 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01535 01536 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 01537 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 01538 { 01539 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01540 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01541 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01542 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01543 } 01544 01545 /* 01546 * 0 . 1 server_version 01547 * 2 . 33 random (maybe including 4 bytes of Unix time) 01548 * 34 . 34 session_id length = n 01549 * 35 . 34+n session_id 01550 * 35+n . 36+n cipher_suite 01551 * 37+n . 37+n compression_method 01552 * 01553 * 38+n . 39+n extensions length (optional) 01554 * 40+n . .. extensions 01555 */ 01556 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01557 01558 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 01559 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01560 ssl->conf->transport, buf + 0 ); 01561 01562 if( ssl->major_ver < ssl->conf->min_major_ver || 01563 ssl->minor_ver < ssl->conf->min_minor_ver || 01564 ssl->major_ver > ssl->conf->max_major_ver || 01565 ssl->minor_ver > ssl->conf->max_minor_ver ) 01566 { 01567 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 01568 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 01569 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 01570 ssl->major_ver, ssl->minor_ver, 01571 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 01572 01573 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01574 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01575 01576 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01577 } 01578 01579 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", 01580 ( (uint32_t) buf[2] << 24 ) | 01581 ( (uint32_t) buf[3] << 16 ) | 01582 ( (uint32_t) buf[4] << 8 ) | 01583 ( (uint32_t) buf[5] ) ) ); 01584 01585 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 01586 01587 n = buf[34]; 01588 01589 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 01590 01591 if( n > 32 ) 01592 { 01593 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01594 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01595 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01596 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01597 } 01598 01599 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 01600 { 01601 ext_len = ( ( buf[38 + n] << 8 ) 01602 | ( buf[39 + n] ) ); 01603 01604 if( ( ext_len > 0 && ext_len < 4 ) || 01605 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 01606 { 01607 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01608 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01609 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01610 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01611 } 01612 } 01613 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 01614 { 01615 ext_len = 0; 01616 } 01617 else 01618 { 01619 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01620 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01621 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01622 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01623 } 01624 01625 /* ciphersuite (used later) */ 01626 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 01627 01628 /* 01629 * Read and check compression 01630 */ 01631 comp = buf[37 + n]; 01632 01633 #if defined(MBEDTLS_ZLIB_SUPPORT) 01634 /* See comments in ssl_write_client_hello() */ 01635 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01636 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01637 accept_comp = 0; 01638 else 01639 #endif 01640 accept_comp = 1; 01641 01642 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 01643 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 01644 #else /* MBEDTLS_ZLIB_SUPPORT */ 01645 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 01646 #endif/* MBEDTLS_ZLIB_SUPPORT */ 01647 { 01648 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 01649 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01650 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01651 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01652 } 01653 01654 /* 01655 * Initialize update checksum functions 01656 */ 01657 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 01658 01659 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 01660 { 01661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01662 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01663 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01664 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01665 } 01666 01667 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01668 01669 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01670 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 01671 01672 /* 01673 * Check if the session can be resumed 01674 */ 01675 if( ssl->handshake->resume == 0 || n == 0 || 01676 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01677 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 01678 #endif 01679 ssl->session_negotiate->ciphersuite != i || 01680 ssl->session_negotiate->compression != comp || 01681 ssl->session_negotiate->id_len != n || 01682 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 01683 { 01684 ssl->state++; 01685 ssl->handshake->resume = 0; 01686 #if defined(MBEDTLS_HAVE_TIME) 01687 ssl->session_negotiate->start = mbedtls_time( NULL ); 01688 #endif 01689 ssl->session_negotiate->ciphersuite = i; 01690 ssl->session_negotiate->compression = comp; 01691 ssl->session_negotiate->id_len = n; 01692 memcpy( ssl->session_negotiate->id, buf + 35, n ); 01693 } 01694 else 01695 { 01696 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 01697 01698 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 01699 { 01700 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 01701 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01702 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01703 return( ret ); 01704 } 01705 } 01706 01707 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01708 ssl->handshake->resume ? "a" : "no" ) ); 01709 01710 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 01711 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 01712 01713 /* 01714 * Perform cipher suite validation in same way as in ssl_write_client_hello. 01715 */ 01716 i = 0; 01717 while( 1 ) 01718 { 01719 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01720 { 01721 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01722 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01723 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01724 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01725 } 01726 01727 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 01728 ssl->session_negotiate->ciphersuite ) 01729 { 01730 break; 01731 } 01732 } 01733 01734 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01735 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 ) 01736 { 01737 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01738 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01739 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01740 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01741 } 01742 01743 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 01744 01745 if( comp != MBEDTLS_SSL_COMPRESS_NULL 01746 #if defined(MBEDTLS_ZLIB_SUPPORT) 01747 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 01748 #endif 01749 ) 01750 { 01751 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01752 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01753 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01754 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01755 } 01756 ssl->session_negotiate->compression = comp; 01757 01758 ext = buf + 40 + n; 01759 01760 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01761 01762 while( ext_len ) 01763 { 01764 unsigned int ext_id = ( ( ext[0] << 8 ) 01765 | ( ext[1] ) ); 01766 unsigned int ext_size = ( ( ext[2] << 8 ) 01767 | ( ext[3] ) ); 01768 01769 if( ext_size + 4 > ext_len ) 01770 { 01771 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01772 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01773 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01774 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01775 } 01776 01777 switch( ext_id ) 01778 { 01779 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01780 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01781 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01782 renegotiation_info_seen = 1; 01783 #endif 01784 01785 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01786 ext_size ) ) != 0 ) 01787 return( ret ); 01788 01789 break; 01790 01791 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01792 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01793 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01794 01795 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01796 ext + 4, ext_size ) ) != 0 ) 01797 { 01798 return( ret ); 01799 } 01800 01801 break; 01802 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01803 01804 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01805 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01806 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01807 01808 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01809 ext + 4, ext_size ) ) != 0 ) 01810 { 01811 return( ret ); 01812 } 01813 01814 break; 01815 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01816 01817 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01818 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01819 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 01820 01821 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 01822 ext + 4, ext_size ) ) != 0 ) 01823 { 01824 return( ret ); 01825 } 01826 01827 break; 01828 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01829 01830 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01831 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01832 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 01833 01834 if( ( ret = ssl_parse_extended_ms_ext( ssl, 01835 ext + 4, ext_size ) ) != 0 ) 01836 { 01837 return( ret ); 01838 } 01839 01840 break; 01841 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01842 01843 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01844 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01845 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01846 01847 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01848 ext + 4, ext_size ) ) != 0 ) 01849 { 01850 return( ret ); 01851 } 01852 01853 break; 01854 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01855 01856 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01857 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01858 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01859 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01860 01861 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01862 ext + 4, ext_size ) ) != 0 ) 01863 { 01864 return( ret ); 01865 } 01866 01867 break; 01868 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01869 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01870 01871 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01872 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01873 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 01874 01875 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 01876 ext + 4, ext_size ) ) != 0 ) 01877 { 01878 return( ret ); 01879 } 01880 01881 break; 01882 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01883 01884 #if defined(MBEDTLS_SSL_ALPN) 01885 case MBEDTLS_TLS_EXT_ALPN: 01886 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01887 01888 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01889 return( ret ); 01890 01891 break; 01892 #endif /* MBEDTLS_SSL_ALPN */ 01893 01894 default: 01895 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01896 ext_id ) ); 01897 } 01898 01899 ext_len -= 4 + ext_size; 01900 ext += 4 + ext_size; 01901 01902 if( ext_len > 0 && ext_len < 4 ) 01903 { 01904 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01905 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01906 } 01907 } 01908 01909 /* 01910 * Renegotiation security checks 01911 */ 01912 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01913 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01914 { 01915 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01916 handshake_failure = 1; 01917 } 01918 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01919 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01920 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01921 renegotiation_info_seen == 0 ) 01922 { 01923 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01924 handshake_failure = 1; 01925 } 01926 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01927 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01928 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01929 { 01930 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01931 handshake_failure = 1; 01932 } 01933 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01934 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01935 renegotiation_info_seen == 1 ) 01936 { 01937 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01938 handshake_failure = 1; 01939 } 01940 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01941 01942 if( handshake_failure == 1 ) 01943 { 01944 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01945 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01946 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01947 } 01948 01949 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01950 01951 return( 0 ); 01952 } 01953 01954 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01955 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01956 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 01957 unsigned char *end ) 01958 { 01959 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01960 01961 /* 01962 * Ephemeral DH parameters: 01963 * 01964 * struct { 01965 * opaque dh_p<1..2^16-1>; 01966 * opaque dh_g<1..2^16-1>; 01967 * opaque dh_Ys<1..2^16-1>; 01968 * } ServerDHParams; 01969 */ 01970 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01971 { 01972 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 01973 return( ret ); 01974 } 01975 01976 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 01977 { 01978 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 01979 ssl->handshake->dhm_ctx.len * 8, 01980 ssl->conf->dhm_min_bitlen ) ); 01981 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01982 } 01983 01984 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 01985 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 01986 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 01987 01988 return( ret ); 01989 } 01990 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 01991 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01992 01993 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01994 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01995 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01996 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01997 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01998 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 01999 { 02000 const mbedtls_ecp_curve_info *curve_info; 02001 02002 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 02003 if( curve_info == NULL ) 02004 { 02005 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02006 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02007 } 02008 02009 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 02010 02011 #if defined(MBEDTLS_ECP_C) 02012 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 02013 #else 02014 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 02015 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 02016 #endif 02017 return( -1 ); 02018 02019 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 02020 02021 return( 0 ); 02022 } 02023 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02024 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02025 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02026 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02027 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02028 02029 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02030 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02031 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02032 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 02033 unsigned char **p, 02034 unsigned char *end ) 02035 { 02036 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02037 02038 /* 02039 * Ephemeral ECDH parameters: 02040 * 02041 * struct { 02042 * ECParameters curve_params; 02043 * ECPoint public; 02044 * } ServerECDHParams; 02045 */ 02046 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 02047 (const unsigned char **) p, end ) ) != 0 ) 02048 { 02049 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 02050 return( ret ); 02051 } 02052 02053 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02054 { 02055 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 02056 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02057 } 02058 02059 return( ret ); 02060 } 02061 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02062 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02063 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02064 02065 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02066 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 02067 unsigned char **p, 02068 unsigned char *end ) 02069 { 02070 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02071 size_t len; 02072 ((void) ssl); 02073 02074 /* 02075 * PSK parameters: 02076 * 02077 * opaque psk_identity_hint<0..2^16-1>; 02078 */ 02079 if( (*p) > end - 2 ) 02080 { 02081 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 02082 "(psk_identity_hint length)" ) ); 02083 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02084 } 02085 len = (*p)[0] << 8 | (*p)[1]; 02086 *p += 2; 02087 02088 if( (*p) > end - len ) 02089 { 02090 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 02091 "(psk_identity_hint length)" ) ); 02092 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02093 } 02094 02095 /* 02096 * Note: we currently ignore the PKS identity hint, as we only allow one 02097 * PSK to be provisionned on the client. This could be changed later if 02098 * someone needs that feature. 02099 */ 02100 *p += len; 02101 ret = 0; 02102 02103 return( ret ); 02104 } 02105 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02106 02107 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 02108 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02109 /* 02110 * Generate a pre-master secret and encrypt it with the server's RSA key 02111 */ 02112 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 02113 size_t offset, size_t *olen, 02114 size_t pms_offset ) 02115 { 02116 int ret; 02117 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 02118 unsigned char *p = ssl->handshake->premaster + pms_offset; 02119 02120 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02121 { 02122 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 02123 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02124 } 02125 02126 /* 02127 * Generate (part of) the pre-master as 02128 * struct { 02129 * ProtocolVersion client_version; 02130 * opaque random[46]; 02131 * } PreMasterSecret; 02132 */ 02133 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 02134 ssl->conf->transport, p ); 02135 02136 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 02137 { 02138 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 02139 return( ret ); 02140 } 02141 02142 ssl->handshake->pmslen = 48; 02143 02144 if( ssl->session_negotiate->peer_cert == NULL ) 02145 { 02146 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02147 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02148 } 02149 02150 /* 02151 * Now write it out, encrypted 02152 */ 02153 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02154 MBEDTLS_PK_RSA ) ) 02155 { 02156 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 02157 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02158 } 02159 02160 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 02161 p, ssl->handshake->pmslen, 02162 ssl->out_msg + offset + len_bytes, olen, 02163 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, 02164 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02165 { 02166 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 02167 return( ret ); 02168 } 02169 02170 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02171 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02172 if( len_bytes == 2 ) 02173 { 02174 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 02175 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 02176 *olen += 2; 02177 } 02178 #endif 02179 02180 return( 0 ); 02181 } 02182 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 02183 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02184 02185 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02186 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02187 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02188 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02189 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 02190 unsigned char **p, 02191 unsigned char *end, 02192 mbedtls_md_type_t *md_alg, 02193 mbedtls_pk_type_t *pk_alg ) 02194 { 02195 ((void) ssl); 02196 *md_alg = MBEDTLS_MD_NONE; 02197 *pk_alg = MBEDTLS_PK_NONE; 02198 02199 /* Only in TLS 1.2 */ 02200 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 02201 { 02202 return( 0 ); 02203 } 02204 02205 if( (*p) + 2 > end ) 02206 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02207 02208 /* 02209 * Get hash algorithm 02210 */ 02211 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 02212 { 02213 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " 02214 "HashAlgorithm %d", *(p)[0] ) ); 02215 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02216 } 02217 02218 /* 02219 * Get signature algorithm 02220 */ 02221 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 02222 { 02223 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " 02224 "SignatureAlgorithm %d", (*p)[1] ) ); 02225 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02226 } 02227 02228 /* 02229 * Check if the hash is acceptable 02230 */ 02231 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 02232 { 02233 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered", 02234 *(p)[0] ) ); 02235 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02236 } 02237 02238 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 02239 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 02240 *p += 2; 02241 02242 return( 0 ); 02243 } 02244 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02245 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02246 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02247 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02248 02249 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02250 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02251 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02252 { 02253 int ret; 02254 const mbedtls_ecp_keypair *peer_key; 02255 02256 if( ssl->session_negotiate->peer_cert == NULL ) 02257 { 02258 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02259 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02260 } 02261 02262 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02263 MBEDTLS_PK_ECKEY ) ) 02264 { 02265 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02266 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02267 } 02268 02269 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 02270 02271 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 02272 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 02273 { 02274 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02275 return( ret ); 02276 } 02277 02278 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02279 { 02280 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 02281 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 02282 } 02283 02284 return( ret ); 02285 } 02286 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02287 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02288 02289 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 02290 { 02291 int ret; 02292 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02293 ssl->transform_negotiate->ciphersuite_info; 02294 unsigned char *p = NULL, *end = NULL; 02295 02296 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 02297 02298 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02299 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02300 { 02301 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02302 ssl->state++; 02303 return( 0 ); 02304 } 02305 ((void) p); 02306 ((void) end); 02307 #endif 02308 02309 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02310 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02311 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02312 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02313 { 02314 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 02315 { 02316 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 02317 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02318 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02319 return( ret ); 02320 } 02321 02322 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02323 ssl->state++; 02324 return( 0 ); 02325 } 02326 ((void) p); 02327 ((void) end); 02328 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02329 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02330 02331 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02332 { 02333 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02334 return( ret ); 02335 } 02336 02337 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02338 { 02339 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02340 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02341 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02342 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02343 } 02344 02345 /* 02346 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 02347 * doesn't use a psk_identity_hint 02348 */ 02349 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 02350 { 02351 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02352 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02353 { 02354 /* Current message is probably either 02355 * CertificateRequest or ServerHelloDone */ 02356 ssl->keep_current_message = 1; 02357 goto exit; 02358 } 02359 02360 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must " 02361 "not be skipped" ) ); 02362 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02363 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02364 02365 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02366 } 02367 02368 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02369 end = ssl->in_msg + ssl->in_hslen; 02370 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 02371 02372 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02373 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02374 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02375 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02376 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02377 { 02378 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 02379 { 02380 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02381 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02382 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02383 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02384 } 02385 } /* FALLTROUGH */ 02386 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02387 02388 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02389 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02390 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02391 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02392 ; /* nothing more to do */ 02393 else 02394 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 02395 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02396 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02397 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02398 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02399 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02400 { 02401 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 02402 { 02403 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02404 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02405 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02406 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02407 } 02408 } 02409 else 02410 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02411 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02412 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02413 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02414 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02415 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02416 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02417 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02418 { 02419 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 02420 { 02421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02422 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02423 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02424 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02425 } 02426 } 02427 else 02428 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02429 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02430 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02431 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02432 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02433 { 02434 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 02435 p, end - p ); 02436 if( ret != 0 ) 02437 { 02438 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 02439 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02440 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02441 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02442 } 02443 } 02444 else 02445 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02446 { 02447 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02448 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02449 } 02450 02451 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02452 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 02453 { 02454 size_t sig_len, hashlen; 02455 unsigned char hash[64]; 02456 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02457 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 02458 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02459 size_t params_len = p - params; 02460 02461 /* 02462 * Handle the digitally-signed structure 02463 */ 02464 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02465 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02466 { 02467 if( ssl_parse_signature_algorithm( ssl, &p, end, 02468 &md_alg, &pk_alg ) != 0 ) 02469 { 02470 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02471 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02472 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02473 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02474 } 02475 02476 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 02477 { 02478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02479 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02480 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02481 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02482 } 02483 } 02484 else 02485 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02486 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02487 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02488 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 02489 { 02490 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 02491 02492 /* Default hash for ECDSA is SHA-1 */ 02493 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 02494 md_alg = MBEDTLS_MD_SHA1; 02495 } 02496 else 02497 #endif 02498 { 02499 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02500 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02501 } 02502 02503 /* 02504 * Read signature 02505 */ 02506 02507 if( p > end - 2 ) 02508 { 02509 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02510 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02511 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02512 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02513 } 02514 sig_len = ( p[0] << 8 ) | p[1]; 02515 p += 2; 02516 02517 if( p != end - sig_len ) 02518 { 02519 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02520 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02521 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02522 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02523 } 02524 02525 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 02526 02527 /* 02528 * Compute the hash that has been signed 02529 */ 02530 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02531 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02532 if( md_alg == MBEDTLS_MD_NONE ) 02533 { 02534 hashlen = 36; 02535 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params, 02536 params_len ); 02537 if( ret != 0 ) 02538 return( ret ); 02539 } 02540 else 02541 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02542 MBEDTLS_SSL_PROTO_TLS1_1 */ 02543 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02544 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02545 if( md_alg != MBEDTLS_MD_NONE ) 02546 { 02547 /* Info from md_alg will be used instead */ 02548 hashlen = 0; 02549 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, params, 02550 params_len, md_alg ); 02551 if( ret != 0 ) 02552 return( ret ); 02553 } 02554 else 02555 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02556 MBEDTLS_SSL_PROTO_TLS1_2 */ 02557 { 02558 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02559 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02560 } 02561 02562 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02563 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 02564 02565 if( ssl->session_negotiate->peer_cert == NULL ) 02566 { 02567 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02568 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02569 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02570 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02571 } 02572 02573 /* 02574 * Verify signature 02575 */ 02576 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 02577 { 02578 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02579 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02580 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02581 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02582 } 02583 02584 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 02585 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 02586 { 02587 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02588 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); 02589 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 02590 return( ret ); 02591 } 02592 } 02593 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 02594 02595 exit: 02596 ssl->state++; 02597 02598 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02599 02600 return( 0 ); 02601 } 02602 02603 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 02604 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02605 { 02606 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02607 ssl->transform_negotiate->ciphersuite_info; 02608 02609 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02610 02611 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02612 { 02613 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02614 ssl->state++; 02615 return( 0 ); 02616 } 02617 02618 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02619 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02620 } 02621 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02622 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02623 { 02624 int ret; 02625 unsigned char *buf; 02626 size_t n = 0; 02627 size_t cert_type_len = 0, dn_len = 0; 02628 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02629 ssl->transform_negotiate->ciphersuite_info; 02630 02631 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02632 02633 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02634 { 02635 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02636 ssl->state++; 02637 return( 0 ); 02638 } 02639 02640 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02641 { 02642 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02643 return( ret ); 02644 } 02645 02646 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02647 { 02648 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02649 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02650 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02651 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02652 } 02653 02654 ssl->state++; 02655 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); 02656 02657 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 02658 ssl->client_auth ? "a" : "no" ) ); 02659 02660 if( ssl->client_auth == 0 ) 02661 { 02662 /* Current message is probably the ServerHelloDone */ 02663 ssl->keep_current_message = 1; 02664 goto exit; 02665 } 02666 02667 /* 02668 * struct { 02669 * ClientCertificateType certificate_types<1..2^8-1>; 02670 * SignatureAndHashAlgorithm 02671 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 02672 * DistinguishedName certificate_authorities<0..2^16-1>; 02673 * } CertificateRequest; 02674 * 02675 * Since we only support a single certificate on clients, let's just 02676 * ignore all the information that's supposed to help us pick a 02677 * certificate. 02678 * 02679 * We could check that our certificate matches the request, and bail out 02680 * if it doesn't, but it's simpler to just send the certificate anyway, 02681 * and give the server the opportunity to decide if it should terminate 02682 * the connection when it doesn't like our certificate. 02683 * 02684 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 02685 * point we only have one hash available (see comments in 02686 * write_certificate_verify), so let's just use what we have. 02687 * 02688 * However, we still minimally parse the message to check it is at least 02689 * superficially sane. 02690 */ 02691 buf = ssl->in_msg; 02692 02693 /* certificate_types */ 02694 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) ) 02695 { 02696 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02697 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02698 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02699 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02700 } 02701 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 02702 n = cert_type_len; 02703 02704 /* 02705 * In the subsequent code there are two paths that read from buf: 02706 * * the length of the signature algorithms field (if minor version of 02707 * SSL is 3), 02708 * * distinguished name length otherwise. 02709 * Both reach at most the index: 02710 * ...hdr_len + 2 + n, 02711 * therefore the buffer length at this point must be greater than that 02712 * regardless of the actual code path. 02713 */ 02714 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02715 { 02716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02717 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02718 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02719 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02720 } 02721 02722 /* supported_signature_algorithms */ 02723 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02724 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02725 { 02726 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02727 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02728 #if defined(MBEDTLS_DEBUG_C) 02729 unsigned char* sig_alg; 02730 size_t i; 02731 #endif 02732 02733 /* 02734 * The furthest access in buf is in the loop few lines below: 02735 * sig_alg[i + 1], 02736 * where: 02737 * sig_alg = buf + ...hdr_len + 3 + n, 02738 * max(i) = sig_alg_len - 1. 02739 * Therefore the furthest access is: 02740 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1], 02741 * which reduces to: 02742 * buf[...hdr_len + 3 + n + sig_alg_len], 02743 * which is one less than we need the buf to be. 02744 */ 02745 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len ) 02746 { 02747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02748 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02749 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02750 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02751 } 02752 02753 #if defined(MBEDTLS_DEBUG_C) 02754 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; 02755 for( i = 0; i < sig_alg_len; i += 2 ) 02756 { 02757 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d" 02758 ",%d", sig_alg[i], sig_alg[i + 1] ) ); 02759 } 02760 #endif 02761 02762 n += 2 + sig_alg_len; 02763 } 02764 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02765 02766 /* certificate_authorities */ 02767 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02768 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02769 02770 n += dn_len; 02771 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 02772 { 02773 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02774 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02775 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02776 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02777 } 02778 02779 exit: 02780 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 02781 02782 return( 0 ); 02783 } 02784 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02785 02786 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 02787 { 02788 int ret; 02789 02790 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 02791 02792 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02793 { 02794 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02795 return( ret ); 02796 } 02797 02798 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02799 { 02800 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02801 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02802 } 02803 02804 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 02805 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 02806 { 02807 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02808 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02809 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02810 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02811 } 02812 02813 ssl->state++; 02814 02815 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02816 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02817 mbedtls_ssl_recv_flight_completed( ssl ); 02818 #endif 02819 02820 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02821 02822 return( 0 ); 02823 } 02824 02825 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 02826 { 02827 int ret; 02828 size_t i, n; 02829 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02830 ssl->transform_negotiate->ciphersuite_info; 02831 02832 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02833 02834 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 02835 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 02836 { 02837 /* 02838 * DHM key exchange -- send G^X mod P 02839 */ 02840 n = ssl->handshake->dhm_ctx.len; 02841 02842 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02843 ssl->out_msg[5] = (unsigned char)( n ); 02844 i = 6; 02845 02846 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02847 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02848 &ssl->out_msg[i], n, 02849 ssl->conf->f_rng, ssl->conf->p_rng ); 02850 if( ret != 0 ) 02851 { 02852 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02853 return( ret ); 02854 } 02855 02856 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02857 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02858 02859 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 02860 ssl->handshake->premaster, 02861 MBEDTLS_PREMASTER_SIZE, 02862 &ssl->handshake->pmslen, 02863 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02864 { 02865 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 02866 return( ret ); 02867 } 02868 02869 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02870 } 02871 else 02872 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02873 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02874 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02875 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02876 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02877 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02878 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 02879 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02880 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02881 { 02882 /* 02883 * ECDH key exchange -- send client public value 02884 */ 02885 i = 4; 02886 02887 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 02888 &n, 02889 &ssl->out_msg[i], 1000, 02890 ssl->conf->f_rng, ssl->conf->p_rng ); 02891 if( ret != 0 ) 02892 { 02893 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02894 return( ret ); 02895 } 02896 02897 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02898 02899 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02900 &ssl->handshake->pmslen, 02901 ssl->handshake->premaster, 02902 MBEDTLS_MPI_MAX_SIZE, 02903 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02904 { 02905 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 02906 return( ret ); 02907 } 02908 02909 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02910 } 02911 else 02912 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02913 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02914 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02915 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02916 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02917 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) 02918 { 02919 /* 02920 * opaque psk_identity<0..2^16-1>; 02921 */ 02922 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 02923 { 02924 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 02925 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02926 } 02927 02928 i = 4; 02929 n = ssl->conf->psk_identity_len; 02930 02931 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02932 { 02933 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 02934 "SSL buffer too short" ) ); 02935 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02936 } 02937 02938 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02939 ssl->out_msg[i++] = (unsigned char)( n ); 02940 02941 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 02942 i += ssl->conf->psk_identity_len; 02943 02944 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 02945 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 02946 { 02947 n = 0; 02948 } 02949 else 02950 #endif 02951 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02952 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02953 { 02954 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02955 return( ret ); 02956 } 02957 else 02958 #endif 02959 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02960 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02961 { 02962 /* 02963 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02964 */ 02965 n = ssl->handshake->dhm_ctx.len; 02966 02967 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02968 { 02969 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 02970 " or SSL buffer too short" ) ); 02971 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02972 } 02973 02974 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02975 ssl->out_msg[i++] = (unsigned char)( n ); 02976 02977 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02978 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02979 &ssl->out_msg[i], n, 02980 ssl->conf->f_rng, ssl->conf->p_rng ); 02981 if( ret != 0 ) 02982 { 02983 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02984 return( ret ); 02985 } 02986 } 02987 else 02988 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02989 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02990 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02991 { 02992 /* 02993 * ClientECDiffieHellmanPublic public; 02994 */ 02995 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 02996 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, 02997 ssl->conf->f_rng, ssl->conf->p_rng ); 02998 if( ret != 0 ) 02999 { 03000 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 03001 return( ret ); 03002 } 03003 03004 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 03005 } 03006 else 03007 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 03008 { 03009 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03010 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03011 } 03012 03013 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03014 ciphersuite_info->key_exchange ) ) != 0 ) 03015 { 03016 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03017 return( ret ); 03018 } 03019 } 03020 else 03021 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 03022 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 03023 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 03024 { 03025 i = 4; 03026 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 03027 return( ret ); 03028 } 03029 else 03030 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03031 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 03032 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03033 { 03034 i = 4; 03035 03036 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 03037 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, 03038 ssl->conf->f_rng, ssl->conf->p_rng ); 03039 if( ret != 0 ) 03040 { 03041 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 03042 return( ret ); 03043 } 03044 03045 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 03046 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 03047 ssl->conf->f_rng, ssl->conf->p_rng ); 03048 if( ret != 0 ) 03049 { 03050 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 03051 return( ret ); 03052 } 03053 } 03054 else 03055 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03056 { 03057 ((void) ciphersuite_info); 03058 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03059 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03060 } 03061 03062 ssl->out_msglen = i + n; 03063 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03064 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 03065 03066 ssl->state++; 03067 03068 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03069 { 03070 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03071 return( ret ); 03072 } 03073 03074 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 03075 03076 return( 0 ); 03077 } 03078 03079 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 03080 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 03081 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 03082 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 03083 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 03084 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 03085 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03086 { 03087 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03088 ssl->transform_negotiate->ciphersuite_info; 03089 int ret; 03090 03091 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03092 03093 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03094 { 03095 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03096 return( ret ); 03097 } 03098 03099 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03100 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03101 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03102 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03103 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03104 { 03105 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03106 ssl->state++; 03107 return( 0 ); 03108 } 03109 03110 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03111 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03112 } 03113 #else 03114 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03115 { 03116 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03117 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03118 ssl->transform_negotiate->ciphersuite_info; 03119 size_t n = 0, offset = 0; 03120 unsigned char hash[48]; 03121 unsigned char *hash_start = hash; 03122 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 03123 unsigned int hashlen; 03124 03125 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03126 03127 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03128 { 03129 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03130 return( ret ); 03131 } 03132 03133 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03134 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03135 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03136 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03137 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03138 { 03139 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03140 ssl->state++; 03141 return( 0 ); 03142 } 03143 03144 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 03145 { 03146 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03147 ssl->state++; 03148 return( 0 ); 03149 } 03150 03151 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03152 { 03153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 03154 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03155 } 03156 03157 /* 03158 * Make an RSA signature of the handshake digests 03159 */ 03160 ssl->handshake->calc_verify( ssl, hash ); 03161 03162 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03163 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03164 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03165 { 03166 /* 03167 * digitally-signed struct { 03168 * opaque md5_hash[16]; 03169 * opaque sha_hash[20]; 03170 * }; 03171 * 03172 * md5_hash 03173 * MD5(handshake_messages); 03174 * 03175 * sha_hash 03176 * SHA(handshake_messages); 03177 */ 03178 hashlen = 36; 03179 md_alg = MBEDTLS_MD_NONE; 03180 03181 /* 03182 * For ECDSA, default hash is SHA-1 only 03183 */ 03184 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 03185 { 03186 hash_start += 16; 03187 hashlen -= 16; 03188 md_alg = MBEDTLS_MD_SHA1; 03189 } 03190 } 03191 else 03192 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03193 MBEDTLS_SSL_PROTO_TLS1_1 */ 03194 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03195 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03196 { 03197 /* 03198 * digitally-signed struct { 03199 * opaque handshake_messages[handshake_messages_length]; 03200 * }; 03201 * 03202 * Taking shortcut here. We assume that the server always allows the 03203 * PRF Hash function and has sent it in the allowed signature 03204 * algorithms list received in the Certificate Request message. 03205 * 03206 * Until we encounter a server that does not, we will take this 03207 * shortcut. 03208 * 03209 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 03210 * in order to satisfy 'weird' needs from the server side. 03211 */ 03212 if( ssl->transform_negotiate->ciphersuite_info->mac == 03213 MBEDTLS_MD_SHA384 ) 03214 { 03215 md_alg = MBEDTLS_MD_SHA384; 03216 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 03217 } 03218 else 03219 { 03220 md_alg = MBEDTLS_MD_SHA256; 03221 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 03222 } 03223 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 03224 03225 /* Info from md_alg will be used instead */ 03226 hashlen = 0; 03227 offset = 2; 03228 } 03229 else 03230 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03231 { 03232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03233 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03234 } 03235 03236 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 03237 ssl->out_msg + 6 + offset, &n, 03238 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03239 { 03240 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03241 return( ret ); 03242 } 03243 03244 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 03245 ssl->out_msg[5 + offset] = (unsigned char)( n ); 03246 03247 ssl->out_msglen = 6 + n + offset; 03248 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03249 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 03250 03251 ssl->state++; 03252 03253 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03254 { 03255 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03256 return( ret ); 03257 } 03258 03259 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 03260 03261 return( ret ); 03262 } 03263 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03264 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03265 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 03266 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 03267 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 03268 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03269 03270 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03271 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 03272 { 03273 int ret; 03274 uint32_t lifetime; 03275 size_t ticket_len; 03276 unsigned char *ticket; 03277 const unsigned char *msg; 03278 03279 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 03280 03281 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03282 { 03283 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03284 return( ret ); 03285 } 03286 03287 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03288 { 03289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03290 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03291 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 03292 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03293 } 03294 03295 /* 03296 * struct { 03297 * uint32 ticket_lifetime_hint; 03298 * opaque ticket<0..2^16-1>; 03299 * } NewSessionTicket; 03300 * 03301 * 0 . 3 ticket_lifetime_hint 03302 * 4 . 5 ticket_len (n) 03303 * 6 . 5+n ticket content 03304 */ 03305 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 03306 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 03307 { 03308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03309 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03310 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03311 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03312 } 03313 03314 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03315 03316 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | 03317 ( msg[2] << 8 ) | ( msg[3] ); 03318 03319 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 03320 03321 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 03322 { 03323 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03324 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03325 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03326 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03327 } 03328 03329 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 03330 03331 /* We're not waiting for a NewSessionTicket message any more */ 03332 ssl->handshake->new_session_ticket = 0; 03333 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 03334 03335 /* 03336 * Zero-length ticket means the server changed his mind and doesn't want 03337 * to send a ticket after all, so just forget it 03338 */ 03339 if( ticket_len == 0 ) 03340 return( 0 ); 03341 03342 mbedtls_platform_zeroize( ssl->session_negotiate->ticket, 03343 ssl->session_negotiate->ticket_len ); 03344 mbedtls_free( ssl->session_negotiate->ticket ); 03345 ssl->session_negotiate->ticket = NULL; 03346 ssl->session_negotiate->ticket_len = 0; 03347 03348 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 03349 { 03350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 03351 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03352 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 03353 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03354 } 03355 03356 memcpy( ticket, msg + 6, ticket_len ); 03357 03358 ssl->session_negotiate->ticket = ticket; 03359 ssl->session_negotiate->ticket_len = ticket_len; 03360 ssl->session_negotiate->ticket_lifetime = lifetime; 03361 03362 /* 03363 * RFC 5077 section 3.4: 03364 * "If the client receives a session ticket from the server, then it 03365 * discards any Session ID that was sent in the ServerHello." 03366 */ 03367 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 03368 ssl->session_negotiate->id_len = 0; 03369 03370 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 03371 03372 return( 0 ); 03373 } 03374 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03375 03376 /* 03377 * SSL handshake -- client side -- single step 03378 */ 03379 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 03380 { 03381 int ret = 0; 03382 03383 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03384 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03385 03386 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 03387 03388 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03389 return( ret ); 03390 03391 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03392 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03393 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03394 { 03395 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03396 return( ret ); 03397 } 03398 #endif 03399 03400 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 03401 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 03402 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03403 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 03404 ssl->handshake->new_session_ticket != 0 ) 03405 { 03406 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 03407 } 03408 #endif 03409 03410 switch( ssl->state ) 03411 { 03412 case MBEDTLS_SSL_HELLO_REQUEST: 03413 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03414 break; 03415 03416 /* 03417 * ==> ClientHello 03418 */ 03419 case MBEDTLS_SSL_CLIENT_HELLO: 03420 ret = ssl_write_client_hello( ssl ); 03421 break; 03422 03423 /* 03424 * <== ServerHello 03425 * Certificate 03426 * ( ServerKeyExchange ) 03427 * ( CertificateRequest ) 03428 * ServerHelloDone 03429 */ 03430 case MBEDTLS_SSL_SERVER_HELLO: 03431 ret = ssl_parse_server_hello( ssl ); 03432 break; 03433 03434 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03435 ret = mbedtls_ssl_parse_certificate( ssl ); 03436 break; 03437 03438 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03439 ret = ssl_parse_server_key_exchange( ssl ); 03440 break; 03441 03442 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03443 ret = ssl_parse_certificate_request( ssl ); 03444 break; 03445 03446 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03447 ret = ssl_parse_server_hello_done( ssl ); 03448 break; 03449 03450 /* 03451 * ==> ( Certificate/Alert ) 03452 * ClientKeyExchange 03453 * ( CertificateVerify ) 03454 * ChangeCipherSpec 03455 * Finished 03456 */ 03457 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03458 ret = mbedtls_ssl_write_certificate( ssl ); 03459 break; 03460 03461 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03462 ret = ssl_write_client_key_exchange( ssl ); 03463 break; 03464 03465 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03466 ret = ssl_write_certificate_verify( ssl ); 03467 break; 03468 03469 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03470 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 03471 break; 03472 03473 case MBEDTLS_SSL_CLIENT_FINISHED: 03474 ret = mbedtls_ssl_write_finished( ssl ); 03475 break; 03476 03477 /* 03478 * <== ( NewSessionTicket ) 03479 * ChangeCipherSpec 03480 * Finished 03481 */ 03482 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03483 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 03484 ret = ssl_parse_new_session_ticket( ssl ); 03485 break; 03486 #endif 03487 03488 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 03489 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 03490 break; 03491 03492 case MBEDTLS_SSL_SERVER_FINISHED: 03493 ret = mbedtls_ssl_parse_finished( ssl ); 03494 break; 03495 03496 case MBEDTLS_SSL_FLUSH_BUFFERS: 03497 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03498 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 03499 break; 03500 03501 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 03502 mbedtls_ssl_handshake_wrapup( ssl ); 03503 break; 03504 03505 default: 03506 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03507 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03508 } 03509 03510 return( ret ); 03511 } 03512 #endif /* MBEDTLS_SSL_CLI_C */
Generated on Tue Jul 12 2022 12:45:48 by
1.7.2