Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
ssl_srv.c
00001 /* 00002 * SSLv3/TLSv1 server-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_SRV_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 #include "mbedtls/platform_util.h" 00042 00043 #include <string.h> 00044 00045 #if defined(MBEDTLS_ECP_C) 00046 #include "mbedtls/ecp.h" 00047 #endif 00048 00049 #if defined(MBEDTLS_HAVE_TIME) 00050 #include "mbedtls/platform_time.h" 00051 #endif 00052 00053 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 00054 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, 00055 const unsigned char *info, 00056 size_t ilen ) 00057 { 00058 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) 00059 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00060 00061 mbedtls_free( ssl->cli_id ); 00062 00063 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL ) 00064 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00065 00066 memcpy( ssl->cli_id, info, ilen ); 00067 ssl->cli_id_len = ilen; 00068 00069 return( 0 ); 00070 } 00071 00072 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf, 00073 mbedtls_ssl_cookie_write_t *f_cookie_write, 00074 mbedtls_ssl_cookie_check_t *f_cookie_check, 00075 void *p_cookie ) 00076 { 00077 conf->f_cookie_write = f_cookie_write; 00078 conf->f_cookie_check = f_cookie_check; 00079 conf->p_cookie = p_cookie; 00080 } 00081 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 00082 00083 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00084 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, 00085 const unsigned char *buf, 00086 size_t len ) 00087 { 00088 int ret; 00089 size_t servername_list_size, hostname_len; 00090 const unsigned char *p; 00091 00092 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); 00093 00094 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00095 if( servername_list_size + 2 != len ) 00096 { 00097 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00098 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00099 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00100 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00101 } 00102 00103 p = buf + 2; 00104 while( servername_list_size > 0 ) 00105 { 00106 hostname_len = ( ( p[1] << 8 ) | p[2] ); 00107 if( hostname_len + 3 > servername_list_size ) 00108 { 00109 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00110 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00111 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00112 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00113 } 00114 00115 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) 00116 { 00117 ret = ssl->conf->f_sni( ssl->conf->p_sni, 00118 ssl, p + 3, hostname_len ); 00119 if( ret != 0 ) 00120 { 00121 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); 00122 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00123 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); 00124 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00125 } 00126 return( 0 ); 00127 } 00128 00129 servername_list_size -= hostname_len + 3; 00130 p += hostname_len + 3; 00131 } 00132 00133 if( servername_list_size != 0 ) 00134 { 00135 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00136 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00137 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00138 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00139 } 00140 00141 return( 0 ); 00142 } 00143 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00144 00145 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 00146 const unsigned char *buf, 00147 size_t len ) 00148 { 00149 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00150 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00151 { 00152 /* Check verify-data in constant-time. The length OTOH is no secret */ 00153 if( len != 1 + ssl->verify_data_len || 00154 buf[0] != ssl->verify_data_len || 00155 mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data, 00156 ssl->verify_data_len ) != 0 ) 00157 { 00158 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 00159 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00160 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00161 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00162 } 00163 } 00164 else 00165 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00166 { 00167 if( len != 1 || buf[0] != 0x0 ) 00168 { 00169 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 00170 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00171 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00172 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00173 } 00174 00175 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 00176 } 00177 00178 return( 0 ); 00179 } 00180 00181 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00182 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00183 00184 /* 00185 * Status of the implementation of signature-algorithms extension: 00186 * 00187 * Currently, we are only considering the signature-algorithm extension 00188 * to pick a ciphersuite which allows us to send the ServerKeyExchange 00189 * message with a signature-hash combination that the user allows. 00190 * 00191 * We do *not* check whether all certificates in our certificate 00192 * chain are signed with an allowed signature-hash pair. 00193 * This needs to be done at a later stage. 00194 * 00195 */ 00196 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00197 const unsigned char *buf, 00198 size_t len ) 00199 { 00200 size_t sig_alg_list_size; 00201 00202 const unsigned char *p; 00203 const unsigned char *end = buf + len; 00204 00205 mbedtls_md_type_t md_cur; 00206 mbedtls_pk_type_t sig_cur; 00207 00208 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00209 if( sig_alg_list_size + 2 != len || 00210 sig_alg_list_size % 2 != 0 ) 00211 { 00212 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00213 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00214 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00215 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00216 } 00217 00218 /* Currently we only guarantee signing the ServerKeyExchange message according 00219 * to the constraints specified in this extension (see above), so it suffices 00220 * to remember only one suitable hash for each possible signature algorithm. 00221 * 00222 * This will change when we also consider certificate signatures, 00223 * in which case we will need to remember the whole signature-hash 00224 * pair list from the extension. 00225 */ 00226 00227 for( p = buf + 2; p < end; p += 2 ) 00228 { 00229 /* Silently ignore unknown signature or hash algorithms. */ 00230 00231 if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE ) 00232 { 00233 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext" 00234 " unknown sig alg encoding %d", p[1] ) ); 00235 continue; 00236 } 00237 00238 /* Check if we support the hash the user proposes */ 00239 md_cur = mbedtls_ssl_md_alg_from_hash( p[0] ); 00240 if( md_cur == MBEDTLS_MD_NONE ) 00241 { 00242 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" 00243 " unknown hash alg encoding %d", p[0] ) ); 00244 continue; 00245 } 00246 00247 if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 ) 00248 { 00249 mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur ); 00250 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" 00251 " match sig %d and hash %d", 00252 sig_cur, md_cur ) ); 00253 } 00254 else 00255 { 00256 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: " 00257 "hash alg %d not supported", md_cur ) ); 00258 } 00259 } 00260 00261 return( 0 ); 00262 } 00263 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00264 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00265 00266 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00267 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00268 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, 00269 const unsigned char *buf, 00270 size_t len ) 00271 { 00272 size_t list_size, our_size; 00273 const unsigned char *p; 00274 const mbedtls_ecp_curve_info *curve_info, **curves; 00275 00276 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00277 if( list_size + 2 != len || 00278 list_size % 2 != 0 ) 00279 { 00280 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00281 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00282 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00283 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00284 } 00285 00286 /* Should never happen unless client duplicates the extension */ 00287 if( ssl->handshake->curves != NULL ) 00288 { 00289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00290 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00291 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00292 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00293 } 00294 00295 /* Don't allow our peer to make us allocate too much memory, 00296 * and leave room for a final 0 */ 00297 our_size = list_size / 2 + 1; 00298 if( our_size > MBEDTLS_ECP_DP_MAX ) 00299 our_size = MBEDTLS_ECP_DP_MAX; 00300 00301 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL ) 00302 { 00303 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00304 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 00305 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00306 } 00307 00308 ssl->handshake->curves = curves; 00309 00310 p = buf + 2; 00311 while( list_size > 0 && our_size > 1 ) 00312 { 00313 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); 00314 00315 if( curve_info != NULL ) 00316 { 00317 *curves++ = curve_info; 00318 our_size--; 00319 } 00320 00321 list_size -= 2; 00322 p += 2; 00323 } 00324 00325 return( 0 ); 00326 } 00327 00328 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, 00329 const unsigned char *buf, 00330 size_t len ) 00331 { 00332 size_t list_size; 00333 const unsigned char *p; 00334 00335 list_size = buf[0]; 00336 if( list_size + 1 != len ) 00337 { 00338 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00339 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00340 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00341 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00342 } 00343 00344 p = buf + 1; 00345 while( list_size > 0 ) 00346 { 00347 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 00348 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 00349 { 00350 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00351 ssl->handshake->ecdh_ctx.point_format = p[0]; 00352 #endif 00353 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00354 ssl->handshake->ecjpake_ctx.point_format = p[0]; 00355 #endif 00356 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 00357 return( 0 ); 00358 } 00359 00360 list_size--; 00361 p++; 00362 } 00363 00364 return( 0 ); 00365 } 00366 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00367 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00368 00369 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00370 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 00371 const unsigned char *buf, 00372 size_t len ) 00373 { 00374 int ret; 00375 00376 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00377 { 00378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 00379 return( 0 ); 00380 } 00381 00382 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 00383 buf, len ) ) != 0 ) 00384 { 00385 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 00386 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00387 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00388 return( ret ); 00389 } 00390 00391 /* Only mark the extension as OK when we're sure it is */ 00392 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; 00393 00394 return( 0 ); 00395 } 00396 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00397 00398 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00399 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00400 const unsigned char *buf, 00401 size_t len ) 00402 { 00403 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ) 00404 { 00405 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00406 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00407 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00408 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00409 } 00410 00411 ssl->session_negotiate->mfl_code = buf[0]; 00412 00413 return( 0 ); 00414 } 00415 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00416 00417 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00418 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00419 const unsigned char *buf, 00420 size_t len ) 00421 { 00422 if( len != 0 ) 00423 { 00424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00425 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00426 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00427 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00428 } 00429 00430 ((void) buf); 00431 00432 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00433 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 00434 00435 return( 0 ); 00436 } 00437 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00438 00439 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00440 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00441 const unsigned char *buf, 00442 size_t len ) 00443 { 00444 if( len != 0 ) 00445 { 00446 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00447 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00448 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00449 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00450 } 00451 00452 ((void) buf); 00453 00454 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && 00455 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00456 { 00457 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 00458 } 00459 00460 return( 0 ); 00461 } 00462 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00463 00464 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00465 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 00466 const unsigned char *buf, 00467 size_t len ) 00468 { 00469 if( len != 0 ) 00470 { 00471 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00472 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00473 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00474 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00475 } 00476 00477 ((void) buf); 00478 00479 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && 00480 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00481 { 00482 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 00483 } 00484 00485 return( 0 ); 00486 } 00487 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00488 00489 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00490 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 00491 unsigned char *buf, 00492 size_t len ) 00493 { 00494 int ret; 00495 mbedtls_ssl_session session; 00496 00497 mbedtls_ssl_session_init( &session ); 00498 00499 if( ssl->conf->f_ticket_parse == NULL || 00500 ssl->conf->f_ticket_write == NULL ) 00501 { 00502 return( 0 ); 00503 } 00504 00505 /* Remember the client asked us to send a new ticket */ 00506 ssl->handshake->new_session_ticket = 1; 00507 00508 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); 00509 00510 if( len == 0 ) 00511 return( 0 ); 00512 00513 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00514 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00515 { 00516 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); 00517 return( 0 ); 00518 } 00519 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00520 00521 /* 00522 * Failures are ok: just ignore the ticket and proceed. 00523 */ 00524 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session, 00525 buf, len ) ) != 0 ) 00526 { 00527 mbedtls_ssl_session_free( &session ); 00528 00529 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 00530 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); 00531 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) 00532 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); 00533 else 00534 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); 00535 00536 return( 0 ); 00537 } 00538 00539 /* 00540 * Keep the session ID sent by the client, since we MUST send it back to 00541 * inform them we're accepting the ticket (RFC 5077 section 3.4) 00542 */ 00543 session.id_len = ssl->session_negotiate->id_len; 00544 memcpy( &session.id, ssl->session_negotiate->id, session.id_len ); 00545 00546 mbedtls_ssl_session_free( ssl->session_negotiate ); 00547 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) ); 00548 00549 /* Zeroize instead of free as we copied the content */ 00550 mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) ); 00551 00552 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); 00553 00554 ssl->handshake->resume = 1; 00555 00556 /* Don't send a new ticket after all, this one is OK */ 00557 ssl->handshake->new_session_ticket = 0; 00558 00559 return( 0 ); 00560 } 00561 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00562 00563 #if defined(MBEDTLS_SSL_ALPN) 00564 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 00565 const unsigned char *buf, size_t len ) 00566 { 00567 size_t list_len, cur_len, ours_len; 00568 const unsigned char *theirs, *start, *end; 00569 const char **ours; 00570 00571 /* If ALPN not configured, just ignore the extension */ 00572 if( ssl->conf->alpn_list == NULL ) 00573 return( 0 ); 00574 00575 /* 00576 * opaque ProtocolName<1..2^8-1>; 00577 * 00578 * struct { 00579 * ProtocolName protocol_name_list<2..2^16-1> 00580 * } ProtocolNameList; 00581 */ 00582 00583 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 00584 if( len < 4 ) 00585 { 00586 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00587 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00588 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00589 } 00590 00591 list_len = ( buf[0] << 8 ) | buf[1]; 00592 if( list_len != len - 2 ) 00593 { 00594 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00595 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00596 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00597 } 00598 00599 /* 00600 * Validate peer's list (lengths) 00601 */ 00602 start = buf + 2; 00603 end = buf + len; 00604 for( theirs = start; theirs != end; theirs += cur_len ) 00605 { 00606 cur_len = *theirs++; 00607 00608 /* Current identifier must fit in list */ 00609 if( cur_len > (size_t)( end - theirs ) ) 00610 { 00611 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00612 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00613 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00614 } 00615 00616 /* Empty strings MUST NOT be included */ 00617 if( cur_len == 0 ) 00618 { 00619 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00620 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00621 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00622 } 00623 } 00624 00625 /* 00626 * Use our order of preference 00627 */ 00628 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) 00629 { 00630 ours_len = strlen( *ours ); 00631 for( theirs = start; theirs != end; theirs += cur_len ) 00632 { 00633 cur_len = *theirs++; 00634 00635 if( cur_len == ours_len && 00636 memcmp( theirs, *ours, cur_len ) == 0 ) 00637 { 00638 ssl->alpn_chosen = *ours; 00639 return( 0 ); 00640 } 00641 } 00642 } 00643 00644 /* If we get there, no match was found */ 00645 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00646 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); 00647 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00648 } 00649 #endif /* MBEDTLS_SSL_ALPN */ 00650 00651 /* 00652 * Auxiliary functions for ServerHello parsing and related actions 00653 */ 00654 00655 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00656 /* 00657 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise 00658 */ 00659 #if defined(MBEDTLS_ECDSA_C) 00660 static int ssl_check_key_curve( mbedtls_pk_context *pk, 00661 const mbedtls_ecp_curve_info **curves ) 00662 { 00663 const mbedtls_ecp_curve_info **crv = curves; 00664 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp .id ; 00665 00666 while( *crv != NULL ) 00667 { 00668 if( (*crv)->grp_id == grp_id ) 00669 return( 0 ); 00670 crv++; 00671 } 00672 00673 return( -1 ); 00674 } 00675 #endif /* MBEDTLS_ECDSA_C */ 00676 00677 /* 00678 * Try picking a certificate for this ciphersuite, 00679 * return 0 on success and -1 on failure. 00680 */ 00681 static int ssl_pick_cert( mbedtls_ssl_context *ssl, 00682 const mbedtls_ssl_ciphersuite_t * ciphersuite_info ) 00683 { 00684 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; 00685 mbedtls_pk_type_t pk_alg = 00686 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 00687 uint32_t flags; 00688 00689 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00690 if( ssl->handshake->sni_key_cert != NULL ) 00691 list = ssl->handshake->sni_key_cert; 00692 else 00693 #endif 00694 list = ssl->conf->key_cert; 00695 00696 if( pk_alg == MBEDTLS_PK_NONE ) 00697 return( 0 ); 00698 00699 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); 00700 00701 if( list == NULL ) 00702 { 00703 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) ); 00704 return( -1 ); 00705 } 00706 00707 for( cur = list; cur != NULL; cur = cur->next ) 00708 { 00709 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", 00710 cur->cert ); 00711 00712 if( ! mbedtls_pk_can_do( cur->key, pk_alg ) ) 00713 { 00714 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); 00715 continue; 00716 } 00717 00718 /* 00719 * This avoids sending the client a cert it'll reject based on 00720 * keyUsage or other extensions. 00721 * 00722 * It also allows the user to provision different certificates for 00723 * different uses based on keyUsage, eg if they want to avoid signing 00724 * and decrypting with the same RSA key. 00725 */ 00726 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info, 00727 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 ) 00728 { 00729 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: " 00730 "(extended) key usage extension" ) ); 00731 continue; 00732 } 00733 00734 #if defined(MBEDTLS_ECDSA_C) 00735 if( pk_alg == MBEDTLS_PK_ECDSA && 00736 ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 ) 00737 { 00738 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); 00739 continue; 00740 } 00741 #endif 00742 00743 /* 00744 * Try to select a SHA-1 certificate for pre-1.2 clients, but still 00745 * present them a SHA-higher cert rather than failing if it's the only 00746 * one we got that satisfies the other conditions. 00747 */ 00748 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 && 00749 cur->cert->sig_md != MBEDTLS_MD_SHA1 ) 00750 { 00751 if( fallback == NULL ) 00752 fallback = cur; 00753 { 00754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: " 00755 "sha-2 with pre-TLS 1.2 client" ) ); 00756 continue; 00757 } 00758 } 00759 00760 /* If we get there, we got a winner */ 00761 break; 00762 } 00763 00764 if( cur == NULL ) 00765 cur = fallback; 00766 00767 /* Do not update ssl->handshake->key_cert unless there is a match */ 00768 if( cur != NULL ) 00769 { 00770 ssl->handshake->key_cert = cur; 00771 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate", 00772 ssl->handshake->key_cert->cert ); 00773 return( 0 ); 00774 } 00775 00776 return( -1 ); 00777 } 00778 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00779 00780 /* 00781 * Check if a given ciphersuite is suitable for use with our config/keys/etc 00782 * Sets ciphersuite_info only if the suite matches. 00783 */ 00784 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, 00785 const mbedtls_ssl_ciphersuite_t **ciphersuite_info ) 00786 { 00787 const mbedtls_ssl_ciphersuite_t *suite_info; 00788 00789 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00790 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00791 mbedtls_pk_type_t sig_type; 00792 #endif 00793 00794 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id ); 00795 if( suite_info == NULL ) 00796 { 00797 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00798 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00799 } 00800 00801 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); 00802 00803 if( suite_info->min_minor_ver > ssl->minor_ver || 00804 suite_info->max_minor_ver < ssl->minor_ver ) 00805 { 00806 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); 00807 return( 0 ); 00808 } 00809 00810 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00811 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00812 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00813 return( 0 ); 00814 #endif 00815 00816 #if defined(MBEDTLS_ARC4_C) 00817 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00818 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00819 { 00820 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); 00821 return( 0 ); 00822 } 00823 #endif 00824 00825 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00826 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00827 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 ) 00828 { 00829 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake " 00830 "not configured or ext missing" ) ); 00831 return( 0 ); 00832 } 00833 #endif 00834 00835 00836 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00837 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && 00838 ( ssl->handshake->curves == NULL || 00839 ssl->handshake->curves[0] == NULL ) ) 00840 { 00841 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00842 "no common elliptic curve" ) ); 00843 return( 0 ); 00844 } 00845 #endif 00846 00847 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 00848 /* If the ciphersuite requires a pre-shared key and we don't 00849 * have one, skip it now rather than failing later */ 00850 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && 00851 ssl->conf->f_psk == NULL && 00852 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || 00853 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) 00854 { 00855 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); 00856 return( 0 ); 00857 } 00858 #endif 00859 00860 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00861 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00862 /* If the ciphersuite requires signing, check whether 00863 * a suitable hash algorithm is present. */ 00864 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00865 { 00866 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info ); 00867 if( sig_type != MBEDTLS_PK_NONE && 00868 mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE ) 00869 { 00870 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm " 00871 "for signature algorithm %d", sig_type ) ); 00872 return( 0 ); 00873 } 00874 } 00875 00876 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00877 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00878 00879 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00880 /* 00881 * Final check: if ciphersuite requires us to have a 00882 * certificate/key of a particular type: 00883 * - select the appropriate certificate if we have one, or 00884 * - try the next ciphersuite if we don't 00885 * This must be done last since we modify the key_cert list. 00886 */ 00887 if( ssl_pick_cert( ssl, suite_info ) != 0 ) 00888 { 00889 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00890 "no suitable certificate" ) ); 00891 return( 0 ); 00892 } 00893 #endif 00894 00895 *ciphersuite_info = suite_info; 00896 return( 0 ); 00897 } 00898 00899 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 00900 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) 00901 { 00902 int ret, got_common_suite; 00903 unsigned int i, j; 00904 size_t n; 00905 unsigned int ciph_len, sess_len, chal_len; 00906 unsigned char *buf, *p; 00907 const int *ciphersuites; 00908 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00909 00910 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); 00911 00912 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00913 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00914 { 00915 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); 00916 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00917 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00918 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00919 } 00920 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00921 00922 buf = ssl->in_hdr; 00923 00924 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 00925 00926 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", 00927 buf[2] ) ); 00928 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", 00929 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); 00930 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", 00931 buf[3], buf[4] ) ); 00932 00933 /* 00934 * SSLv2 Client Hello 00935 * 00936 * Record layer: 00937 * 0 . 1 message length 00938 * 00939 * SSL layer: 00940 * 2 . 2 message type 00941 * 3 . 4 protocol version 00942 */ 00943 if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO || 00944 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 ) 00945 { 00946 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00947 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00948 } 00949 00950 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; 00951 00952 if( n < 17 || n > 512 ) 00953 { 00954 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00955 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00956 } 00957 00958 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 00959 ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver ) 00960 ? buf[4] : ssl->conf->max_minor_ver; 00961 00962 if( ssl->minor_ver < ssl->conf->min_minor_ver ) 00963 { 00964 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 00965 " [%d:%d] < [%d:%d]", 00966 ssl->major_ver, ssl->minor_ver, 00967 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 00968 00969 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00970 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 00971 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 00972 } 00973 00974 ssl->handshake->max_major_ver = buf[3]; 00975 ssl->handshake->max_minor_ver = buf[4]; 00976 00977 if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 ) 00978 { 00979 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 00980 return( ret ); 00981 } 00982 00983 ssl->handshake->update_checksum( ssl, buf + 2, n ); 00984 00985 buf = ssl->in_msg; 00986 n = ssl->in_left - 5; 00987 00988 /* 00989 * 0 . 1 ciphersuitelist length 00990 * 2 . 3 session id length 00991 * 4 . 5 challenge length 00992 * 6 . .. ciphersuitelist 00993 * .. . .. session id 00994 * .. . .. challenge 00995 */ 00996 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n ); 00997 00998 ciph_len = ( buf[0] << 8 ) | buf[1]; 00999 sess_len = ( buf[2] << 8 ) | buf[3]; 01000 chal_len = ( buf[4] << 8 ) | buf[5]; 01001 01002 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", 01003 ciph_len, sess_len, chal_len ) ); 01004 01005 /* 01006 * Make sure each parameter length is valid 01007 */ 01008 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) 01009 { 01010 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01011 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01012 } 01013 01014 if( sess_len > 32 ) 01015 { 01016 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01017 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01018 } 01019 01020 if( chal_len < 8 || chal_len > 32 ) 01021 { 01022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01023 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01024 } 01025 01026 if( n != 6 + ciph_len + sess_len + chal_len ) 01027 { 01028 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01029 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01030 } 01031 01032 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01033 buf + 6, ciph_len ); 01034 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", 01035 buf + 6 + ciph_len, sess_len ); 01036 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge", 01037 buf + 6 + ciph_len + sess_len, chal_len ); 01038 01039 p = buf + 6 + ciph_len; 01040 ssl->session_negotiate->id_len = sess_len; 01041 memset( ssl->session_negotiate->id, 0, 01042 sizeof( ssl->session_negotiate->id ) ); 01043 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len ); 01044 01045 p += sess_len; 01046 memset( ssl->handshake->randbytes, 0, 64 ); 01047 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ); 01048 01049 /* 01050 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01051 */ 01052 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01053 { 01054 if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 01055 { 01056 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01057 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01058 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01059 { 01060 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 01061 "during renegotiation" ) ); 01062 01063 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01064 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01065 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01066 } 01067 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01068 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01069 break; 01070 } 01071 } 01072 01073 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01074 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01075 { 01076 if( p[0] == 0 && 01077 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 01078 p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 01079 { 01080 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); 01081 01082 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 01083 { 01084 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01085 01086 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01087 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01088 01089 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01090 } 01091 01092 break; 01093 } 01094 } 01095 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01096 01097 got_common_suite = 0; 01098 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01099 ciphersuite_info = NULL; 01100 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01101 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01102 for( i = 0; ciphersuites[i] != 0; i++ ) 01103 #else 01104 for( i = 0; ciphersuites[i] != 0; i++ ) 01105 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01106 #endif 01107 { 01108 if( p[0] != 0 || 01109 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01110 p[2] != ( ( ciphersuites[i] ) & 0xFF ) ) 01111 continue; 01112 01113 got_common_suite = 1; 01114 01115 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01116 &ciphersuite_info ) ) != 0 ) 01117 return( ret ); 01118 01119 if( ciphersuite_info != NULL ) 01120 goto have_ciphersuite_v2; 01121 } 01122 01123 if( got_common_suite ) 01124 { 01125 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01126 "but none of them usable" ) ); 01127 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01128 } 01129 else 01130 { 01131 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01132 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 01133 } 01134 01135 have_ciphersuite_v2: 01136 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01137 01138 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01139 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01140 01141 /* 01142 * SSLv2 Client Hello relevant renegotiation security checks 01143 */ 01144 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01145 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01146 { 01147 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01148 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01149 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01150 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01151 } 01152 01153 ssl->in_left = 0; 01154 ssl->state++; 01155 01156 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) ); 01157 01158 return( 0 ); 01159 } 01160 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ 01161 01162 /* This function doesn't alert on errors that happen early during 01163 ClientHello parsing because they might indicate that the client is 01164 not talking SSL/TLS at all and would not understand our alert. */ 01165 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) 01166 { 01167 int ret, got_common_suite; 01168 size_t i, j; 01169 size_t ciph_offset, comp_offset, ext_offset; 01170 size_t msg_len, ciph_len, sess_len, comp_len, ext_len; 01171 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01172 size_t cookie_offset, cookie_len; 01173 #endif 01174 unsigned char *buf, *p, *ext; 01175 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01176 int renegotiation_info_seen = 0; 01177 #endif 01178 int handshake_failure = 0; 01179 const int *ciphersuites; 01180 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 01181 int major, minor; 01182 01183 /* If there is no signature-algorithm extension present, 01184 * we need to fall back to the default values for allowed 01185 * signature-hash pairs. */ 01186 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01187 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01188 int sig_hash_alg_ext_present = 0; 01189 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01190 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01191 01192 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); 01193 01194 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01195 read_record_header: 01196 #endif 01197 /* 01198 * If renegotiating, then the input was read with mbedtls_ssl_read_record(), 01199 * otherwise read it ourselves manually in order to support SSLv2 01200 * ClientHello, which doesn't use the same record layer format. 01201 */ 01202 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01203 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01204 #endif 01205 { 01206 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) 01207 { 01208 /* No alert on a read error. */ 01209 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01210 return( ret ); 01211 } 01212 } 01213 01214 buf = ssl->in_hdr; 01215 01216 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 01217 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01218 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) 01219 #endif 01220 if( ( buf[0] & 0x80 ) != 0 ) 01221 return( ssl_parse_client_hello_v2( ssl ) ); 01222 #endif 01223 01224 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) ); 01225 01226 /* 01227 * SSLv3/TLS Client Hello 01228 * 01229 * Record layer: 01230 * 0 . 0 message type 01231 * 1 . 2 protocol version 01232 * 3 . 11 DTLS: epoch + record sequence number 01233 * 3 . 4 message length 01234 */ 01235 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", 01236 buf[0] ) ); 01237 01238 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE ) 01239 { 01240 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01241 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01242 } 01243 01244 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", 01245 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) ); 01246 01247 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]", 01248 buf[1], buf[2] ) ); 01249 01250 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 ); 01251 01252 /* According to RFC 5246 Appendix E.1, the version here is typically 01253 * "{03,00}, the lowest version number supported by the client, [or] the 01254 * value of ClientHello.client_version", so the only meaningful check here 01255 * is the major version shouldn't be less than 3 */ 01256 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 ) 01257 { 01258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01259 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01260 } 01261 01262 /* For DTLS if this is the initial handshake, remember the client sequence 01263 * number to use it in our next message (RFC 6347 4.2.1) */ 01264 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01265 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM 01266 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01267 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01268 #endif 01269 ) 01270 { 01271 /* Epoch should be 0 for initial handshakes */ 01272 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) 01273 { 01274 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01275 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01276 } 01277 01278 memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 ); 01279 01280 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01281 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 01282 { 01283 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) ); 01284 ssl->next_record_offset = 0; 01285 ssl->in_left = 0; 01286 goto read_record_header; 01287 } 01288 01289 /* No MAC to check yet, so we can update right now */ 01290 mbedtls_ssl_dtls_replay_update( ssl ); 01291 #endif 01292 } 01293 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01294 01295 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 01296 01297 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01298 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01299 { 01300 /* Set by mbedtls_ssl_read_record() */ 01301 msg_len = ssl->in_hslen; 01302 } 01303 else 01304 #endif 01305 { 01306 if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) 01307 { 01308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01309 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01310 } 01311 01312 if( ( ret = mbedtls_ssl_fetch_input( ssl, 01313 mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 ) 01314 { 01315 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01316 return( ret ); 01317 } 01318 01319 /* Done reading this record, get ready for the next one */ 01320 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01321 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01322 ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl ); 01323 else 01324 #endif 01325 ssl->in_left = 0; 01326 } 01327 01328 buf = ssl->in_msg; 01329 01330 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len ); 01331 01332 ssl->handshake->update_checksum( ssl, buf, msg_len ); 01333 01334 /* 01335 * Handshake layer: 01336 * 0 . 0 handshake type 01337 * 1 . 3 handshake length 01338 * 4 . 5 DTLS only: message seqence number 01339 * 6 . 8 DTLS only: fragment offset 01340 * 9 . 11 DTLS only: fragment length 01341 */ 01342 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) ) 01343 { 01344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01345 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01346 } 01347 01348 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) ); 01349 01350 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 01351 { 01352 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01353 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01354 } 01355 01356 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", 01357 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); 01358 01359 /* We don't support fragmentation of ClientHello (yet?) */ 01360 if( buf[1] != 0 || 01361 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) ) 01362 { 01363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01364 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01365 } 01366 01367 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01368 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01369 { 01370 /* 01371 * Copy the client's handshake message_seq on initial handshakes, 01372 * check sequence number on renego. 01373 */ 01374 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01375 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01376 { 01377 /* This couldn't be done in ssl_prepare_handshake_record() */ 01378 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01379 ssl->in_msg[5]; 01380 01381 if( cli_msg_seq != ssl->handshake->in_msg_seq ) 01382 { 01383 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: " 01384 "%d (expected %d)", cli_msg_seq, 01385 ssl->handshake->in_msg_seq ) ); 01386 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01387 } 01388 01389 ssl->handshake->in_msg_seq++; 01390 } 01391 else 01392 #endif 01393 { 01394 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01395 ssl->in_msg[5]; 01396 ssl->handshake->out_msg_seq = cli_msg_seq; 01397 ssl->handshake->in_msg_seq = cli_msg_seq + 1; 01398 } 01399 01400 /* 01401 * For now we don't support fragmentation, so make sure 01402 * fragment_offset == 0 and fragment_length == length 01403 */ 01404 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 || 01405 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 ) 01406 { 01407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) ); 01408 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01409 } 01410 } 01411 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01412 01413 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01414 msg_len -= mbedtls_ssl_hs_hdr_len( ssl ); 01415 01416 /* 01417 * ClientHello layer: 01418 * 0 . 1 protocol version 01419 * 2 . 33 random bytes (starting with 4 bytes of Unix time) 01420 * 34 . 35 session id length (1 byte) 01421 * 35 . 34+x session id 01422 * 35+x . 35+x DTLS only: cookie length (1 byte) 01423 * 36+x . .. DTLS only: cookie 01424 * .. . .. ciphersuite list length (2 bytes) 01425 * .. . .. ciphersuite list 01426 * .. . .. compression alg. list length (1 byte) 01427 * .. . .. compression alg. list 01428 * .. . .. extensions length (2 bytes, optional) 01429 * .. . .. extensions (optional) 01430 */ 01431 01432 /* 01433 * Minimal length (with everything empty and extensions ommitted) is 01434 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can 01435 * read at least up to session id length without worrying. 01436 */ 01437 if( msg_len < 38 ) 01438 { 01439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01440 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01441 } 01442 01443 /* 01444 * Check and save the protocol version 01445 */ 01446 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); 01447 01448 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01449 ssl->conf->transport, buf ); 01450 01451 ssl->handshake->max_major_ver = ssl->major_ver; 01452 ssl->handshake->max_minor_ver = ssl->minor_ver; 01453 01454 if( ssl->major_ver < ssl->conf->min_major_ver || 01455 ssl->minor_ver < ssl->conf->min_minor_ver ) 01456 { 01457 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 01458 " [%d:%d] < [%d:%d]", 01459 ssl->major_ver, ssl->minor_ver, 01460 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 01461 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01462 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01463 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01464 } 01465 01466 if( ssl->major_ver > ssl->conf->max_major_ver ) 01467 { 01468 ssl->major_ver = ssl->conf->max_major_ver; 01469 ssl->minor_ver = ssl->conf->max_minor_ver; 01470 } 01471 else if( ssl->minor_ver > ssl->conf->max_minor_ver ) 01472 ssl->minor_ver = ssl->conf->max_minor_ver; 01473 01474 /* 01475 * Save client random (inc. Unix time) 01476 */ 01477 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 ); 01478 01479 memcpy( ssl->handshake->randbytes, buf + 2, 32 ); 01480 01481 /* 01482 * Check the session ID length and save session ID 01483 */ 01484 sess_len = buf[34]; 01485 01486 if( sess_len > sizeof( ssl->session_negotiate->id ) || 01487 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */ 01488 { 01489 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01490 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01491 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01492 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01493 } 01494 01495 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len ); 01496 01497 ssl->session_negotiate->id_len = sess_len; 01498 memset( ssl->session_negotiate->id, 0, 01499 sizeof( ssl->session_negotiate->id ) ); 01500 memcpy( ssl->session_negotiate->id, buf + 35, 01501 ssl->session_negotiate->id_len ); 01502 01503 /* 01504 * Check the cookie length and content 01505 */ 01506 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01507 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01508 { 01509 cookie_offset = 35 + sess_len; 01510 cookie_len = buf[cookie_offset]; 01511 01512 if( cookie_offset + 1 + cookie_len + 2 > msg_len ) 01513 { 01514 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01515 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01516 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01517 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01518 } 01519 01520 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 01521 buf + cookie_offset + 1, cookie_len ); 01522 01523 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 01524 if( ssl->conf->f_cookie_check != NULL 01525 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01526 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01527 #endif 01528 ) 01529 { 01530 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, 01531 buf + cookie_offset + 1, cookie_len, 01532 ssl->cli_id, ssl->cli_id_len ) != 0 ) 01533 { 01534 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) ); 01535 ssl->handshake->verify_cookie_len = 1; 01536 } 01537 else 01538 { 01539 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) ); 01540 ssl->handshake->verify_cookie_len = 0; 01541 } 01542 } 01543 else 01544 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 01545 { 01546 /* We know we didn't send a cookie, so it should be empty */ 01547 if( cookie_len != 0 ) 01548 { 01549 /* This may be an attacker's probe, so don't send an alert */ 01550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01551 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01552 } 01553 01554 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) ); 01555 } 01556 01557 /* 01558 * Check the ciphersuitelist length (will be parsed later) 01559 */ 01560 ciph_offset = cookie_offset + 1 + cookie_len; 01561 } 01562 else 01563 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01564 ciph_offset = 35 + sess_len; 01565 01566 ciph_len = ( buf[ciph_offset + 0] << 8 ) 01567 | ( buf[ciph_offset + 1] ); 01568 01569 if( ciph_len < 2 || 01570 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ 01571 ( ciph_len % 2 ) != 0 ) 01572 { 01573 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01574 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01575 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01576 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01577 } 01578 01579 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01580 buf + ciph_offset + 2, ciph_len ); 01581 01582 /* 01583 * Check the compression algorithms length and pick one 01584 */ 01585 comp_offset = ciph_offset + 2 + ciph_len; 01586 01587 comp_len = buf[comp_offset]; 01588 01589 if( comp_len < 1 || 01590 comp_len > 16 || 01591 comp_len + comp_offset + 1 > msg_len ) 01592 { 01593 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01594 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01595 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01596 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01597 } 01598 01599 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", 01600 buf + comp_offset + 1, comp_len ); 01601 01602 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01603 #if defined(MBEDTLS_ZLIB_SUPPORT) 01604 for( i = 0; i < comp_len; ++i ) 01605 { 01606 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE ) 01607 { 01608 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE; 01609 break; 01610 } 01611 } 01612 #endif 01613 01614 /* See comments in ssl_write_client_hello() */ 01615 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01616 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01617 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01618 #endif 01619 01620 /* Do not parse the extensions if the protocol is SSLv3 */ 01621 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01622 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 01623 { 01624 #endif 01625 /* 01626 * Check the extension length 01627 */ 01628 ext_offset = comp_offset + 1 + comp_len; 01629 if( msg_len > ext_offset ) 01630 { 01631 if( msg_len < ext_offset + 2 ) 01632 { 01633 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01634 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01635 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01636 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01637 } 01638 01639 ext_len = ( buf[ext_offset + 0] << 8 ) 01640 | ( buf[ext_offset + 1] ); 01641 01642 if( ( ext_len > 0 && ext_len < 4 ) || 01643 msg_len != ext_offset + 2 + ext_len ) 01644 { 01645 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01646 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01647 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01648 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01649 } 01650 } 01651 else 01652 ext_len = 0; 01653 01654 ext = buf + ext_offset + 2; 01655 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); 01656 01657 while( ext_len != 0 ) 01658 { 01659 unsigned int ext_id = ( ( ext[0] << 8 ) 01660 | ( ext[1] ) ); 01661 unsigned int ext_size = ( ( ext[2] << 8 ) 01662 | ( ext[3] ) ); 01663 01664 if( ext_size + 4 > ext_len ) 01665 { 01666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01667 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01668 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01669 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01670 } 01671 switch( ext_id ) 01672 { 01673 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 01674 case MBEDTLS_TLS_EXT_SERVERNAME: 01675 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); 01676 if( ssl->conf->f_sni == NULL ) 01677 break; 01678 01679 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); 01680 if( ret != 0 ) 01681 return( ret ); 01682 break; 01683 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 01684 01685 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01686 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01687 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01688 renegotiation_info_seen = 1; 01689 #endif 01690 01691 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); 01692 if( ret != 0 ) 01693 return( ret ); 01694 break; 01695 01696 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01697 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01698 case MBEDTLS_TLS_EXT_SIG_ALG: 01699 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); 01700 01701 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); 01702 if( ret != 0 ) 01703 return( ret ); 01704 01705 sig_hash_alg_ext_present = 1; 01706 break; 01707 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01708 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01709 01710 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01711 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01712 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: 01713 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); 01714 01715 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); 01716 if( ret != 0 ) 01717 return( ret ); 01718 break; 01719 01720 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01721 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); 01722 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; 01723 01724 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); 01725 if( ret != 0 ) 01726 return( ret ); 01727 break; 01728 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01729 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01730 01731 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01732 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01733 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); 01734 01735 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); 01736 if( ret != 0 ) 01737 return( ret ); 01738 break; 01739 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01740 01741 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01742 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01743 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); 01744 01745 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); 01746 if( ret != 0 ) 01747 return( ret ); 01748 break; 01749 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01750 01751 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01752 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01753 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); 01754 01755 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); 01756 if( ret != 0 ) 01757 return( ret ); 01758 break; 01759 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01760 01761 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01762 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01763 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); 01764 01765 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); 01766 if( ret != 0 ) 01767 return( ret ); 01768 break; 01769 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01770 01771 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01772 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01773 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); 01774 01775 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); 01776 if( ret != 0 ) 01777 return( ret ); 01778 break; 01779 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01780 01781 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01782 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01783 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); 01784 01785 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); 01786 if( ret != 0 ) 01787 return( ret ); 01788 break; 01789 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01790 01791 #if defined(MBEDTLS_SSL_ALPN) 01792 case MBEDTLS_TLS_EXT_ALPN: 01793 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01794 01795 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); 01796 if( ret != 0 ) 01797 return( ret ); 01798 break; 01799 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01800 01801 default: 01802 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01803 ext_id ) ); 01804 } 01805 01806 ext_len -= 4 + ext_size; 01807 ext += 4 + ext_size; 01808 01809 if( ext_len > 0 && ext_len < 4 ) 01810 { 01811 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01812 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01813 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01814 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01815 } 01816 } 01817 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01818 } 01819 #endif 01820 01821 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01822 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) 01823 { 01824 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 01825 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 01826 { 01827 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) ); 01828 01829 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 01830 { 01831 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01832 01833 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01834 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01835 01836 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01837 } 01838 01839 break; 01840 } 01841 } 01842 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01843 01844 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01845 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01846 01847 /* 01848 * Try to fall back to default hash SHA1 if the client 01849 * hasn't provided any preferred signature-hash combinations. 01850 */ 01851 if( sig_hash_alg_ext_present == 0 ) 01852 { 01853 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1; 01854 01855 if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 ) 01856 md_default = MBEDTLS_MD_NONE; 01857 01858 mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default ); 01859 } 01860 01861 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01862 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01863 01864 /* 01865 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01866 */ 01867 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) 01868 { 01869 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 01870 { 01871 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01872 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01873 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01874 { 01875 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 01876 "during renegotiation" ) ); 01877 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01878 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01879 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01880 } 01881 #endif 01882 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01883 break; 01884 } 01885 } 01886 01887 /* 01888 * Renegotiation security checks 01889 */ 01890 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && 01891 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01892 { 01893 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01894 handshake_failure = 1; 01895 } 01896 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01897 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01898 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01899 renegotiation_info_seen == 0 ) 01900 { 01901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01902 handshake_failure = 1; 01903 } 01904 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01905 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01906 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01907 { 01908 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01909 handshake_failure = 1; 01910 } 01911 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01912 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01913 renegotiation_info_seen == 1 ) 01914 { 01915 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01916 handshake_failure = 1; 01917 } 01918 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01919 01920 if( handshake_failure == 1 ) 01921 { 01922 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01923 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01924 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01925 } 01926 01927 /* 01928 * Search for a matching ciphersuite 01929 * (At the end because we need information from the EC-based extensions 01930 * and certificate from the SNI callback triggered by the SNI extension.) 01931 */ 01932 got_common_suite = 0; 01933 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01934 ciphersuite_info = NULL; 01935 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01936 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 01937 for( i = 0; ciphersuites[i] != 0; i++ ) 01938 #else 01939 for( i = 0; ciphersuites[i] != 0; i++ ) 01940 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 01941 #endif 01942 { 01943 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01944 p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) 01945 continue; 01946 01947 got_common_suite = 1; 01948 01949 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01950 &ciphersuite_info ) ) != 0 ) 01951 return( ret ); 01952 01953 if( ciphersuite_info != NULL ) 01954 goto have_ciphersuite; 01955 } 01956 01957 if( got_common_suite ) 01958 { 01959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01960 "but none of them usable" ) ); 01961 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01962 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01963 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01964 } 01965 else 01966 { 01967 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01968 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01969 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01970 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 01971 } 01972 01973 have_ciphersuite: 01974 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01975 01976 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01977 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01978 01979 ssl->state++; 01980 01981 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01982 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01983 mbedtls_ssl_recv_flight_completed( ssl ); 01984 #endif 01985 01986 /* Debugging-only output for testsuite */ 01987 #if defined(MBEDTLS_DEBUG_C) && \ 01988 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01989 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01990 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 01991 { 01992 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info ); 01993 if( sig_alg != MBEDTLS_PK_NONE ) 01994 { 01995 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, 01996 sig_alg ); 01997 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", 01998 mbedtls_ssl_hash_from_md_alg( md_alg ) ) ); 01999 } 02000 else 02001 { 02002 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm " 02003 "%d - should not happen", sig_alg ) ); 02004 } 02005 } 02006 #endif 02007 02008 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); 02009 02010 return( 0 ); 02011 } 02012 02013 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 02014 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 02015 unsigned char *buf, 02016 size_t *olen ) 02017 { 02018 unsigned char *p = buf; 02019 02020 if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 02021 { 02022 *olen = 0; 02023 return; 02024 } 02025 02026 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); 02027 02028 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 02029 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 02030 02031 *p++ = 0x00; 02032 *p++ = 0x00; 02033 02034 *olen = 4; 02035 } 02036 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 02037 02038 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02039 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 02040 unsigned char *buf, 02041 size_t *olen ) 02042 { 02043 unsigned char *p = buf; 02044 const mbedtls_ssl_ciphersuite_t *suite = NULL; 02045 const mbedtls_cipher_info_t *cipher = NULL; 02046 02047 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 02048 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 02049 { 02050 *olen = 0; 02051 return; 02052 } 02053 02054 /* 02055 * RFC 7366: "If a server receives an encrypt-then-MAC request extension 02056 * from a client and then selects a stream or Authenticated Encryption 02057 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an 02058 * encrypt-then-MAC response extension back to the client." 02059 */ 02060 if( ( suite = mbedtls_ssl_ciphersuite_from_id( 02061 ssl->session_negotiate->ciphersuite ) ) == NULL || 02062 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL || 02063 cipher->mode != MBEDTLS_MODE_CBC ) 02064 { 02065 *olen = 0; 02066 return; 02067 } 02068 02069 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); 02070 02071 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 02072 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 02073 02074 *p++ = 0x00; 02075 *p++ = 0x00; 02076 02077 *olen = 4; 02078 } 02079 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 02080 02081 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02082 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 02083 unsigned char *buf, 02084 size_t *olen ) 02085 { 02086 unsigned char *p = buf; 02087 02088 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 02089 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 02090 { 02091 *olen = 0; 02092 return; 02093 } 02094 02095 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret " 02096 "extension" ) ); 02097 02098 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 02099 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 02100 02101 *p++ = 0x00; 02102 *p++ = 0x00; 02103 02104 *olen = 4; 02105 } 02106 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 02107 02108 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02109 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 02110 unsigned char *buf, 02111 size_t *olen ) 02112 { 02113 unsigned char *p = buf; 02114 02115 if( ssl->handshake->new_session_ticket == 0 ) 02116 { 02117 *olen = 0; 02118 return; 02119 } 02120 02121 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); 02122 02123 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 02124 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 02125 02126 *p++ = 0x00; 02127 *p++ = 0x00; 02128 02129 *olen = 4; 02130 } 02131 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02132 02133 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 02134 unsigned char *buf, 02135 size_t *olen ) 02136 { 02137 unsigned char *p = buf; 02138 02139 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION ) 02140 { 02141 *olen = 0; 02142 return; 02143 } 02144 02145 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); 02146 02147 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 02148 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 02149 02150 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02151 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 02152 { 02153 *p++ = 0x00; 02154 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; 02155 *p++ = ssl->verify_data_len * 2 & 0xFF; 02156 02157 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); 02158 p += ssl->verify_data_len; 02159 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 02160 p += ssl->verify_data_len; 02161 } 02162 else 02163 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 02164 { 02165 *p++ = 0x00; 02166 *p++ = 0x01; 02167 *p++ = 0x00; 02168 } 02169 02170 *olen = p - buf; 02171 } 02172 02173 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02174 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 02175 unsigned char *buf, 02176 size_t *olen ) 02177 { 02178 unsigned char *p = buf; 02179 02180 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) 02181 { 02182 *olen = 0; 02183 return; 02184 } 02185 02186 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); 02187 02188 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 02189 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 02190 02191 *p++ = 0x00; 02192 *p++ = 1; 02193 02194 *p++ = ssl->session_negotiate->mfl_code; 02195 02196 *olen = 5; 02197 } 02198 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 02199 02200 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02201 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02202 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 02203 unsigned char *buf, 02204 size_t *olen ) 02205 { 02206 unsigned char *p = buf; 02207 ((void) ssl); 02208 02209 if( ( ssl->handshake->cli_exts & 02210 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) 02211 { 02212 *olen = 0; 02213 return; 02214 } 02215 02216 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); 02217 02218 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 02219 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 02220 02221 *p++ = 0x00; 02222 *p++ = 2; 02223 02224 *p++ = 1; 02225 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 02226 02227 *olen = 6; 02228 } 02229 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02230 02231 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02232 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 02233 unsigned char *buf, 02234 size_t *olen ) 02235 { 02236 int ret; 02237 unsigned char *p = buf; 02238 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02239 size_t kkpp_len; 02240 02241 *olen = 0; 02242 02243 /* Skip costly computation if not needed */ 02244 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 02245 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02246 return; 02247 02248 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) ); 02249 02250 if( end - p < 4 ) 02251 { 02252 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 02253 return; 02254 } 02255 02256 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 02257 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 02258 02259 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 02260 p + 2, end - p - 2, &kkpp_len, 02261 ssl->conf->f_rng, ssl->conf->p_rng ); 02262 if( ret != 0 ) 02263 { 02264 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 02265 return; 02266 } 02267 02268 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 02269 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 02270 02271 *olen = kkpp_len + 4; 02272 } 02273 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02274 02275 #if defined(MBEDTLS_SSL_ALPN ) 02276 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 02277 unsigned char *buf, size_t *olen ) 02278 { 02279 if( ssl->alpn_chosen == NULL ) 02280 { 02281 *olen = 0; 02282 return; 02283 } 02284 02285 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); 02286 02287 /* 02288 * 0 . 1 ext identifier 02289 * 2 . 3 ext length 02290 * 4 . 5 protocol list length 02291 * 6 . 6 protocol name length 02292 * 7 . 7+n protocol name 02293 */ 02294 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 02295 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 02296 02297 *olen = 7 + strlen( ssl->alpn_chosen ); 02298 02299 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 02300 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 02301 02302 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 02303 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 02304 02305 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF ); 02306 02307 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); 02308 } 02309 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ 02310 02311 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02312 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) 02313 { 02314 int ret; 02315 unsigned char *p = ssl->out_msg + 4; 02316 unsigned char *cookie_len_byte; 02317 02318 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) ); 02319 02320 /* 02321 * struct { 02322 * ProtocolVersion server_version; 02323 * opaque cookie<0..2^8-1>; 02324 * } HelloVerifyRequest; 02325 */ 02326 02327 /* The RFC is not clear on this point, but sending the actual negotiated 02328 * version looks like the most interoperable thing to do. */ 02329 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02330 ssl->conf->transport, p ); 02331 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 02332 p += 2; 02333 02334 /* If we get here, f_cookie_check is not null */ 02335 if( ssl->conf->f_cookie_write == NULL ) 02336 { 02337 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); 02338 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02339 } 02340 02341 /* Skip length byte until we know the length */ 02342 cookie_len_byte = p++; 02343 02344 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, 02345 &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN, 02346 ssl->cli_id, ssl->cli_id_len ) ) != 0 ) 02347 { 02348 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret ); 02349 return( ret ); 02350 } 02351 02352 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) ); 02353 02354 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte ); 02355 02356 ssl->out_msglen = p - ssl->out_msg; 02357 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02358 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 02359 02360 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; 02361 02362 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02363 { 02364 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02365 return( ret ); 02366 } 02367 02368 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) ); 02369 02370 return( 0 ); 02371 } 02372 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02373 02374 static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) 02375 { 02376 #if defined(MBEDTLS_HAVE_TIME) 02377 mbedtls_time_t t; 02378 #endif 02379 int ret; 02380 size_t olen, ext_len = 0, n; 02381 unsigned char *buf, *p; 02382 02383 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); 02384 02385 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02386 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02387 ssl->handshake->verify_cookie_len != 0 ) 02388 { 02389 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); 02390 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02391 02392 return( ssl_write_hello_verify_request( ssl ) ); 02393 } 02394 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02395 02396 if( ssl->conf->f_rng == NULL ) 02397 { 02398 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 02399 return( MBEDTLS_ERR_SSL_NO_RNG ); 02400 } 02401 02402 /* 02403 * 0 . 0 handshake type 02404 * 1 . 3 handshake length 02405 * 4 . 5 protocol version 02406 * 6 . 9 UNIX time() 02407 * 10 . 37 random bytes 02408 */ 02409 buf = ssl->out_msg; 02410 p = buf + 4; 02411 02412 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02413 ssl->conf->transport, p ); 02414 p += 2; 02415 02416 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 02417 buf[4], buf[5] ) ); 02418 02419 #if defined(MBEDTLS_HAVE_TIME) 02420 t = mbedtls_time( NULL ); 02421 *p++ = (unsigned char)( t >> 24 ); 02422 *p++ = (unsigned char)( t >> 16 ); 02423 *p++ = (unsigned char)( t >> 8 ); 02424 *p++ = (unsigned char)( t ); 02425 02426 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 02427 #else 02428 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 02429 return( ret ); 02430 02431 p += 4; 02432 #endif /* MBEDTLS_HAVE_TIME */ 02433 02434 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 02435 return( ret ); 02436 02437 p += 28; 02438 02439 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); 02440 02441 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 02442 02443 /* 02444 * Resume is 0 by default, see ssl_handshake_init(). 02445 * It may be already set to 1 by ssl_parse_session_ticket_ext(). 02446 * If not, try looking up session ID in our cache. 02447 */ 02448 if( ssl->handshake->resume == 0 && 02449 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02450 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && 02451 #endif 02452 ssl->session_negotiate->id_len != 0 && 02453 ssl->conf->f_get_cache != NULL && 02454 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 ) 02455 { 02456 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); 02457 ssl->handshake->resume = 1; 02458 } 02459 02460 if( ssl->handshake->resume == 0 ) 02461 { 02462 /* 02463 * New session, create a new session id, 02464 * unless we're about to issue a session ticket 02465 */ 02466 ssl->state++; 02467 02468 #if defined(MBEDTLS_HAVE_TIME) 02469 ssl->session_negotiate->start = mbedtls_time( NULL ); 02470 #endif 02471 02472 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02473 if( ssl->handshake->new_session_ticket != 0 ) 02474 { 02475 ssl->session_negotiate->id_len = n = 0; 02476 memset( ssl->session_negotiate->id, 0, 32 ); 02477 } 02478 else 02479 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02480 { 02481 ssl->session_negotiate->id_len = n = 32; 02482 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 02483 n ) ) != 0 ) 02484 return( ret ); 02485 } 02486 } 02487 else 02488 { 02489 /* 02490 * Resuming a session 02491 */ 02492 n = ssl->session_negotiate->id_len; 02493 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 02494 02495 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 02496 { 02497 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 02498 return( ret ); 02499 } 02500 } 02501 02502 /* 02503 * 38 . 38 session id length 02504 * 39 . 38+n session id 02505 * 39+n . 40+n chosen ciphersuite 02506 * 41+n . 41+n chosen compression alg. 02507 * 42+n . 43+n extensions length 02508 * 44+n . 43+n+m extensions 02509 */ 02510 *p++ = (unsigned char) ssl->session_negotiate->id_len; 02511 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); 02512 p += ssl->session_negotiate->id_len; 02513 02514 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 02515 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 02516 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 02517 ssl->handshake->resume ? "a" : "no" ) ); 02518 02519 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); 02520 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); 02521 *p++ = (unsigned char)( ssl->session_negotiate->compression ); 02522 02523 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", 02524 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); 02525 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", 02526 ssl->session_negotiate->compression ) ); 02527 02528 /* Do not write the extensions if the protocol is SSLv3 */ 02529 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02530 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 02531 { 02532 #endif 02533 02534 /* 02535 * First write extensions, then the total length 02536 */ 02537 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 02538 ext_len += olen; 02539 02540 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02541 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 02542 ext_len += olen; 02543 #endif 02544 02545 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 02546 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 02547 ext_len += olen; 02548 #endif 02549 02550 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02551 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 02552 ext_len += olen; 02553 #endif 02554 02555 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02556 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 02557 ext_len += olen; 02558 #endif 02559 02560 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02561 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 02562 ext_len += olen; 02563 #endif 02564 02565 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02566 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02567 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 02568 ext_len += olen; 02569 #endif 02570 02571 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02572 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 02573 ext_len += olen; 02574 #endif 02575 02576 #if defined(MBEDTLS_SSL_ALPN) 02577 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 02578 ext_len += olen; 02579 #endif 02580 02581 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); 02582 02583 if( ext_len > 0 ) 02584 { 02585 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 02586 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 02587 p += ext_len; 02588 } 02589 02590 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02591 } 02592 #endif 02593 02594 ssl->out_msglen = p - buf; 02595 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02596 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; 02597 02598 ret = mbedtls_ssl_write_record( ssl ); 02599 02600 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02601 02602 return( ret ); 02603 } 02604 02605 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02606 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02607 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 02608 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02609 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 02610 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02611 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02612 { 02613 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02614 ssl->transform_negotiate->ciphersuite_info; 02615 02616 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02617 02618 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02619 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02620 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02621 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02622 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02623 { 02624 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02625 ssl->state++; 02626 return( 0 ); 02627 } 02628 02629 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02630 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02631 } 02632 #else 02633 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02634 { 02635 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02636 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02637 ssl->transform_negotiate->ciphersuite_info; 02638 size_t dn_size, total_dn_size; /* excluding length bytes */ 02639 size_t ct_len, sa_len; /* including length bytes */ 02640 unsigned char *buf, *p; 02641 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02642 const mbedtls_x509_crt *crt; 02643 int authmode; 02644 02645 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02646 02647 ssl->state++; 02648 02649 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02650 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 02651 authmode = ssl->handshake->sni_authmode; 02652 else 02653 #endif 02654 authmode = ssl->conf->authmode; 02655 02656 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02657 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02658 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02659 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02660 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || 02661 authmode == MBEDTLS_SSL_VERIFY_NONE ) 02662 { 02663 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02664 return( 0 ); 02665 } 02666 02667 /* 02668 * 0 . 0 handshake type 02669 * 1 . 3 handshake length 02670 * 4 . 4 cert type count 02671 * 5 .. m-1 cert types 02672 * m .. m+1 sig alg length (TLS 1.2 only) 02673 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 02674 * n .. n+1 length of all DNs 02675 * n+2 .. n+3 length of DN 1 02676 * n+4 .. ... Distinguished Name #1 02677 * ... .. ... length of DN 2, etc. 02678 */ 02679 buf = ssl->out_msg; 02680 p = buf + 4; 02681 02682 /* 02683 * Supported certificate types 02684 * 02685 * ClientCertificateType certificate_types<1..2^8-1>; 02686 * enum { (255) } ClientCertificateType; 02687 */ 02688 ct_len = 0; 02689 02690 #if defined(MBEDTLS_RSA_C) 02691 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; 02692 #endif 02693 #if defined(MBEDTLS_ECDSA_C) 02694 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; 02695 #endif 02696 02697 p[0] = (unsigned char) ct_len++; 02698 p += ct_len; 02699 02700 sa_len = 0; 02701 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02702 /* 02703 * Add signature_algorithms for verify (TLS 1.2) 02704 * 02705 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; 02706 * 02707 * struct { 02708 * HashAlgorithm hash; 02709 * SignatureAlgorithm signature; 02710 * } SignatureAndHashAlgorithm; 02711 * 02712 * enum { (255) } HashAlgorithm; 02713 * enum { (255) } SignatureAlgorithm; 02714 */ 02715 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02716 { 02717 const int *cur; 02718 02719 /* 02720 * Supported signature algorithms 02721 */ 02722 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) 02723 { 02724 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur ); 02725 02726 if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) ) 02727 continue; 02728 02729 #if defined(MBEDTLS_RSA_C) 02730 p[2 + sa_len++] = hash; 02731 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA; 02732 #endif 02733 #if defined(MBEDTLS_ECDSA_C) 02734 p[2 + sa_len++] = hash; 02735 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA; 02736 #endif 02737 } 02738 02739 p[0] = (unsigned char)( sa_len >> 8 ); 02740 p[1] = (unsigned char)( sa_len ); 02741 sa_len += 2; 02742 p += sa_len; 02743 } 02744 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02745 02746 /* 02747 * DistinguishedName certificate_authorities<0..2^16-1>; 02748 * opaque DistinguishedName<1..2^16-1>; 02749 */ 02750 p += 2; 02751 02752 total_dn_size = 0; 02753 02754 if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED ) 02755 { 02756 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02757 if( ssl->handshake->sni_ca_chain != NULL ) 02758 crt = ssl->handshake->sni_ca_chain; 02759 else 02760 #endif 02761 crt = ssl->conf->ca_chain; 02762 02763 while( crt != NULL && crt->version != 0 ) 02764 { 02765 dn_size = crt->subject_raw.len; 02766 02767 if( end < p || 02768 (size_t)( end - p ) < dn_size || 02769 (size_t)( end - p ) < 2 + dn_size ) 02770 { 02771 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); 02772 break; 02773 } 02774 02775 *p++ = (unsigned char)( dn_size >> 8 ); 02776 *p++ = (unsigned char)( dn_size ); 02777 memcpy( p, crt->subject_raw.p, dn_size ); 02778 p += dn_size; 02779 02780 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size ); 02781 02782 total_dn_size += 2 + dn_size; 02783 crt = crt->next; 02784 } 02785 } 02786 02787 ssl->out_msglen = p - buf; 02788 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02789 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; 02790 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 ); 02791 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size ); 02792 02793 ret = mbedtls_ssl_write_record( ssl ); 02794 02795 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); 02796 02797 return( ret ); 02798 } 02799 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 02800 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 02801 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 02802 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02803 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 02804 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02805 02806 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02807 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02808 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02809 { 02810 int ret; 02811 02812 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) ) 02813 { 02814 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02815 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02816 } 02817 02818 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, 02819 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ), 02820 MBEDTLS_ECDH_OURS ) ) != 0 ) 02821 { 02822 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02823 return( ret ); 02824 } 02825 02826 return( 0 ); 02827 } 02828 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02829 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02830 02831 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) 02832 { 02833 int ret; 02834 size_t n = 0; 02835 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02836 ssl->transform_negotiate->ciphersuite_info; 02837 02838 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED) 02839 unsigned char *p = ssl->out_msg + 4; 02840 size_t len; 02841 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02842 unsigned char *dig_signed = p; 02843 size_t dig_signed_len = 0; 02844 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 02845 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */ 02846 02847 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); 02848 02849 /* 02850 * 02851 * Part 1: Extract static ECDH parameters and abort 02852 * if ServerKeyExchange not needed. 02853 * 02854 */ 02855 02856 /* For suites involving ECDH, extract DH parameters 02857 * from certificate at this point. */ 02858 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED) 02859 if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) ) 02860 { 02861 ssl_get_ecdh_params_from_cert( ssl ); 02862 } 02863 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */ 02864 02865 /* Key exchanges not involving ephemeral keys don't use 02866 * ServerKeyExchange, so end here. */ 02867 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED) 02868 if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) ) 02869 { 02870 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 02871 ssl->state++; 02872 return( 0 ); 02873 } 02874 #endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */ 02875 02876 /* 02877 * 02878 * Part 2: Provide key exchange parameters for chosen ciphersuite. 02879 * 02880 */ 02881 02882 /* 02883 * - ECJPAKE key exchanges 02884 */ 02885 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02886 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02887 { 02888 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02889 02890 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02891 p, end - p, &len, ssl->conf->f_rng, ssl->conf->p_rng ); 02892 if( ret != 0 ) 02893 { 02894 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02895 return( ret ); 02896 } 02897 02898 p += len; 02899 n += len; 02900 } 02901 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02902 02903 /* 02904 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support 02905 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, 02906 * we use empty support identity hints here. 02907 **/ 02908 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 02909 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02910 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02911 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02912 { 02913 *(p++) = 0x00; 02914 *(p++) = 0x00; 02915 02916 n += 2; 02917 } 02918 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || 02919 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02920 02921 /* 02922 * - DHE key exchanges 02923 */ 02924 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) 02925 if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) ) 02926 { 02927 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL ) 02928 { 02929 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) ); 02930 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02931 } 02932 02933 /* 02934 * Ephemeral DH parameters: 02935 * 02936 * struct { 02937 * opaque dh_p<1..2^16-1>; 02938 * opaque dh_g<1..2^16-1>; 02939 * opaque dh_Ys<1..2^16-1>; 02940 * } ServerDHParams; 02941 */ 02942 if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx, 02943 &ssl->conf->dhm_P, 02944 &ssl->conf->dhm_G ) ) != 0 ) 02945 { 02946 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret ); 02947 return( ret ); 02948 } 02949 02950 if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx, 02951 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02952 p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02953 { 02954 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret ); 02955 return( ret ); 02956 } 02957 02958 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02959 dig_signed = p; 02960 dig_signed_len = len; 02961 #endif 02962 02963 p += len; 02964 n += len; 02965 02966 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02967 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 02968 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 02969 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02970 } 02971 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */ 02972 02973 /* 02974 * - ECDHE key exchanges 02975 */ 02976 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) 02977 if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) ) 02978 { 02979 /* 02980 * Ephemeral ECDH parameters: 02981 * 02982 * struct { 02983 * ECParameters curve_params; 02984 * ECPoint public; 02985 * } ServerECDHParams; 02986 */ 02987 const mbedtls_ecp_curve_info **curve = NULL; 02988 const mbedtls_ecp_group_id *gid; 02989 02990 /* Match our preference list against the offered curves */ 02991 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 02992 for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) 02993 if( (*curve)->grp_id == *gid ) 02994 goto curve_matching_done; 02995 02996 curve_matching_done: 02997 if( curve == NULL || *curve == NULL ) 02998 { 02999 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); 03000 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 03001 } 03002 03003 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); 03004 03005 if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp, 03006 (*curve)->grp_id ) ) != 0 ) 03007 { 03008 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); 03009 return( ret ); 03010 } 03011 03012 if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len, 03013 p, MBEDTLS_SSL_MAX_CONTENT_LEN - n, 03014 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03015 { 03016 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); 03017 return( ret ); 03018 } 03019 03020 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03021 dig_signed = p; 03022 dig_signed_len = len; 03023 #endif 03024 03025 p += len; 03026 n += len; 03027 03028 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q ); 03029 } 03030 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ 03031 03032 /* 03033 * 03034 * Part 3: For key exchanges involving the server signing the 03035 * exchange parameters, compute and add the signature here. 03036 * 03037 */ 03038 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03039 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 03040 { 03041 size_t signature_len = 0; 03042 unsigned int hashlen = 0; 03043 unsigned char hash[64]; 03044 03045 /* 03046 * 3.1: Choose hash algorithm: 03047 * A: For TLS 1.2, obey signature-hash-algorithm extension 03048 * to choose appropriate hash. 03049 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1 03050 * (RFC 4492, Sec. 5.4) 03051 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3) 03052 */ 03053 03054 mbedtls_md_type_t md_alg; 03055 03056 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03057 mbedtls_pk_type_t sig_alg = 03058 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 03059 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03060 { 03061 /* A: For TLS 1.2, obey signature-hash-algorithm extension 03062 * (RFC 5246, Sec. 7.4.1.4.1). */ 03063 if( sig_alg == MBEDTLS_PK_NONE || 03064 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, 03065 sig_alg ) ) == MBEDTLS_MD_NONE ) 03066 { 03067 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03068 /* (... because we choose a cipher suite 03069 * only if there is a matching hash.) */ 03070 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03071 } 03072 } 03073 else 03074 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03075 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03076 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03077 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 03078 { 03079 /* B: Default hash SHA1 */ 03080 md_alg = MBEDTLS_MD_SHA1; 03081 } 03082 else 03083 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03084 MBEDTLS_SSL_PROTO_TLS1_1 */ 03085 { 03086 /* C: MD5 + SHA1 */ 03087 md_alg = MBEDTLS_MD_NONE; 03088 } 03089 03090 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) ); 03091 03092 /* 03093 * 3.2: Compute the hash to be signed 03094 */ 03095 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03096 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03097 if( md_alg == MBEDTLS_MD_NONE ) 03098 { 03099 hashlen = 36; 03100 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, 03101 dig_signed, 03102 dig_signed_len ); 03103 if( ret != 0 ) 03104 return( ret ); 03105 } 03106 else 03107 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03108 MBEDTLS_SSL_PROTO_TLS1_1 */ 03109 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03110 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03111 if( md_alg != MBEDTLS_MD_NONE ) 03112 { 03113 /* Info from md_alg will be used instead */ 03114 hashlen = 0; 03115 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, 03116 dig_signed, 03117 dig_signed_len, 03118 md_alg ); 03119 if( ret != 0 ) 03120 return( ret ); 03121 } 03122 else 03123 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 03124 MBEDTLS_SSL_PROTO_TLS1_2 */ 03125 { 03126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03127 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03128 } 03129 03130 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 03131 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 03132 03133 /* 03134 * 3.3: Compute and add the signature 03135 */ 03136 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03137 { 03138 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 03139 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03140 } 03141 03142 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03143 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03144 { 03145 /* 03146 * For TLS 1.2, we need to specify signature and hash algorithm 03147 * explicitly through a prefix to the signature. 03148 * 03149 * struct { 03150 * HashAlgorithm hash; 03151 * SignatureAlgorithm signature; 03152 * } SignatureAndHashAlgorithm; 03153 * 03154 * struct { 03155 * SignatureAndHashAlgorithm algorithm; 03156 * opaque signature<0..2^16-1>; 03157 * } DigitallySigned; 03158 * 03159 */ 03160 03161 *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg ); 03162 *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg ); 03163 03164 n += 2; 03165 } 03166 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03167 03168 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen, 03169 p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03170 { 03171 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03172 return( ret ); 03173 } 03174 03175 *(p++) = (unsigned char)( signature_len >> 8 ); 03176 *(p++) = (unsigned char)( signature_len ); 03177 n += 2; 03178 03179 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len ); 03180 03181 n += signature_len; 03182 } 03183 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 03184 03185 /* Done with actual work; add header and send. */ 03186 03187 ssl->out_msglen = 4 + n; 03188 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03189 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; 03190 03191 ssl->state++; 03192 03193 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03194 { 03195 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03196 return( ret ); 03197 } 03198 03199 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); 03200 03201 return( 0 ); 03202 } 03203 03204 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) 03205 { 03206 int ret; 03207 03208 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); 03209 03210 ssl->out_msglen = 4; 03211 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03212 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; 03213 03214 ssl->state++; 03215 03216 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03217 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03218 mbedtls_ssl_send_flight_completed( ssl ); 03219 #endif 03220 03221 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03222 { 03223 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03224 return( ret ); 03225 } 03226 03227 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); 03228 03229 return( 0 ); 03230 } 03231 03232 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 03233 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03234 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p, 03235 const unsigned char *end ) 03236 { 03237 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03238 size_t n; 03239 03240 /* 03241 * Receive G^Y mod P, premaster = (G^Y)^X mod P 03242 */ 03243 if( *p + 2 > end ) 03244 { 03245 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03246 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03247 } 03248 03249 n = ( (*p)[0] << 8 ) | (*p)[1]; 03250 *p += 2; 03251 03252 if( *p + n > end ) 03253 { 03254 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03255 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03256 } 03257 03258 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) 03259 { 03260 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret ); 03261 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03262 } 03263 03264 *p += n; 03265 03266 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 03267 03268 return( ret ); 03269 } 03270 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 03271 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03272 03273 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 03274 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03275 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, 03276 const unsigned char *p, 03277 const unsigned char *end, 03278 size_t pms_offset ) 03279 { 03280 int ret; 03281 size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) ); 03282 unsigned char *pms = ssl->handshake->premaster + pms_offset; 03283 unsigned char ver[2]; 03284 unsigned char fake_pms[48], peer_pms[48]; 03285 unsigned char mask; 03286 size_t i, peer_pmslen; 03287 unsigned int diff; 03288 03289 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) ) 03290 { 03291 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); 03292 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03293 } 03294 03295 /* 03296 * Decrypt the premaster using own private RSA key 03297 */ 03298 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03299 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03300 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 03301 { 03302 if( *p++ != ( ( len >> 8 ) & 0xFF ) || 03303 *p++ != ( ( len ) & 0xFF ) ) 03304 { 03305 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03306 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03307 } 03308 } 03309 #endif 03310 03311 if( p + len != end ) 03312 { 03313 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03314 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03315 } 03316 03317 mbedtls_ssl_write_version( ssl->handshake->max_major_ver, 03318 ssl->handshake->max_minor_ver, 03319 ssl->conf->transport, ver ); 03320 03321 /* 03322 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding 03323 * must not cause the connection to end immediately; instead, send a 03324 * bad_record_mac later in the handshake. 03325 * Also, avoid data-dependant branches here to protect against 03326 * timing-based variants. 03327 */ 03328 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); 03329 if( ret != 0 ) 03330 return( ret ); 03331 03332 ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len, 03333 peer_pms, &peer_pmslen, 03334 sizeof( peer_pms ), 03335 ssl->conf->f_rng, ssl->conf->p_rng ); 03336 03337 diff = (unsigned int) ret; 03338 diff |= peer_pmslen ^ 48; 03339 diff |= peer_pms[0] ^ ver[0]; 03340 diff |= peer_pms[1] ^ ver[1]; 03341 03342 #if defined(MBEDTLS_SSL_DEBUG_ALL) 03343 if( diff != 0 ) 03344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03345 #endif 03346 03347 if( sizeof( ssl->handshake->premaster ) < pms_offset || 03348 sizeof( ssl->handshake->premaster ) - pms_offset < 48 ) 03349 { 03350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03351 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03352 } 03353 ssl->handshake->pmslen = 48; 03354 03355 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ 03356 /* MSVC has a warning about unary minus on unsigned, but this is 03357 * well-defined and precisely what we want to do here */ 03358 #if defined(_MSC_VER) 03359 #pragma warning( push ) 03360 #pragma warning( disable : 4146 ) 03361 #endif 03362 mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) ); 03363 #if defined(_MSC_VER) 03364 #pragma warning( pop ) 03365 #endif 03366 03367 for( i = 0; i < ssl->handshake->pmslen; i++ ) 03368 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] ); 03369 03370 return( 0 ); 03371 } 03372 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 03373 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03374 03375 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 03376 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p, 03377 const unsigned char *end ) 03378 { 03379 int ret = 0; 03380 size_t n; 03381 03382 if( ssl->conf->f_psk == NULL && 03383 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || 03384 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) 03385 { 03386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); 03387 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03388 } 03389 03390 /* 03391 * Receive client pre-shared key identity name 03392 */ 03393 if( end - *p < 2 ) 03394 { 03395 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03396 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03397 } 03398 03399 n = ( (*p)[0] << 8 ) | (*p)[1]; 03400 *p += 2; 03401 03402 if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) ) 03403 { 03404 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03405 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03406 } 03407 03408 if( ssl->conf->f_psk != NULL ) 03409 { 03410 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 ) 03411 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03412 } 03413 else 03414 { 03415 /* Identity is not a big secret since clients send it in the clear, 03416 * but treat it carefully anyway, just in case */ 03417 if( n != ssl->conf->psk_identity_len || 03418 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) 03419 { 03420 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03421 } 03422 } 03423 03424 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) 03425 { 03426 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); 03427 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03428 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ); 03429 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); 03430 } 03431 03432 *p += n; 03433 03434 return( 0 ); 03435 } 03436 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 03437 03438 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) 03439 { 03440 int ret; 03441 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 03442 unsigned char *p, *end; 03443 03444 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03445 03446 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); 03447 03448 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03449 { 03450 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03451 return( ret ); 03452 } 03453 03454 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03455 end = ssl->in_msg + ssl->in_hslen; 03456 03457 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03458 { 03459 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03460 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03461 } 03462 03463 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE ) 03464 { 03465 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03466 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03467 } 03468 03469 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 03470 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 03471 { 03472 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03473 { 03474 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03475 return( ret ); 03476 } 03477 03478 if( p != end ) 03479 { 03480 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03481 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03482 } 03483 03484 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 03485 ssl->handshake->premaster, 03486 MBEDTLS_PREMASTER_SIZE, 03487 &ssl->handshake->pmslen, 03488 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03489 { 03490 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 03491 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03492 } 03493 03494 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 03495 } 03496 else 03497 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 03498 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 03499 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 03500 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 03501 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 03502 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 03503 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 03504 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 03505 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 03506 { 03507 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 03508 p, end - p) ) != 0 ) 03509 { 03510 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 03511 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03512 } 03513 03514 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03515 03516 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 03517 &ssl->handshake->pmslen, 03518 ssl->handshake->premaster, 03519 MBEDTLS_MPI_MAX_SIZE, 03520 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03521 { 03522 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 03523 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03524 } 03525 03526 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z ); 03527 } 03528 else 03529 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 03530 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 03531 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 03532 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 03533 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 03534 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 03535 { 03536 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03537 { 03538 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03539 return( ret ); 03540 } 03541 03542 if( p != end ) 03543 { 03544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03545 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03546 } 03547 03548 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03549 ciphersuite_info->key_exchange ) ) != 0 ) 03550 { 03551 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03552 return( ret ); 03553 } 03554 } 03555 else 03556 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 03557 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03558 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 03559 { 03560 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03561 { 03562 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03563 return( ret ); 03564 } 03565 03566 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) 03567 { 03568 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); 03569 return( ret ); 03570 } 03571 03572 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03573 ciphersuite_info->key_exchange ) ) != 0 ) 03574 { 03575 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03576 return( ret ); 03577 } 03578 } 03579 else 03580 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03581 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03582 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 03583 { 03584 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03585 { 03586 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03587 return( ret ); 03588 } 03589 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03590 { 03591 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03592 return( ret ); 03593 } 03594 03595 if( p != end ) 03596 { 03597 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03598 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03599 } 03600 03601 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03602 ciphersuite_info->key_exchange ) ) != 0 ) 03603 { 03604 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03605 return( ret ); 03606 } 03607 } 03608 else 03609 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03610 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 03611 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 03612 { 03613 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03614 { 03615 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03616 return( ret ); 03617 } 03618 03619 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 03620 p, end - p ) ) != 0 ) 03621 { 03622 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 03623 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03624 } 03625 03626 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03627 03628 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03629 ciphersuite_info->key_exchange ) ) != 0 ) 03630 { 03631 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03632 return( ret ); 03633 } 03634 } 03635 else 03636 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 03637 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 03638 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 03639 { 03640 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 ) 03641 { 03642 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); 03643 return( ret ); 03644 } 03645 } 03646 else 03647 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03648 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 03649 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03650 { 03651 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 03652 p, end - p ); 03653 if( ret != 0 ) 03654 { 03655 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 03656 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 03657 } 03658 03659 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 03660 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 03661 ssl->conf->f_rng, ssl->conf->p_rng ); 03662 if( ret != 0 ) 03663 { 03664 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 03665 return( ret ); 03666 } 03667 } 03668 else 03669 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 03670 { 03671 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03672 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03673 } 03674 03675 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03676 { 03677 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03678 return( ret ); 03679 } 03680 03681 ssl->state++; 03682 03683 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); 03684 03685 return( 0 ); 03686 } 03687 03688 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 03689 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 03690 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 03691 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 03692 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 03693 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 03694 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 03695 { 03696 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03697 ssl->transform_negotiate->ciphersuite_info; 03698 03699 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03700 03701 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03702 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03703 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03704 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03705 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03706 { 03707 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03708 ssl->state++; 03709 return( 0 ); 03710 } 03711 03712 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03713 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03714 } 03715 #else 03716 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 03717 { 03718 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03719 size_t i, sig_len; 03720 unsigned char hash[48]; 03721 unsigned char *hash_start = hash; 03722 size_t hashlen; 03723 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03724 mbedtls_pk_type_t pk_alg; 03725 #endif 03726 mbedtls_md_type_t md_alg; 03727 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03728 ssl->transform_negotiate->ciphersuite_info; 03729 03730 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03731 03732 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03733 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03734 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03735 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03736 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || 03737 ssl->session_negotiate->peer_cert == NULL ) 03738 { 03739 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03740 ssl->state++; 03741 return( 0 ); 03742 } 03743 03744 /* Read the message without adding it to the checksum */ 03745 do { 03746 03747 do ret = mbedtls_ssl_read_record_layer( ssl ); 03748 while( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); 03749 03750 if( ret != 0 ) 03751 { 03752 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret ); 03753 return( ret ); 03754 } 03755 03756 ret = mbedtls_ssl_handle_message_type( ssl ); 03757 03758 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret || 03759 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret ); 03760 03761 if( 0 != ret ) 03762 { 03763 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret ); 03764 return( ret ); 03765 } 03766 03767 ssl->state++; 03768 03769 /* Process the message contents */ 03770 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || 03771 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY ) 03772 { 03773 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03774 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03775 } 03776 03777 i = mbedtls_ssl_hs_hdr_len( ssl ); 03778 03779 /* 03780 * struct { 03781 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only 03782 * opaque signature<0..2^16-1>; 03783 * } DigitallySigned; 03784 */ 03785 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03786 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03787 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03788 { 03789 md_alg = MBEDTLS_MD_NONE; 03790 hashlen = 36; 03791 03792 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ 03793 if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 03794 MBEDTLS_PK_ECDSA ) ) 03795 { 03796 hash_start += 16; 03797 hashlen -= 16; 03798 md_alg = MBEDTLS_MD_SHA1; 03799 } 03800 } 03801 else 03802 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || 03803 MBEDTLS_SSL_PROTO_TLS1_1 */ 03804 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03805 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03806 { 03807 if( i + 2 > ssl->in_hslen ) 03808 { 03809 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03810 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03811 } 03812 03813 /* 03814 * Hash 03815 */ 03816 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] ); 03817 03818 if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) ) 03819 { 03820 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03821 " for verify message" ) ); 03822 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03823 } 03824 03825 #if !defined(MBEDTLS_MD_SHA1) 03826 if( MBEDTLS_MD_SHA1 == md_alg ) 03827 hash_start += 16; 03828 #endif 03829 03830 /* Info from md_alg will be used instead */ 03831 hashlen = 0; 03832 03833 i++; 03834 03835 /* 03836 * Signature 03837 */ 03838 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) ) 03839 == MBEDTLS_PK_NONE ) 03840 { 03841 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03842 " for verify message" ) ); 03843 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03844 } 03845 03846 /* 03847 * Check the certificate's key type matches the signature alg 03848 */ 03849 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 03850 { 03851 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); 03852 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03853 } 03854 03855 i++; 03856 } 03857 else 03858 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03859 { 03860 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03861 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03862 } 03863 03864 if( i + 2 > ssl->in_hslen ) 03865 { 03866 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03867 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03868 } 03869 03870 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1]; 03871 i += 2; 03872 03873 if( i + sig_len != ssl->in_hslen ) 03874 { 03875 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03876 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03877 } 03878 03879 /* Calculate hash and verify signature */ 03880 ssl->handshake->calc_verify( ssl, hash ); 03881 03882 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 03883 md_alg, hash_start, hashlen, 03884 ssl->in_msg + i, sig_len ) ) != 0 ) 03885 { 03886 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 03887 return( ret ); 03888 } 03889 03890 mbedtls_ssl_update_handshake_status( ssl ); 03891 03892 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); 03893 03894 return( ret ); 03895 } 03896 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03897 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03898 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 03899 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 03900 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 03901 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03902 03903 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03904 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) 03905 { 03906 int ret; 03907 size_t tlen; 03908 uint32_t lifetime; 03909 03910 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); 03911 03912 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03913 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; 03914 03915 /* 03916 * struct { 03917 * uint32 ticket_lifetime_hint; 03918 * opaque ticket<0..2^16-1>; 03919 * } NewSessionTicket; 03920 * 03921 * 4 . 7 ticket_lifetime_hint (0 = unspecified) 03922 * 8 . 9 ticket_len (n) 03923 * 10 . 9+n ticket content 03924 */ 03925 03926 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, 03927 ssl->session_negotiate, 03928 ssl->out_msg + 10, 03929 ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN, 03930 &tlen, &lifetime ) ) != 0 ) 03931 { 03932 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret ); 03933 tlen = 0; 03934 } 03935 03936 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF; 03937 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF; 03938 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF; 03939 ssl->out_msg[7] = ( lifetime ) & 0xFF; 03940 03941 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 03942 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF ); 03943 03944 ssl->out_msglen = 10 + tlen; 03945 03946 /* 03947 * Morally equivalent to updating ssl->state, but NewSessionTicket and 03948 * ChangeCipherSpec share the same state. 03949 */ 03950 ssl->handshake->new_session_ticket = 0; 03951 03952 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03953 { 03954 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03955 return( ret ); 03956 } 03957 03958 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); 03959 03960 return( 0 ); 03961 } 03962 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03963 03964 /* 03965 * SSL handshake -- server side -- single step 03966 */ 03967 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) 03968 { 03969 int ret = 0; 03970 03971 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03972 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03973 03974 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); 03975 03976 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03977 return( ret ); 03978 03979 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03980 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03981 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03982 { 03983 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03984 return( ret ); 03985 } 03986 #endif 03987 03988 switch( ssl->state ) 03989 { 03990 case MBEDTLS_SSL_HELLO_REQUEST: 03991 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03992 break; 03993 03994 /* 03995 * <== ClientHello 03996 */ 03997 case MBEDTLS_SSL_CLIENT_HELLO: 03998 ret = ssl_parse_client_hello( ssl ); 03999 break; 04000 04001 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04002 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: 04003 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 04004 #endif 04005 04006 /* 04007 * ==> ServerHello 04008 * Certificate 04009 * ( ServerKeyExchange ) 04010 * ( CertificateRequest ) 04011 * ServerHelloDone 04012 */ 04013 case MBEDTLS_SSL_SERVER_HELLO: 04014 ret = ssl_write_server_hello( ssl ); 04015 break; 04016 04017 case MBEDTLS_SSL_SERVER_CERTIFICATE: 04018 ret = mbedtls_ssl_write_certificate( ssl ); 04019 break; 04020 04021 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 04022 ret = ssl_write_server_key_exchange( ssl ); 04023 break; 04024 04025 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 04026 ret = ssl_write_certificate_request( ssl ); 04027 break; 04028 04029 case MBEDTLS_SSL_SERVER_HELLO_DONE: 04030 ret = ssl_write_server_hello_done( ssl ); 04031 break; 04032 04033 /* 04034 * <== ( Certificate/Alert ) 04035 * ClientKeyExchange 04036 * ( CertificateVerify ) 04037 * ChangeCipherSpec 04038 * Finished 04039 */ 04040 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 04041 ret = mbedtls_ssl_parse_certificate( ssl ); 04042 break; 04043 04044 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 04045 ret = ssl_parse_client_key_exchange( ssl ); 04046 break; 04047 04048 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 04049 ret = ssl_parse_certificate_verify( ssl ); 04050 break; 04051 04052 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 04053 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 04054 break; 04055 04056 case MBEDTLS_SSL_CLIENT_FINISHED: 04057 ret = mbedtls_ssl_parse_finished( ssl ); 04058 break; 04059 04060 /* 04061 * ==> ( NewSessionTicket ) 04062 * ChangeCipherSpec 04063 * Finished 04064 */ 04065 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 04066 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 04067 if( ssl->handshake->new_session_ticket != 0 ) 04068 ret = ssl_write_new_session_ticket( ssl ); 04069 else 04070 #endif 04071 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 04072 break; 04073 04074 case MBEDTLS_SSL_SERVER_FINISHED: 04075 ret = mbedtls_ssl_write_finished( ssl ); 04076 break; 04077 04078 case MBEDTLS_SSL_FLUSH_BUFFERS: 04079 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 04080 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 04081 break; 04082 04083 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 04084 mbedtls_ssl_handshake_wrapup( ssl ); 04085 break; 04086 04087 default: 04088 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 04089 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04090 } 04091 04092 return( ret ); 04093 } 04094 #endif /* MBEDTLS_SSL_SRV_C */
Generated on Tue Jul 12 2022 12:45:48 by
