Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
ssl_tls.c
00001 /* 00002 * SSLv3/TLSv1 shared functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The SSL 3.0 specification was drafted by Netscape in 1996, 00023 * and became an IETF standard in 1999. 00024 * 00025 * http://wp.netscape.com/eng/ssl3/ 00026 * http://www.ietf.org/rfc/rfc2246.txt 00027 * http://www.ietf.org/rfc/rfc4346.txt 00028 */ 00029 00030 #if !defined(MBEDTLS_CONFIG_FILE) 00031 #include "mbedtls/config.h" 00032 #else 00033 #include MBEDTLS_CONFIG_FILE 00034 #endif 00035 00036 #if defined(MBEDTLS_SSL_TLS_C) 00037 00038 #if defined(MBEDTLS_PLATFORM_C) 00039 #include "mbedtls/platform.h" 00040 #else 00041 #include <stdlib.h> 00042 #define mbedtls_calloc calloc 00043 #define mbedtls_free free 00044 #endif 00045 00046 #include "mbedtls/debug.h" 00047 #include "mbedtls/ssl.h" 00048 #include "mbedtls/ssl_internal.h" 00049 #include "mbedtls/platform_util.h" 00050 00051 #include <string.h> 00052 00053 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00054 #include "mbedtls/oid.h" 00055 #endif 00056 00057 /* Length of the "epoch" field in the record header */ 00058 static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl ) 00059 { 00060 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00061 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00062 return( 2 ); 00063 #else 00064 ((void) ssl); 00065 #endif 00066 return( 0 ); 00067 } 00068 00069 /* 00070 * Start a timer. 00071 * Passing millisecs = 0 cancels a running timer. 00072 */ 00073 static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs ) 00074 { 00075 if( ssl->f_set_timer == NULL ) 00076 return; 00077 00078 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) ); 00079 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs ); 00080 } 00081 00082 /* 00083 * Return -1 is timer is expired, 0 if it isn't. 00084 */ 00085 static int ssl_check_timer( mbedtls_ssl_context *ssl ) 00086 { 00087 if( ssl->f_get_timer == NULL ) 00088 return( 0 ); 00089 00090 if( ssl->f_get_timer( ssl->p_timer ) == 2 ) 00091 { 00092 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) ); 00093 return( -1 ); 00094 } 00095 00096 return( 0 ); 00097 } 00098 00099 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00100 /* 00101 * Double the retransmit timeout value, within the allowed range, 00102 * returning -1 if the maximum value has already been reached. 00103 */ 00104 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) 00105 { 00106 uint32_t new_timeout; 00107 00108 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) 00109 return( -1 ); 00110 00111 new_timeout = 2 * ssl->handshake->retransmit_timeout; 00112 00113 /* Avoid arithmetic overflow and range overflow */ 00114 if( new_timeout < ssl->handshake->retransmit_timeout || 00115 new_timeout > ssl->conf->hs_timeout_max ) 00116 { 00117 new_timeout = ssl->conf->hs_timeout_max; 00118 } 00119 00120 ssl->handshake->retransmit_timeout = new_timeout; 00121 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00122 ssl->handshake->retransmit_timeout ) ); 00123 00124 return( 0 ); 00125 } 00126 00127 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) 00128 { 00129 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; 00130 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00131 ssl->handshake->retransmit_timeout ) ); 00132 } 00133 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 00134 00135 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00136 /* 00137 * Convert max_fragment_length codes to length. 00138 * RFC 6066 says: 00139 * enum{ 00140 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) 00141 * } MaxFragmentLength; 00142 * and we add 0 -> extension unused 00143 */ 00144 static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] = 00145 { 00146 MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */ 00147 512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */ 00148 1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */ 00149 2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */ 00150 4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */ 00151 }; 00152 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00153 00154 #if defined(MBEDTLS_SSL_CLI_C) 00155 static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src ) 00156 { 00157 mbedtls_ssl_session_free( dst ); 00158 memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); 00159 00160 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00161 if( src->peer_cert != NULL ) 00162 { 00163 int ret; 00164 00165 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) ); 00166 if( dst->peer_cert == NULL ) 00167 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00168 00169 mbedtls_x509_crt_init( dst->peer_cert ); 00170 00171 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p, 00172 src->peer_cert->raw.len ) ) != 0 ) 00173 { 00174 mbedtls_free( dst->peer_cert ); 00175 dst->peer_cert = NULL; 00176 return( ret ); 00177 } 00178 } 00179 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00180 00181 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 00182 if( src->ticket != NULL ) 00183 { 00184 dst->ticket = mbedtls_calloc( 1, src->ticket_len ); 00185 if( dst->ticket == NULL ) 00186 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00187 00188 memcpy( dst->ticket, src->ticket, src->ticket_len ); 00189 } 00190 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 00191 00192 return( 0 ); 00193 } 00194 #endif /* MBEDTLS_SSL_CLI_C */ 00195 00196 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00197 int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl, 00198 const unsigned char *key_enc, const unsigned char *key_dec, 00199 size_t keylen, 00200 const unsigned char *iv_enc, const unsigned char *iv_dec, 00201 size_t ivlen, 00202 const unsigned char *mac_enc, const unsigned char *mac_dec, 00203 size_t maclen ) = NULL; 00204 int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL; 00205 int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL; 00206 int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL; 00207 int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL; 00208 int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL; 00209 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00210 00211 /* 00212 * Key material generation 00213 */ 00214 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00215 static int ssl3_prf( const unsigned char *secret, size_t slen, 00216 const char *label, 00217 const unsigned char *random, size_t rlen, 00218 unsigned char *dstbuf, size_t dlen ) 00219 { 00220 int ret = 0; 00221 size_t i; 00222 mbedtls_md5_context md5; 00223 mbedtls_sha1_context sha1; 00224 unsigned char padding[16]; 00225 unsigned char sha1sum[20]; 00226 ((void)label); 00227 00228 mbedtls_md5_init( &md5 ); 00229 mbedtls_sha1_init( &sha1 ); 00230 00231 /* 00232 * SSLv3: 00233 * block = 00234 * MD5( secret + SHA1( 'A' + secret + random ) ) + 00235 * MD5( secret + SHA1( 'BB' + secret + random ) ) + 00236 * MD5( secret + SHA1( 'CCC' + secret + random ) ) + 00237 * ... 00238 */ 00239 for( i = 0; i < dlen / 16; i++ ) 00240 { 00241 memset( padding, (unsigned char) ('A' + i), 1 + i ); 00242 00243 if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 ) 00244 goto exit; 00245 if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 ) 00246 goto exit; 00247 if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 ) 00248 goto exit; 00249 if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 ) 00250 goto exit; 00251 if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 ) 00252 goto exit; 00253 00254 if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 ) 00255 goto exit; 00256 if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 ) 00257 goto exit; 00258 if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 ) 00259 goto exit; 00260 if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 ) 00261 goto exit; 00262 } 00263 00264 exit: 00265 mbedtls_md5_free( &md5 ); 00266 mbedtls_sha1_free( &sha1 ); 00267 00268 mbedtls_platform_zeroize( padding, sizeof( padding ) ); 00269 mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) ); 00270 00271 return( ret ); 00272 } 00273 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00274 00275 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00276 static int tls1_prf( const unsigned char *secret, size_t slen, 00277 const char *label, 00278 const unsigned char *random, size_t rlen, 00279 unsigned char *dstbuf, size_t dlen ) 00280 { 00281 size_t nb, hs; 00282 size_t i, j, k; 00283 const unsigned char *S1, *S2; 00284 unsigned char tmp[128]; 00285 unsigned char h_i[20]; 00286 const mbedtls_md_info_t *md_info; 00287 mbedtls_md_context_t md_ctx; 00288 int ret; 00289 00290 mbedtls_md_init( &md_ctx ); 00291 00292 if( sizeof( tmp ) < 20 + strlen( label ) + rlen ) 00293 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00294 00295 hs = ( slen + 1 ) / 2; 00296 S1 = secret; 00297 S2 = secret + slen - hs; 00298 00299 nb = strlen( label ); 00300 memcpy( tmp + 20, label, nb ); 00301 memcpy( tmp + 20 + nb, random, rlen ); 00302 nb += rlen; 00303 00304 /* 00305 * First compute P_md5(secret,label+random)[0..dlen] 00306 */ 00307 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL ) 00308 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00309 00310 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00311 return( ret ); 00312 00313 mbedtls_md_hmac_starts( &md_ctx, S1, hs ); 00314 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00315 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00316 00317 for( i = 0; i < dlen; i += 16 ) 00318 { 00319 mbedtls_md_hmac_reset ( &md_ctx ); 00320 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb ); 00321 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00322 00323 mbedtls_md_hmac_reset ( &md_ctx ); 00324 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 ); 00325 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00326 00327 k = ( i + 16 > dlen ) ? dlen % 16 : 16; 00328 00329 for( j = 0; j < k; j++ ) 00330 dstbuf[i + j] = h_i[j]; 00331 } 00332 00333 mbedtls_md_free( &md_ctx ); 00334 00335 /* 00336 * XOR out with P_sha1(secret,label+random)[0..dlen] 00337 */ 00338 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL ) 00339 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00340 00341 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00342 return( ret ); 00343 00344 mbedtls_md_hmac_starts( &md_ctx, S2, hs ); 00345 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00346 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00347 00348 for( i = 0; i < dlen; i += 20 ) 00349 { 00350 mbedtls_md_hmac_reset ( &md_ctx ); 00351 mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb ); 00352 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00353 00354 mbedtls_md_hmac_reset ( &md_ctx ); 00355 mbedtls_md_hmac_update( &md_ctx, tmp, 20 ); 00356 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00357 00358 k = ( i + 20 > dlen ) ? dlen % 20 : 20; 00359 00360 for( j = 0; j < k; j++ ) 00361 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] ); 00362 } 00363 00364 mbedtls_md_free( &md_ctx ); 00365 00366 mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); 00367 mbedtls_platform_zeroize( h_i, sizeof( h_i ) ); 00368 00369 return( 0 ); 00370 } 00371 #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ 00372 00373 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00374 static int tls_prf_generic( mbedtls_md_type_t md_type, 00375 const unsigned char *secret, size_t slen, 00376 const char *label, 00377 const unsigned char *random, size_t rlen, 00378 unsigned char *dstbuf, size_t dlen ) 00379 { 00380 size_t nb; 00381 size_t i, j, k, md_len; 00382 unsigned char tmp[128]; 00383 unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; 00384 const mbedtls_md_info_t *md_info; 00385 mbedtls_md_context_t md_ctx; 00386 int ret; 00387 00388 mbedtls_md_init( &md_ctx ); 00389 00390 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL ) 00391 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00392 00393 md_len = mbedtls_md_get_size( md_info ); 00394 00395 if( sizeof( tmp ) < md_len + strlen( label ) + rlen ) 00396 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00397 00398 nb = strlen( label ); 00399 memcpy( tmp + md_len, label, nb ); 00400 memcpy( tmp + md_len + nb, random, rlen ); 00401 nb += rlen; 00402 00403 /* 00404 * Compute P_<hash>(secret, label + random)[0..dlen] 00405 */ 00406 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00407 return( ret ); 00408 00409 mbedtls_md_hmac_starts( &md_ctx, secret, slen ); 00410 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb ); 00411 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00412 00413 for( i = 0; i < dlen; i += md_len ) 00414 { 00415 mbedtls_md_hmac_reset ( &md_ctx ); 00416 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb ); 00417 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00418 00419 mbedtls_md_hmac_reset ( &md_ctx ); 00420 mbedtls_md_hmac_update( &md_ctx, tmp, md_len ); 00421 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00422 00423 k = ( i + md_len > dlen ) ? dlen % md_len : md_len; 00424 00425 for( j = 0; j < k; j++ ) 00426 dstbuf[i + j] = h_i[j]; 00427 } 00428 00429 mbedtls_md_free( &md_ctx ); 00430 00431 mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); 00432 mbedtls_platform_zeroize( h_i, sizeof( h_i ) ); 00433 00434 return( 0 ); 00435 } 00436 00437 #if defined(MBEDTLS_SHA256_C) 00438 static int tls_prf_sha256( const unsigned char *secret, size_t slen, 00439 const char *label, 00440 const unsigned char *random, size_t rlen, 00441 unsigned char *dstbuf, size_t dlen ) 00442 { 00443 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen, 00444 label, random, rlen, dstbuf, dlen ) ); 00445 } 00446 #endif /* MBEDTLS_SHA256_C */ 00447 00448 #if defined(MBEDTLS_SHA512_C) 00449 static int tls_prf_sha384( const unsigned char *secret, size_t slen, 00450 const char *label, 00451 const unsigned char *random, size_t rlen, 00452 unsigned char *dstbuf, size_t dlen ) 00453 { 00454 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen, 00455 label, random, rlen, dstbuf, dlen ) ); 00456 } 00457 #endif /* MBEDTLS_SHA512_C */ 00458 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00459 00460 static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); 00461 00462 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 00463 defined(MBEDTLS_SSL_PROTO_TLS1_1) 00464 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t ); 00465 #endif 00466 00467 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00468 static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * ); 00469 static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int ); 00470 #endif 00471 00472 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00473 static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * ); 00474 static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int ); 00475 #endif 00476 00477 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00478 #if defined(MBEDTLS_SHA256_C) 00479 static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); 00480 static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * ); 00481 static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int ); 00482 #endif 00483 00484 #if defined(MBEDTLS_SHA512_C) 00485 static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t ); 00486 static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * ); 00487 static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int ); 00488 #endif 00489 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00490 00491 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) 00492 { 00493 int ret = 0; 00494 unsigned char tmp[64]; 00495 unsigned char keyblk[256]; 00496 unsigned char *key1; 00497 unsigned char *key2; 00498 unsigned char *mac_enc; 00499 unsigned char *mac_dec; 00500 size_t mac_key_len; 00501 size_t iv_copy_len; 00502 const mbedtls_cipher_info_t *cipher_info; 00503 const mbedtls_md_info_t *md_info; 00504 00505 mbedtls_ssl_session *session = ssl->session_negotiate; 00506 mbedtls_ssl_transform *transform = ssl->transform_negotiate; 00507 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 00508 00509 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) ); 00510 00511 cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher ); 00512 if( cipher_info == NULL ) 00513 { 00514 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found", 00515 transform->ciphersuite_info->cipher ) ); 00516 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00517 } 00518 00519 md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac ); 00520 if( md_info == NULL ) 00521 { 00522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found", 00523 transform->ciphersuite_info->mac ) ); 00524 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00525 } 00526 00527 /* 00528 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions 00529 */ 00530 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00531 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00532 { 00533 handshake->tls_prf = ssl3_prf; 00534 handshake->calc_verify = ssl_calc_verify_ssl; 00535 handshake->calc_finished = ssl_calc_finished_ssl; 00536 } 00537 else 00538 #endif 00539 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00540 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 00541 { 00542 handshake->tls_prf = tls1_prf; 00543 handshake->calc_verify = ssl_calc_verify_tls; 00544 handshake->calc_finished = ssl_calc_finished_tls; 00545 } 00546 else 00547 #endif 00548 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00549 #if defined(MBEDTLS_SHA512_C) 00550 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && 00551 transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 00552 { 00553 handshake->tls_prf = tls_prf_sha384; 00554 handshake->calc_verify = ssl_calc_verify_tls_sha384; 00555 handshake->calc_finished = ssl_calc_finished_tls_sha384; 00556 } 00557 else 00558 #endif 00559 #if defined(MBEDTLS_SHA256_C) 00560 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00561 { 00562 handshake->tls_prf = tls_prf_sha256; 00563 handshake->calc_verify = ssl_calc_verify_tls_sha256; 00564 handshake->calc_finished = ssl_calc_finished_tls_sha256; 00565 } 00566 else 00567 #endif 00568 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00569 { 00570 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00571 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00572 } 00573 00574 /* 00575 * SSLv3: 00576 * master = 00577 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) + 00578 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) + 00579 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) ) 00580 * 00581 * TLSv1+: 00582 * master = PRF( premaster, "master secret", randbytes )[0..47] 00583 */ 00584 if( handshake->resume == 0 ) 00585 { 00586 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster, 00587 handshake->pmslen ); 00588 00589 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00590 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED ) 00591 { 00592 unsigned char session_hash[48]; 00593 size_t hash_len; 00594 00595 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) ); 00596 00597 ssl->handshake->calc_verify( ssl, session_hash ); 00598 00599 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00600 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00601 { 00602 #if defined(MBEDTLS_SHA512_C) 00603 if( ssl->transform_negotiate->ciphersuite_info->mac == 00604 MBEDTLS_MD_SHA384 ) 00605 { 00606 hash_len = 48; 00607 } 00608 else 00609 #endif 00610 hash_len = 32; 00611 } 00612 else 00613 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00614 hash_len = 36; 00615 00616 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len ); 00617 00618 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00619 "extended master secret", 00620 session_hash, hash_len, 00621 session->master, 48 ); 00622 if( ret != 0 ) 00623 { 00624 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00625 return( ret ); 00626 } 00627 00628 } 00629 else 00630 #endif 00631 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00632 "master secret", 00633 handshake->randbytes, 64, 00634 session->master, 48 ); 00635 if( ret != 0 ) 00636 { 00637 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00638 return( ret ); 00639 } 00640 00641 mbedtls_platform_zeroize( handshake->premaster, 00642 sizeof(handshake->premaster) ); 00643 } 00644 else 00645 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) ); 00646 00647 /* 00648 * Swap the client and server random values. 00649 */ 00650 memcpy( tmp, handshake->randbytes, 64 ); 00651 memcpy( handshake->randbytes, tmp + 32, 32 ); 00652 memcpy( handshake->randbytes + 32, tmp, 32 ); 00653 mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); 00654 00655 /* 00656 * SSLv3: 00657 * key block = 00658 * MD5( master + SHA1( 'A' + master + randbytes ) ) + 00659 * MD5( master + SHA1( 'BB' + master + randbytes ) ) + 00660 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) + 00661 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) + 00662 * ... 00663 * 00664 * TLSv1: 00665 * key block = PRF( master, "key expansion", randbytes ) 00666 */ 00667 ret = handshake->tls_prf( session->master, 48, "key expansion", 00668 handshake->randbytes, 64, keyblk, 256 ); 00669 if( ret != 0 ) 00670 { 00671 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00672 return( ret ); 00673 } 00674 00675 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", 00676 mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) ); 00677 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 ); 00678 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 ); 00679 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 ); 00680 00681 mbedtls_platform_zeroize( handshake->randbytes, 00682 sizeof( handshake->randbytes ) ); 00683 00684 /* 00685 * Determine the appropriate key, IV and MAC length. 00686 */ 00687 00688 transform->keylen = cipher_info->key_bitlen / 8; 00689 00690 if( cipher_info->mode == MBEDTLS_MODE_GCM || 00691 cipher_info->mode == MBEDTLS_MODE_CCM ) 00692 { 00693 transform->maclen = 0; 00694 mac_key_len = 0; 00695 00696 transform->ivlen = 12; 00697 transform->fixed_ivlen = 4; 00698 00699 /* Minimum length is expicit IV + tag */ 00700 transform->minlen = transform->ivlen - transform->fixed_ivlen 00701 + ( transform->ciphersuite_info->flags & 00702 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 ); 00703 } 00704 else 00705 { 00706 /* Initialize HMAC contexts */ 00707 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 || 00708 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 ) 00709 { 00710 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 00711 return( ret ); 00712 } 00713 00714 /* Get MAC length */ 00715 mac_key_len = mbedtls_md_get_size( md_info ); 00716 transform->maclen = mac_key_len; 00717 00718 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00719 /* 00720 * If HMAC is to be truncated, we shall keep the leftmost bytes, 00721 * (rfc 6066 page 13 or rfc 2104 section 4), 00722 * so we only need to adjust the length here. 00723 */ 00724 if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00725 { 00726 transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN; 00727 00728 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) 00729 /* Fall back to old, non-compliant version of the truncated 00730 * HMAC implementation which also truncates the key 00731 * (Mbed TLS versions from 1.3 to 2.6.0) */ 00732 mac_key_len = transform->maclen; 00733 #endif 00734 } 00735 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00736 00737 /* IV length */ 00738 transform->ivlen = cipher_info->iv_size; 00739 00740 /* Minimum length */ 00741 if( cipher_info->mode == MBEDTLS_MODE_STREAM ) 00742 transform->minlen = transform->maclen; 00743 else 00744 { 00745 /* 00746 * GenericBlockCipher: 00747 * 1. if EtM is in use: one block plus MAC 00748 * otherwise: * first multiple of blocklen greater than maclen 00749 * 2. IV except for SSL3 and TLS 1.0 00750 */ 00751 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00752 if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 00753 { 00754 transform->minlen = transform->maclen 00755 + cipher_info->block_size; 00756 } 00757 else 00758 #endif 00759 { 00760 transform->minlen = transform->maclen 00761 + cipher_info->block_size 00762 - transform->maclen % cipher_info->block_size; 00763 } 00764 00765 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 00766 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 00767 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 ) 00768 ; /* No need to adjust minlen */ 00769 else 00770 #endif 00771 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 00772 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 || 00773 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00774 { 00775 transform->minlen += transform->ivlen; 00776 } 00777 else 00778 #endif 00779 { 00780 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00781 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00782 } 00783 } 00784 } 00785 00786 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d", 00787 transform->keylen, transform->minlen, transform->ivlen, 00788 transform->maclen ) ); 00789 00790 /* 00791 * Finally setup the cipher contexts, IVs and MAC secrets. 00792 */ 00793 #if defined(MBEDTLS_SSL_CLI_C) 00794 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 00795 { 00796 key1 = keyblk + mac_key_len * 2; 00797 key2 = keyblk + mac_key_len * 2 + transform->keylen; 00798 00799 mac_enc = keyblk; 00800 mac_dec = keyblk + mac_key_len; 00801 00802 /* 00803 * This is not used in TLS v1.1. 00804 */ 00805 iv_copy_len = ( transform->fixed_ivlen ) ? 00806 transform->fixed_ivlen : transform->ivlen; 00807 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len ); 00808 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len, 00809 iv_copy_len ); 00810 } 00811 else 00812 #endif /* MBEDTLS_SSL_CLI_C */ 00813 #if defined(MBEDTLS_SSL_SRV_C) 00814 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 00815 { 00816 key1 = keyblk + mac_key_len * 2 + transform->keylen; 00817 key2 = keyblk + mac_key_len * 2; 00818 00819 mac_enc = keyblk + mac_key_len; 00820 mac_dec = keyblk; 00821 00822 /* 00823 * This is not used in TLS v1.1. 00824 */ 00825 iv_copy_len = ( transform->fixed_ivlen ) ? 00826 transform->fixed_ivlen : transform->ivlen; 00827 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len ); 00828 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len, 00829 iv_copy_len ); 00830 } 00831 else 00832 #endif /* MBEDTLS_SSL_SRV_C */ 00833 { 00834 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00835 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00836 } 00837 00838 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00839 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00840 { 00841 if( mac_key_len > sizeof transform->mac_enc ) 00842 { 00843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00844 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00845 } 00846 00847 memcpy( transform->mac_enc, mac_enc, mac_key_len ); 00848 memcpy( transform->mac_dec, mac_dec, mac_key_len ); 00849 } 00850 else 00851 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00852 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 00853 defined(MBEDTLS_SSL_PROTO_TLS1_2) 00854 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 00855 { 00856 /* For HMAC-based ciphersuites, initialize the HMAC transforms. 00857 For AEAD-based ciphersuites, there is nothing to do here. */ 00858 if( mac_key_len != 0 ) 00859 { 00860 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len ); 00861 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len ); 00862 } 00863 } 00864 else 00865 #endif 00866 { 00867 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00868 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00869 } 00870 00871 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00872 if( mbedtls_ssl_hw_record_init != NULL ) 00873 { 00874 int ret = 0; 00875 00876 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) ); 00877 00878 if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen, 00879 transform->iv_enc, transform->iv_dec, 00880 iv_copy_len, 00881 mac_enc, mac_dec, 00882 mac_key_len ) ) != 0 ) 00883 { 00884 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret ); 00885 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 00886 } 00887 } 00888 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00889 00890 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 00891 if( ssl->conf->f_export_keys != NULL ) 00892 { 00893 ssl->conf->f_export_keys( ssl->conf->p_export_keys, 00894 session->master, keyblk, 00895 mac_key_len, transform->keylen, 00896 iv_copy_len ); 00897 } 00898 #endif 00899 00900 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, 00901 cipher_info ) ) != 0 ) 00902 { 00903 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00904 return( ret ); 00905 } 00906 00907 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec, 00908 cipher_info ) ) != 0 ) 00909 { 00910 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00911 return( ret ); 00912 } 00913 00914 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1, 00915 cipher_info->key_bitlen, 00916 MBEDTLS_ENCRYPT ) ) != 0 ) 00917 { 00918 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00919 return( ret ); 00920 } 00921 00922 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2, 00923 cipher_info->key_bitlen, 00924 MBEDTLS_DECRYPT ) ) != 0 ) 00925 { 00926 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00927 return( ret ); 00928 } 00929 00930 #if defined(MBEDTLS_CIPHER_MODE_CBC) 00931 if( cipher_info->mode == MBEDTLS_MODE_CBC ) 00932 { 00933 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc, 00934 MBEDTLS_PADDING_NONE ) ) != 0 ) 00935 { 00936 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00937 return( ret ); 00938 } 00939 00940 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec, 00941 MBEDTLS_PADDING_NONE ) ) != 0 ) 00942 { 00943 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00944 return( ret ); 00945 } 00946 } 00947 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 00948 00949 mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) ); 00950 00951 #if defined(MBEDTLS_ZLIB_SUPPORT) 00952 // Initialize compression 00953 // 00954 if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 00955 { 00956 if( ssl->compress_buf == NULL ) 00957 { 00958 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) ); 00959 ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN ); 00960 if( ssl->compress_buf == NULL ) 00961 { 00962 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 00963 MBEDTLS_SSL_BUFFER_LEN ) ); 00964 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00965 } 00966 } 00967 00968 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) ); 00969 00970 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) ); 00971 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) ); 00972 00973 if( deflateInit( &transform->ctx_deflate, 00974 Z_DEFAULT_COMPRESSION ) != Z_OK || 00975 inflateInit( &transform->ctx_inflate ) != Z_OK ) 00976 { 00977 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) ); 00978 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 00979 } 00980 } 00981 #endif /* MBEDTLS_ZLIB_SUPPORT */ 00982 00983 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) ); 00984 00985 return( 0 ); 00986 } 00987 00988 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00989 void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 00990 { 00991 mbedtls_md5_context md5; 00992 mbedtls_sha1_context sha1; 00993 unsigned char pad_1[48]; 00994 unsigned char pad_2[48]; 00995 00996 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) ); 00997 00998 mbedtls_md5_init( &md5 ); 00999 mbedtls_sha1_init( &sha1 ); 01000 01001 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 01002 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 01003 01004 memset( pad_1, 0x36, 48 ); 01005 memset( pad_2, 0x5C, 48 ); 01006 01007 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 ); 01008 mbedtls_md5_update_ret( &md5, pad_1, 48 ); 01009 mbedtls_md5_finish_ret( &md5, hash ); 01010 01011 mbedtls_md5_starts_ret( &md5 ); 01012 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 ); 01013 mbedtls_md5_update_ret( &md5, pad_2, 48 ); 01014 mbedtls_md5_update_ret( &md5, hash, 16 ); 01015 mbedtls_md5_finish_ret( &md5, hash ); 01016 01017 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 ); 01018 mbedtls_sha1_update_ret( &sha1, pad_1, 40 ); 01019 mbedtls_sha1_finish_ret( &sha1, hash + 16 ); 01020 01021 mbedtls_sha1_starts_ret( &sha1 ); 01022 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 ); 01023 mbedtls_sha1_update_ret( &sha1, pad_2, 40 ); 01024 mbedtls_sha1_update_ret( &sha1, hash + 16, 20 ); 01025 mbedtls_sha1_finish_ret( &sha1, hash + 16 ); 01026 01027 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01028 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01029 01030 mbedtls_md5_free( &md5 ); 01031 mbedtls_sha1_free( &sha1 ); 01032 01033 return; 01034 } 01035 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01036 01037 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 01038 void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 01039 { 01040 mbedtls_md5_context md5; 01041 mbedtls_sha1_context sha1; 01042 01043 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) ); 01044 01045 mbedtls_md5_init( &md5 ); 01046 mbedtls_sha1_init( &sha1 ); 01047 01048 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 01049 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 01050 01051 mbedtls_md5_finish_ret( &md5, hash ); 01052 mbedtls_sha1_finish_ret( &sha1, hash + 16 ); 01053 01054 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01055 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01056 01057 mbedtls_md5_free( &md5 ); 01058 mbedtls_sha1_free( &sha1 ); 01059 01060 return; 01061 } 01062 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 01063 01064 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 01065 #if defined(MBEDTLS_SHA256_C) 01066 void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] ) 01067 { 01068 mbedtls_sha256_context sha256; 01069 01070 mbedtls_sha256_init( &sha256 ); 01071 01072 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) ); 01073 01074 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 01075 mbedtls_sha256_finish_ret( &sha256, hash ); 01076 01077 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 ); 01078 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01079 01080 mbedtls_sha256_free( &sha256 ); 01081 01082 return; 01083 } 01084 #endif /* MBEDTLS_SHA256_C */ 01085 01086 #if defined(MBEDTLS_SHA512_C) 01087 void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] ) 01088 { 01089 mbedtls_sha512_context sha512; 01090 01091 mbedtls_sha512_init( &sha512 ); 01092 01093 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) ); 01094 01095 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 01096 mbedtls_sha512_finish_ret( &sha512, hash ); 01097 01098 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 ); 01099 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01100 01101 mbedtls_sha512_free( &sha512 ); 01102 01103 return; 01104 } 01105 #endif /* MBEDTLS_SHA512_C */ 01106 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 01107 01108 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 01109 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ) 01110 { 01111 unsigned char *p = ssl->handshake->premaster; 01112 unsigned char *end = p + sizeof( ssl->handshake->premaster ); 01113 const unsigned char *psk = ssl->conf->psk; 01114 size_t psk_len = ssl->conf->psk_len; 01115 01116 /* If the psk callback was called, use its result */ 01117 if( ssl->handshake->psk != NULL ) 01118 { 01119 psk = ssl->handshake->psk; 01120 psk_len = ssl->handshake->psk_len; 01121 } 01122 01123 /* 01124 * PMS = struct { 01125 * opaque other_secret<0..2^16-1>; 01126 * opaque psk<0..2^16-1>; 01127 * }; 01128 * with "other_secret" depending on the particular key exchange 01129 */ 01130 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 01131 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK ) 01132 { 01133 if( end - p < 2 ) 01134 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01135 01136 *(p++) = (unsigned char)( psk_len >> 8 ); 01137 *(p++) = (unsigned char)( psk_len ); 01138 01139 if( end < p || (size_t)( end - p ) < psk_len ) 01140 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01141 01142 memset( p, 0, psk_len ); 01143 p += psk_len; 01144 } 01145 else 01146 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 01147 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 01148 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 01149 { 01150 /* 01151 * other_secret already set by the ClientKeyExchange message, 01152 * and is 48 bytes long 01153 */ 01154 *p++ = 0; 01155 *p++ = 48; 01156 p += 48; 01157 } 01158 else 01159 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 01160 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01161 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 01162 { 01163 int ret; 01164 size_t len; 01165 01166 /* Write length only when we know the actual value */ 01167 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 01168 p + 2, end - ( p + 2 ), &len, 01169 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01170 { 01171 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 01172 return( ret ); 01173 } 01174 *(p++) = (unsigned char)( len >> 8 ); 01175 *(p++) = (unsigned char)( len ); 01176 p += len; 01177 01178 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 01179 } 01180 else 01181 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01182 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01183 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 01184 { 01185 int ret; 01186 size_t zlen; 01187 01188 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen, 01189 p + 2, end - ( p + 2 ), 01190 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01191 { 01192 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 01193 return( ret ); 01194 } 01195 01196 *(p++) = (unsigned char)( zlen >> 8 ); 01197 *(p++) = (unsigned char)( zlen ); 01198 p += zlen; 01199 01200 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 01201 } 01202 else 01203 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01204 { 01205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01206 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01207 } 01208 01209 /* opaque psk<0..2^16-1>; */ 01210 if( end - p < 2 ) 01211 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01212 01213 *(p++) = (unsigned char)( psk_len >> 8 ); 01214 *(p++) = (unsigned char)( psk_len ); 01215 01216 if( end < p || (size_t)( end - p ) < psk_len ) 01217 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01218 01219 memcpy( p, psk, psk_len ); 01220 p += psk_len; 01221 01222 ssl->handshake->pmslen = p - ssl->handshake->premaster; 01223 01224 return( 0 ); 01225 } 01226 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01227 01228 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01229 /* 01230 * SSLv3.0 MAC functions 01231 */ 01232 #define SSL_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */ 01233 static void ssl_mac( mbedtls_md_context_t *md_ctx, 01234 const unsigned char *secret, 01235 const unsigned char *buf, size_t len, 01236 const unsigned char *ctr, int type, 01237 unsigned char out[SSL_MAC_MAX_BYTES] ) 01238 { 01239 unsigned char header[11]; 01240 unsigned char padding[48]; 01241 int padlen; 01242 int md_size = mbedtls_md_get_size( md_ctx->md_info ); 01243 int md_type = mbedtls_md_get_type( md_ctx->md_info ); 01244 01245 /* Only MD5 and SHA-1 supported */ 01246 if( md_type == MBEDTLS_MD_MD5 ) 01247 padlen = 48; 01248 else 01249 padlen = 40; 01250 01251 memcpy( header, ctr, 8 ); 01252 header[ 8] = (unsigned char) type; 01253 header[ 9] = (unsigned char)( len >> 8 ); 01254 header[10] = (unsigned char)( len ); 01255 01256 memset( padding, 0x36, padlen ); 01257 mbedtls_md_starts( md_ctx ); 01258 mbedtls_md_update( md_ctx, secret, md_size ); 01259 mbedtls_md_update( md_ctx, padding, padlen ); 01260 mbedtls_md_update( md_ctx, header, 11 ); 01261 mbedtls_md_update( md_ctx, buf, len ); 01262 mbedtls_md_finish( md_ctx, out ); 01263 01264 memset( padding, 0x5C, padlen ); 01265 mbedtls_md_starts( md_ctx ); 01266 mbedtls_md_update( md_ctx, secret, md_size ); 01267 mbedtls_md_update( md_ctx, padding, padlen ); 01268 mbedtls_md_update( md_ctx, out, md_size ); 01269 mbedtls_md_finish( md_ctx, out ); 01270 } 01271 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01272 01273 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ 01274 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01275 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C)) ) 01276 #define SSL_SOME_MODES_USE_MAC 01277 #endif 01278 01279 /* 01280 * Encryption/decryption functions 01281 */ 01282 static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) 01283 { 01284 mbedtls_cipher_mode_t mode; 01285 int auth_done = 0; 01286 01287 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) ); 01288 01289 if( ssl->session_out == NULL || ssl->transform_out == NULL ) 01290 { 01291 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01292 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01293 } 01294 01295 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ); 01296 01297 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", 01298 ssl->out_msg, ssl->out_msglen ); 01299 01300 if( ssl->out_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 01301 { 01302 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d", 01303 (unsigned) ssl->out_msglen, 01304 MBEDTLS_SSL_MAX_CONTENT_LEN ) ); 01305 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01306 } 01307 01308 /* 01309 * Add MAC before if needed 01310 */ 01311 #if defined(SSL_SOME_MODES_USE_MAC) 01312 if( mode == MBEDTLS_MODE_STREAM || 01313 ( mode == MBEDTLS_MODE_CBC 01314 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01315 && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED 01316 #endif 01317 ) ) 01318 { 01319 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01320 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01321 { 01322 unsigned char mac[SSL_MAC_MAX_BYTES]; 01323 01324 ssl_mac( &ssl->transform_out->md_ctx_enc, 01325 ssl->transform_out->mac_enc, 01326 ssl->out_msg, ssl->out_msglen, 01327 ssl->out_ctr, ssl->out_msgtype, 01328 mac ); 01329 01330 memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen ); 01331 } 01332 else 01333 #endif 01334 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01335 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01336 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 01337 { 01338 unsigned char mac[MBEDTLS_SSL_MAC_ADD]; 01339 01340 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 ); 01341 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 ); 01342 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 ); 01343 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01344 ssl->out_msg, ssl->out_msglen ); 01345 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac ); 01346 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01347 01348 memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen ); 01349 } 01350 else 01351 #endif 01352 { 01353 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01354 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01355 } 01356 01357 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", 01358 ssl->out_msg + ssl->out_msglen, 01359 ssl->transform_out->maclen ); 01360 01361 ssl->out_msglen += ssl->transform_out->maclen; 01362 auth_done++; 01363 } 01364 #endif /* AEAD not the only option */ 01365 01366 /* 01367 * Encrypt 01368 */ 01369 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01370 if( mode == MBEDTLS_MODE_STREAM ) 01371 { 01372 int ret; 01373 size_t olen = 0; 01374 01375 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01376 "including %d bytes of padding", 01377 ssl->out_msglen, 0 ) ); 01378 01379 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01380 ssl->transform_out->iv_enc, 01381 ssl->transform_out->ivlen, 01382 ssl->out_msg, ssl->out_msglen, 01383 ssl->out_msg, &olen ) ) != 0 ) 01384 { 01385 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01386 return( ret ); 01387 } 01388 01389 if( ssl->out_msglen != olen ) 01390 { 01391 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01392 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01393 } 01394 } 01395 else 01396 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01397 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01398 if( mode == MBEDTLS_MODE_GCM || 01399 mode == MBEDTLS_MODE_CCM ) 01400 { 01401 int ret; 01402 size_t enc_msglen, olen; 01403 unsigned char *enc_msg; 01404 unsigned char add_data[13]; 01405 unsigned char taglen = ssl->transform_out->ciphersuite_info->flags & 01406 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01407 01408 memcpy( add_data, ssl->out_ctr, 8 ); 01409 add_data[8] = ssl->out_msgtype; 01410 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01411 ssl->conf->transport, add_data + 9 ); 01412 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF; 01413 add_data[12] = ssl->out_msglen & 0xFF; 01414 01415 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01416 add_data, 13 ); 01417 01418 /* 01419 * Generate IV 01420 */ 01421 if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 ) 01422 { 01423 /* Reminder if we ever add an AEAD mode with a different size */ 01424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01425 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01426 } 01427 01428 memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01429 ssl->out_ctr, 8 ); 01430 memcpy( ssl->out_iv, ssl->out_ctr, 8 ); 01431 01432 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv, 01433 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01434 01435 /* 01436 * Fix pointer positions and message length with added IV 01437 */ 01438 enc_msg = ssl->out_msg; 01439 enc_msglen = ssl->out_msglen; 01440 ssl->out_msglen += ssl->transform_out->ivlen - 01441 ssl->transform_out->fixed_ivlen; 01442 01443 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01444 "including %d bytes of padding", 01445 ssl->out_msglen, 0 ) ); 01446 01447 /* 01448 * Encrypt and authenticate 01449 */ 01450 if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc, 01451 ssl->transform_out->iv_enc, 01452 ssl->transform_out->ivlen, 01453 add_data, 13, 01454 enc_msg, enc_msglen, 01455 enc_msg, &olen, 01456 enc_msg + enc_msglen, taglen ) ) != 0 ) 01457 { 01458 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret ); 01459 return( ret ); 01460 } 01461 01462 if( olen != enc_msglen ) 01463 { 01464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01465 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01466 } 01467 01468 ssl->out_msglen += taglen; 01469 auth_done++; 01470 01471 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen ); 01472 } 01473 else 01474 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01475 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01476 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) ) 01477 if( mode == MBEDTLS_MODE_CBC ) 01478 { 01479 int ret; 01480 unsigned char *enc_msg; 01481 size_t enc_msglen, padlen, olen = 0, i; 01482 01483 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) % 01484 ssl->transform_out->ivlen; 01485 if( padlen == ssl->transform_out->ivlen ) 01486 padlen = 0; 01487 01488 for( i = 0; i <= padlen; i++ ) 01489 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen; 01490 01491 ssl->out_msglen += padlen + 1; 01492 01493 enc_msglen = ssl->out_msglen; 01494 enc_msg = ssl->out_msg; 01495 01496 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01497 /* 01498 * Prepend per-record IV for block cipher in TLS v1.1 and up as per 01499 * Method 1 (6.2.3.2. in RFC4346 and RFC5246) 01500 */ 01501 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01502 { 01503 /* 01504 * Generate IV 01505 */ 01506 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc, 01507 ssl->transform_out->ivlen ); 01508 if( ret != 0 ) 01509 return( ret ); 01510 01511 memcpy( ssl->out_iv, ssl->transform_out->iv_enc, 01512 ssl->transform_out->ivlen ); 01513 01514 /* 01515 * Fix pointer positions and message length with added IV 01516 */ 01517 enc_msg = ssl->out_msg; 01518 enc_msglen = ssl->out_msglen; 01519 ssl->out_msglen += ssl->transform_out->ivlen; 01520 } 01521 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01522 01523 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01524 "including %d bytes of IV and %d bytes of padding", 01525 ssl->out_msglen, ssl->transform_out->ivlen, 01526 padlen + 1 ) ); 01527 01528 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01529 ssl->transform_out->iv_enc, 01530 ssl->transform_out->ivlen, 01531 enc_msg, enc_msglen, 01532 enc_msg, &olen ) ) != 0 ) 01533 { 01534 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01535 return( ret ); 01536 } 01537 01538 if( enc_msglen != olen ) 01539 { 01540 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01541 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01542 } 01543 01544 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01545 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01546 { 01547 /* 01548 * Save IV in SSL3 and TLS1 01549 */ 01550 memcpy( ssl->transform_out->iv_enc, 01551 ssl->transform_out->cipher_ctx_enc.iv, 01552 ssl->transform_out->ivlen ); 01553 } 01554 #endif 01555 01556 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01557 if( auth_done == 0 ) 01558 { 01559 /* 01560 * MAC(MAC_write_key, seq_num + 01561 * TLSCipherText.type + 01562 * TLSCipherText.version + 01563 * length_of( (IV +) ENC(...) ) + 01564 * IV + // except for TLS 1.0 01565 * ENC(content + padding + padding_length)); 01566 */ 01567 unsigned char pseudo_hdr[13]; 01568 01569 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01570 01571 memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 ); 01572 memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 ); 01573 pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF ); 01574 pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF ); 01575 01576 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01577 01578 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 ); 01579 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01580 ssl->out_iv, ssl->out_msglen ); 01581 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, 01582 ssl->out_iv + ssl->out_msglen ); 01583 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01584 01585 ssl->out_msglen += ssl->transform_out->maclen; 01586 auth_done++; 01587 } 01588 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01589 } 01590 else 01591 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01592 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */ 01593 { 01594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01595 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01596 } 01597 01598 /* Make extra sure authentication was performed, exactly once */ 01599 if( auth_done != 1 ) 01600 { 01601 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01602 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01603 } 01604 01605 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); 01606 01607 return( 0 ); 01608 } 01609 01610 static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) 01611 { 01612 size_t i; 01613 mbedtls_cipher_mode_t mode; 01614 int auth_done = 0; 01615 #if defined(SSL_SOME_MODES_USE_MAC) 01616 size_t padlen = 0, correct = 1; 01617 #endif 01618 01619 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); 01620 01621 if( ssl->session_in == NULL || ssl->transform_in == NULL ) 01622 { 01623 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01624 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01625 } 01626 01627 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec ); 01628 01629 if( ssl->in_msglen < ssl->transform_in->minlen ) 01630 { 01631 MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)", 01632 ssl->in_msglen, ssl->transform_in->minlen ) ); 01633 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01634 } 01635 01636 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01637 if( mode == MBEDTLS_MODE_STREAM ) 01638 { 01639 int ret; 01640 size_t olen = 0; 01641 01642 padlen = 0; 01643 01644 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01645 ssl->transform_in->iv_dec, 01646 ssl->transform_in->ivlen, 01647 ssl->in_msg, ssl->in_msglen, 01648 ssl->in_msg, &olen ) ) != 0 ) 01649 { 01650 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01651 return( ret ); 01652 } 01653 01654 if( ssl->in_msglen != olen ) 01655 { 01656 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01657 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01658 } 01659 } 01660 else 01661 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01662 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01663 if( mode == MBEDTLS_MODE_GCM || 01664 mode == MBEDTLS_MODE_CCM ) 01665 { 01666 int ret; 01667 size_t dec_msglen, olen; 01668 unsigned char *dec_msg; 01669 unsigned char *dec_msg_result; 01670 unsigned char add_data[13]; 01671 unsigned char taglen = ssl->transform_in->ciphersuite_info->flags & 01672 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01673 size_t explicit_iv_len = ssl->transform_in->ivlen - 01674 ssl->transform_in->fixed_ivlen; 01675 01676 if( ssl->in_msglen < explicit_iv_len + taglen ) 01677 { 01678 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) " 01679 "+ taglen (%d)", ssl->in_msglen, 01680 explicit_iv_len, taglen ) ); 01681 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01682 } 01683 dec_msglen = ssl->in_msglen - explicit_iv_len - taglen; 01684 01685 dec_msg = ssl->in_msg; 01686 dec_msg_result = ssl->in_msg; 01687 ssl->in_msglen = dec_msglen; 01688 01689 memcpy( add_data, ssl->in_ctr, 8 ); 01690 add_data[8] = ssl->in_msgtype; 01691 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01692 ssl->conf->transport, add_data + 9 ); 01693 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF; 01694 add_data[12] = ssl->in_msglen & 0xFF; 01695 01696 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01697 add_data, 13 ); 01698 01699 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen, 01700 ssl->in_iv, 01701 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen ); 01702 01703 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec, 01704 ssl->transform_in->ivlen ); 01705 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen ); 01706 01707 /* 01708 * Decrypt and authenticate 01709 */ 01710 if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec, 01711 ssl->transform_in->iv_dec, 01712 ssl->transform_in->ivlen, 01713 add_data, 13, 01714 dec_msg, dec_msglen, 01715 dec_msg_result, &olen, 01716 dec_msg + dec_msglen, taglen ) ) != 0 ) 01717 { 01718 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret ); 01719 01720 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) 01721 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01722 01723 return( ret ); 01724 } 01725 auth_done++; 01726 01727 if( olen != dec_msglen ) 01728 { 01729 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01730 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01731 } 01732 } 01733 else 01734 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01735 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01736 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) ) 01737 if( mode == MBEDTLS_MODE_CBC ) 01738 { 01739 /* 01740 * Decrypt and check the padding 01741 */ 01742 int ret; 01743 unsigned char *dec_msg; 01744 unsigned char *dec_msg_result; 01745 size_t dec_msglen; 01746 size_t minlen = 0; 01747 size_t olen = 0; 01748 01749 /* 01750 * Check immediate ciphertext sanity 01751 */ 01752 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01753 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01754 minlen += ssl->transform_in->ivlen; 01755 #endif 01756 01757 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen || 01758 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 ) 01759 { 01760 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) " 01761 "+ 1 ) ( + expl IV )", ssl->in_msglen, 01762 ssl->transform_in->ivlen, 01763 ssl->transform_in->maclen ) ); 01764 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01765 } 01766 01767 dec_msglen = ssl->in_msglen; 01768 dec_msg = ssl->in_msg; 01769 dec_msg_result = ssl->in_msg; 01770 01771 /* 01772 * Authenticate before decrypt if enabled 01773 */ 01774 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01775 if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 01776 { 01777 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; 01778 unsigned char pseudo_hdr[13]; 01779 01780 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01781 01782 dec_msglen -= ssl->transform_in->maclen; 01783 ssl->in_msglen -= ssl->transform_in->maclen; 01784 01785 memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 ); 01786 memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 ); 01787 pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF ); 01788 pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF ); 01789 01790 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01791 01792 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 ); 01793 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, 01794 ssl->in_iv, ssl->in_msglen ); 01795 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect ); 01796 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 01797 01798 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen, 01799 ssl->transform_in->maclen ); 01800 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, 01801 ssl->transform_in->maclen ); 01802 01803 if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect, 01804 ssl->transform_in->maclen ) != 0 ) 01805 { 01806 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 01807 01808 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01809 } 01810 auth_done++; 01811 } 01812 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01813 01814 /* 01815 * Check length sanity 01816 */ 01817 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 ) 01818 { 01819 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0", 01820 ssl->in_msglen, ssl->transform_in->ivlen ) ); 01821 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01822 } 01823 01824 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01825 /* 01826 * Initialize for prepended IV for block cipher in TLS v1.1 and up 01827 */ 01828 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01829 { 01830 dec_msglen -= ssl->transform_in->ivlen; 01831 ssl->in_msglen -= ssl->transform_in->ivlen; 01832 01833 for( i = 0; i < ssl->transform_in->ivlen; i++ ) 01834 ssl->transform_in->iv_dec[i] = ssl->in_iv[i]; 01835 } 01836 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01837 01838 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01839 ssl->transform_in->iv_dec, 01840 ssl->transform_in->ivlen, 01841 dec_msg, dec_msglen, 01842 dec_msg_result, &olen ) ) != 0 ) 01843 { 01844 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01845 return( ret ); 01846 } 01847 01848 if( dec_msglen != olen ) 01849 { 01850 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01851 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01852 } 01853 01854 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01855 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01856 { 01857 /* 01858 * Save IV in SSL3 and TLS1 01859 */ 01860 memcpy( ssl->transform_in->iv_dec, 01861 ssl->transform_in->cipher_ctx_dec.iv, 01862 ssl->transform_in->ivlen ); 01863 } 01864 #endif 01865 01866 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1]; 01867 01868 if( ssl->in_msglen < ssl->transform_in->maclen + padlen && 01869 auth_done == 0 ) 01870 { 01871 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01872 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)", 01873 ssl->in_msglen, ssl->transform_in->maclen, padlen ) ); 01874 #endif 01875 padlen = 0; 01876 correct = 0; 01877 } 01878 01879 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01880 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01881 { 01882 if( padlen > ssl->transform_in->ivlen ) 01883 { 01884 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01885 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, " 01886 "should be no more than %d", 01887 padlen, ssl->transform_in->ivlen ) ); 01888 #endif 01889 correct = 0; 01890 } 01891 } 01892 else 01893 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01894 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01895 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01896 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01897 { 01898 /* 01899 * TLSv1+: always check the padding up to the first failure 01900 * and fake check up to 256 bytes of padding 01901 */ 01902 size_t pad_count = 0, real_count = 1; 01903 size_t padding_idx = ssl->in_msglen - padlen - 1; 01904 01905 /* 01906 * Padding is guaranteed to be incorrect if: 01907 * 1. padlen >= ssl->in_msglen 01908 * 01909 * 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN + 01910 * ssl->transform_in->maclen 01911 * 01912 * In both cases we reset padding_idx to a safe value (0) to 01913 * prevent out-of-buffer reads. 01914 */ 01915 correct &= ( ssl->in_msglen >= padlen + 1 ); 01916 correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN + 01917 ssl->transform_in->maclen ); 01918 01919 padding_idx *= correct; 01920 01921 for( i = 1; i <= 256; i++ ) 01922 { 01923 real_count &= ( i <= padlen ); 01924 pad_count += real_count * 01925 ( ssl->in_msg[padding_idx + i] == padlen - 1 ); 01926 } 01927 01928 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */ 01929 01930 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01931 if( padlen > 0 && correct == 0 ) 01932 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); 01933 #endif 01934 padlen &= correct * 0x1FF; 01935 } 01936 else 01937 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 01938 MBEDTLS_SSL_PROTO_TLS1_2 */ 01939 { 01940 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01941 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01942 } 01943 01944 ssl->in_msglen -= padlen; 01945 } 01946 else 01947 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01948 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */ 01949 { 01950 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01951 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01952 } 01953 01954 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption", 01955 ssl->in_msg, ssl->in_msglen ); 01956 01957 /* 01958 * Authenticate if not done yet. 01959 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME). 01960 */ 01961 #if defined(SSL_SOME_MODES_USE_MAC) 01962 if( auth_done == 0 ) 01963 { 01964 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; 01965 01966 ssl->in_msglen -= ssl->transform_in->maclen; 01967 01968 ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 ); 01969 ssl->in_len[1] = (unsigned char)( ssl->in_msglen ); 01970 01971 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01972 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01973 { 01974 ssl_mac( &ssl->transform_in->md_ctx_dec, 01975 ssl->transform_in->mac_dec, 01976 ssl->in_msg, ssl->in_msglen, 01977 ssl->in_ctr, ssl->in_msgtype, 01978 mac_expect ); 01979 } 01980 else 01981 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01982 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01983 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01984 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01985 { 01986 /* 01987 * Process MAC and always update for padlen afterwards to make 01988 * total time independent of padlen 01989 * 01990 * extra_run compensates MAC check for padlen 01991 * 01992 * Known timing attacks: 01993 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf) 01994 * 01995 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values 01996 * correctly. (We round down instead of up, so -56 is the correct 01997 * value for our calculations instead of -55) 01998 */ 01999 size_t j, extra_run = 0; 02000 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 - 02001 ( 13 + ssl->in_msglen + 8 ) / 64; 02002 02003 extra_run &= correct * 0xFF; 02004 02005 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 ); 02006 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 ); 02007 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 ); 02008 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg, 02009 ssl->in_msglen ); 02010 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect ); 02011 /* Call mbedtls_md_process at least once due to cache attacks */ 02012 for( j = 0; j < extra_run + 1; j++ ) 02013 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg ); 02014 02015 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 02016 } 02017 else 02018 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02019 MBEDTLS_SSL_PROTO_TLS1_2 */ 02020 { 02021 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02022 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02023 } 02024 02025 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen ); 02026 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_msg + ssl->in_msglen, 02027 ssl->transform_in->maclen ); 02028 02029 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect, 02030 ssl->transform_in->maclen ) != 0 ) 02031 { 02032 #if defined(MBEDTLS_SSL_DEBUG_ALL) 02033 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 02034 #endif 02035 correct = 0; 02036 } 02037 auth_done++; 02038 02039 /* 02040 * Finally check the correct flag 02041 */ 02042 if( correct == 0 ) 02043 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02044 } 02045 #endif /* SSL_SOME_MODES_USE_MAC */ 02046 02047 /* Make extra sure authentication was performed, exactly once */ 02048 if( auth_done != 1 ) 02049 { 02050 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02051 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02052 } 02053 02054 if( ssl->in_msglen == 0 ) 02055 { 02056 ssl->nb_zero++; 02057 02058 /* 02059 * Three or more empty messages may be a DoS attack 02060 * (excessive CPU consumption). 02061 */ 02062 if( ssl->nb_zero > 3 ) 02063 { 02064 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty " 02065 "messages, possible DoS attack" ) ); 02066 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02067 } 02068 } 02069 else 02070 ssl->nb_zero = 0; 02071 02072 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02073 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02074 { 02075 ; /* in_ctr read from peer, not maintained internally */ 02076 } 02077 else 02078 #endif 02079 { 02080 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02081 if( ++ssl->in_ctr[i - 1] != 0 ) 02082 break; 02083 02084 /* The loop goes to its end iff the counter is wrapping */ 02085 if( i == ssl_ep_len( ssl ) ) 02086 { 02087 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); 02088 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02089 } 02090 } 02091 02092 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); 02093 02094 return( 0 ); 02095 } 02096 02097 #undef MAC_NONE 02098 #undef MAC_PLAINTEXT 02099 #undef MAC_CIPHERTEXT 02100 02101 #if defined(MBEDTLS_ZLIB_SUPPORT) 02102 /* 02103 * Compression/decompression functions 02104 */ 02105 static int ssl_compress_buf( mbedtls_ssl_context *ssl ) 02106 { 02107 int ret; 02108 unsigned char *msg_post = ssl->out_msg; 02109 ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf; 02110 size_t len_pre = ssl->out_msglen; 02111 unsigned char *msg_pre = ssl->compress_buf; 02112 02113 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) ); 02114 02115 if( len_pre == 0 ) 02116 return( 0 ); 02117 02118 memcpy( msg_pre, ssl->out_msg, len_pre ); 02119 02120 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ", 02121 ssl->out_msglen ) ); 02122 02123 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload", 02124 ssl->out_msg, ssl->out_msglen ); 02125 02126 ssl->transform_out->ctx_deflate.next_in = msg_pre; 02127 ssl->transform_out->ctx_deflate.avail_in = len_pre; 02128 ssl->transform_out->ctx_deflate.next_out = msg_post; 02129 ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN - bytes_written; 02130 02131 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH ); 02132 if( ret != Z_OK ) 02133 { 02134 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) ); 02135 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02136 } 02137 02138 ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN - 02139 ssl->transform_out->ctx_deflate.avail_out - bytes_written; 02140 02141 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ", 02142 ssl->out_msglen ) ); 02143 02144 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload", 02145 ssl->out_msg, ssl->out_msglen ); 02146 02147 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) ); 02148 02149 return( 0 ); 02150 } 02151 02152 static int ssl_decompress_buf( mbedtls_ssl_context *ssl ) 02153 { 02154 int ret; 02155 unsigned char *msg_post = ssl->in_msg; 02156 ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf; 02157 size_t len_pre = ssl->in_msglen; 02158 unsigned char *msg_pre = ssl->compress_buf; 02159 02160 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) ); 02161 02162 if( len_pre == 0 ) 02163 return( 0 ); 02164 02165 memcpy( msg_pre, ssl->in_msg, len_pre ); 02166 02167 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ", 02168 ssl->in_msglen ) ); 02169 02170 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload", 02171 ssl->in_msg, ssl->in_msglen ); 02172 02173 ssl->transform_in->ctx_inflate.next_in = msg_pre; 02174 ssl->transform_in->ctx_inflate.avail_in = len_pre; 02175 ssl->transform_in->ctx_inflate.next_out = msg_post; 02176 ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_BUFFER_LEN - 02177 header_bytes; 02178 02179 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH ); 02180 if( ret != Z_OK ) 02181 { 02182 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) ); 02183 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02184 } 02185 02186 ssl->in_msglen = MBEDTLS_SSL_BUFFER_LEN - 02187 ssl->transform_in->ctx_inflate.avail_out - header_bytes; 02188 02189 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ", 02190 ssl->in_msglen ) ); 02191 02192 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload", 02193 ssl->in_msg, ssl->in_msglen ); 02194 02195 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) ); 02196 02197 return( 0 ); 02198 } 02199 #endif /* MBEDTLS_ZLIB_SUPPORT */ 02200 02201 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02202 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ); 02203 02204 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02205 static int ssl_resend_hello_request( mbedtls_ssl_context *ssl ) 02206 { 02207 /* If renegotiation is not enforced, retransmit until we would reach max 02208 * timeout if we were using the usual handshake doubling scheme */ 02209 if( ssl->conf->renego_max_records < 0 ) 02210 { 02211 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; 02212 unsigned char doublings = 1; 02213 02214 while( ratio != 0 ) 02215 { 02216 ++doublings; 02217 ratio >>= 1; 02218 } 02219 02220 if( ++ssl->renego_records_seen > doublings ) 02221 { 02222 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) ); 02223 return( 0 ); 02224 } 02225 } 02226 02227 return( ssl_write_hello_request( ssl ) ); 02228 } 02229 #endif 02230 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02231 02232 /* 02233 * Fill the input message buffer by appending data to it. 02234 * The amount of data already fetched is in ssl->in_left. 02235 * 02236 * If we return 0, is it guaranteed that (at least) nb_want bytes are 02237 * available (from this read and/or a previous one). Otherwise, an error code 02238 * is returned (possibly EOF or WANT_READ). 02239 * 02240 * With stream transport (TLS) on success ssl->in_left == nb_want, but 02241 * with datagram transport (DTLS) on success ssl->in_left >= nb_want, 02242 * since we always read a whole datagram at once. 02243 * 02244 * For DTLS, it is up to the caller to set ssl->next_record_offset when 02245 * they're done reading a record. 02246 */ 02247 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) 02248 { 02249 int ret; 02250 size_t len; 02251 02252 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) ); 02253 02254 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) 02255 { 02256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02257 "or mbedtls_ssl_set_bio()" ) ); 02258 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02259 } 02260 02261 if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) ) 02262 { 02263 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) ); 02264 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02265 } 02266 02267 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02268 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02269 { 02270 uint32_t timeout; 02271 02272 /* Just to be sure */ 02273 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) 02274 { 02275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use " 02276 "mbedtls_ssl_set_timer_cb() for DTLS" ) ); 02277 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02278 } 02279 02280 /* 02281 * The point is, we need to always read a full datagram at once, so we 02282 * sometimes read more then requested, and handle the additional data. 02283 * It could be the rest of the current record (while fetching the 02284 * header) and/or some other records in the same datagram. 02285 */ 02286 02287 /* 02288 * Move to the next record in the already read datagram if applicable 02289 */ 02290 if( ssl->next_record_offset != 0 ) 02291 { 02292 if( ssl->in_left < ssl->next_record_offset ) 02293 { 02294 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02295 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02296 } 02297 02298 ssl->in_left -= ssl->next_record_offset; 02299 02300 if( ssl->in_left != 0 ) 02301 { 02302 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d", 02303 ssl->next_record_offset ) ); 02304 memmove( ssl->in_hdr, 02305 ssl->in_hdr + ssl->next_record_offset, 02306 ssl->in_left ); 02307 } 02308 02309 ssl->next_record_offset = 0; 02310 } 02311 02312 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02313 ssl->in_left, nb_want ) ); 02314 02315 /* 02316 * Done if we already have enough data. 02317 */ 02318 if( nb_want <= ssl->in_left) 02319 { 02320 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02321 return( 0 ); 02322 } 02323 02324 /* 02325 * A record can't be split accross datagrams. If we need to read but 02326 * are not at the beginning of a new record, the caller did something 02327 * wrong. 02328 */ 02329 if( ssl->in_left != 0 ) 02330 { 02331 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02332 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02333 } 02334 02335 /* 02336 * Don't even try to read if time's out already. 02337 * This avoids by-passing the timer when repeatedly receiving messages 02338 * that will end up being dropped. 02339 */ 02340 if( ssl_check_timer( ssl ) != 0 ) 02341 { 02342 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) ); 02343 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02344 } 02345 else 02346 { 02347 len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf ); 02348 02349 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02350 timeout = ssl->handshake->retransmit_timeout; 02351 else 02352 timeout = ssl->conf->read_timeout; 02353 02354 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) ); 02355 02356 if( ssl->f_recv_timeout != NULL ) 02357 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len, 02358 timeout ); 02359 else 02360 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len ); 02361 02362 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02363 02364 if( ret == 0 ) 02365 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02366 } 02367 02368 if( ret == MBEDTLS_ERR_SSL_TIMEOUT ) 02369 { 02370 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); 02371 ssl_set_timer( ssl, 0 ); 02372 02373 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02374 { 02375 if( ssl_double_retransmit_timeout( ssl ) != 0 ) 02376 { 02377 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) ); 02378 return( MBEDTLS_ERR_SSL_TIMEOUT ); 02379 } 02380 02381 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 02382 { 02383 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 02384 return( ret ); 02385 } 02386 02387 return( MBEDTLS_ERR_SSL_WANT_READ ); 02388 } 02389 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02390 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 02391 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 02392 { 02393 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 02394 { 02395 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 02396 return( ret ); 02397 } 02398 02399 return( MBEDTLS_ERR_SSL_WANT_READ ); 02400 } 02401 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02402 } 02403 02404 if( ret < 0 ) 02405 return( ret ); 02406 02407 ssl->in_left = ret; 02408 } 02409 else 02410 #endif 02411 { 02412 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02413 ssl->in_left, nb_want ) ); 02414 02415 while( ssl->in_left < nb_want ) 02416 { 02417 len = nb_want - ssl->in_left; 02418 02419 if( ssl_check_timer( ssl ) != 0 ) 02420 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02421 else 02422 { 02423 if( ssl->f_recv_timeout != NULL ) 02424 { 02425 ret = ssl->f_recv_timeout( ssl->p_bio, 02426 ssl->in_hdr + ssl->in_left, len, 02427 ssl->conf->read_timeout ); 02428 } 02429 else 02430 { 02431 ret = ssl->f_recv( ssl->p_bio, 02432 ssl->in_hdr + ssl->in_left, len ); 02433 } 02434 } 02435 02436 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02437 ssl->in_left, nb_want ) ); 02438 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02439 02440 if( ret == 0 ) 02441 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02442 02443 if( ret < 0 ) 02444 return( ret ); 02445 02446 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) ) 02447 { 02448 MBEDTLS_SSL_DEBUG_MSG( 1, 02449 ( "f_recv returned %d bytes but only %lu were requested", 02450 ret, (unsigned long)len ) ); 02451 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02452 } 02453 02454 ssl->in_left += ret; 02455 } 02456 } 02457 02458 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02459 02460 return( 0 ); 02461 } 02462 02463 /* 02464 * Flush any data not yet written 02465 */ 02466 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) 02467 { 02468 int ret; 02469 unsigned char *buf, i; 02470 02471 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) ); 02472 02473 if( ssl->f_send == NULL ) 02474 { 02475 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02476 "or mbedtls_ssl_set_bio()" ) ); 02477 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02478 } 02479 02480 /* Avoid incrementing counter if data is flushed */ 02481 if( ssl->out_left == 0 ) 02482 { 02483 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02484 return( 0 ); 02485 } 02486 02487 while( ssl->out_left > 0 ) 02488 { 02489 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d", 02490 mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) ); 02491 02492 buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) + 02493 ssl->out_msglen - ssl->out_left; 02494 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left ); 02495 02496 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret ); 02497 02498 if( ret <= 0 ) 02499 return( ret ); 02500 02501 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) ) 02502 { 02503 MBEDTLS_SSL_DEBUG_MSG( 1, 02504 ( "f_send returned %d bytes but only %lu bytes were sent", 02505 ret, (unsigned long)ssl->out_left ) ); 02506 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02507 } 02508 02509 ssl->out_left -= ret; 02510 } 02511 02512 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02513 if( ++ssl->out_ctr[i - 1] != 0 ) 02514 break; 02515 02516 /* The loop goes to its end iff the counter is wrapping */ 02517 if( i == ssl_ep_len( ssl ) ) 02518 { 02519 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) ); 02520 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02521 } 02522 02523 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02524 02525 return( 0 ); 02526 } 02527 02528 /* 02529 * Functions to handle the DTLS retransmission state machine 02530 */ 02531 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02532 /* 02533 * Append current handshake message to current outgoing flight 02534 */ 02535 static int ssl_flight_append( mbedtls_ssl_context *ssl ) 02536 { 02537 mbedtls_ssl_flight_item *msg; 02538 02539 /* Allocate space for current message */ 02540 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL ) 02541 { 02542 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", 02543 sizeof( mbedtls_ssl_flight_item ) ) ); 02544 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02545 } 02546 02547 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL ) 02548 { 02549 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) ); 02550 mbedtls_free( msg ); 02551 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02552 } 02553 02554 /* Copy current handshake message with headers */ 02555 memcpy( msg->p, ssl->out_msg, ssl->out_msglen ); 02556 msg->len = ssl->out_msglen; 02557 msg->type = ssl->out_msgtype; 02558 msg->next = NULL; 02559 02560 /* Append to the current flight */ 02561 if( ssl->handshake->flight == NULL ) 02562 ssl->handshake->flight = msg; 02563 else 02564 { 02565 mbedtls_ssl_flight_item *cur = ssl->handshake->flight; 02566 while( cur->next != NULL ) 02567 cur = cur->next; 02568 cur->next = msg; 02569 } 02570 02571 return( 0 ); 02572 } 02573 02574 /* 02575 * Free the current flight of handshake messages 02576 */ 02577 static void ssl_flight_free( mbedtls_ssl_flight_item *flight ) 02578 { 02579 mbedtls_ssl_flight_item *cur = flight; 02580 mbedtls_ssl_flight_item *next; 02581 02582 while( cur != NULL ) 02583 { 02584 next = cur->next; 02585 02586 mbedtls_free( cur->p ); 02587 mbedtls_free( cur ); 02588 02589 cur = next; 02590 } 02591 } 02592 02593 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 02594 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ); 02595 #endif 02596 02597 /* 02598 * Swap transform_out and out_ctr with the alternative ones 02599 */ 02600 static void ssl_swap_epochs( mbedtls_ssl_context *ssl ) 02601 { 02602 mbedtls_ssl_transform *tmp_transform; 02603 unsigned char tmp_out_ctr[8]; 02604 02605 if( ssl->transform_out == ssl->handshake->alt_transform_out ) 02606 { 02607 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) ); 02608 return; 02609 } 02610 02611 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) ); 02612 02613 /* Swap transforms */ 02614 tmp_transform = ssl->transform_out; 02615 ssl->transform_out = ssl->handshake->alt_transform_out; 02616 ssl->handshake->alt_transform_out = tmp_transform; 02617 02618 /* Swap epoch + sequence_number */ 02619 memcpy( tmp_out_ctr, ssl->out_ctr, 8 ); 02620 memcpy( ssl->out_ctr, ssl->handshake->alt_out_ctr, 8 ); 02621 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 ); 02622 02623 /* Adjust to the newly activated transform */ 02624 if( ssl->transform_out != NULL && 02625 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 02626 { 02627 ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen - 02628 ssl->transform_out->fixed_ivlen; 02629 } 02630 else 02631 ssl->out_msg = ssl->out_iv; 02632 02633 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02634 if( mbedtls_ssl_hw_record_activate != NULL ) 02635 { 02636 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 02637 { 02638 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 02639 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02640 } 02641 } 02642 #endif 02643 } 02644 02645 /* 02646 * Retransmit the current flight of messages. 02647 * 02648 * Need to remember the current message in case flush_output returns 02649 * WANT_WRITE, causing us to exit this function and come back later. 02650 * This function must be called until state is no longer SENDING. 02651 */ 02652 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl ) 02653 { 02654 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) ); 02655 02656 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING ) 02657 { 02658 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) ); 02659 02660 ssl->handshake->cur_msg = ssl->handshake->flight; 02661 ssl_swap_epochs( ssl ); 02662 02663 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING; 02664 } 02665 02666 while( ssl->handshake->cur_msg != NULL ) 02667 { 02668 int ret; 02669 mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg; 02670 02671 /* Swap epochs before sending Finished: we can't do it after 02672 * sending ChangeCipherSpec, in case write returns WANT_READ. 02673 * Must be done before copying, may change out_msg pointer */ 02674 if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE && 02675 cur->p[0] == MBEDTLS_SSL_HS_FINISHED ) 02676 { 02677 ssl_swap_epochs( ssl ); 02678 } 02679 02680 memcpy( ssl->out_msg, cur->p, cur->len ); 02681 ssl->out_msglen = cur->len; 02682 ssl->out_msgtype = cur->type; 02683 02684 ssl->handshake->cur_msg = cur->next; 02685 02686 MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 ); 02687 02688 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02689 { 02690 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02691 return( ret ); 02692 } 02693 } 02694 02695 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 02696 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02697 else 02698 { 02699 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02700 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02701 } 02702 02703 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) ); 02704 02705 return( 0 ); 02706 } 02707 02708 /* 02709 * To be called when the last message of an incoming flight is received. 02710 */ 02711 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl ) 02712 { 02713 /* We won't need to resend that one any more */ 02714 ssl_flight_free( ssl->handshake->flight ); 02715 ssl->handshake->flight = NULL; 02716 ssl->handshake->cur_msg = NULL; 02717 02718 /* The next incoming flight will start with this msg_seq */ 02719 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq; 02720 02721 /* Cancel timer */ 02722 ssl_set_timer( ssl, 0 ); 02723 02724 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02725 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02726 { 02727 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02728 } 02729 else 02730 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 02731 } 02732 02733 /* 02734 * To be called when the last message of an outgoing flight is send. 02735 */ 02736 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ) 02737 { 02738 ssl_reset_retransmit_timeout( ssl ); 02739 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02740 02741 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02742 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02743 { 02744 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02745 } 02746 else 02747 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02748 } 02749 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02750 02751 /* 02752 * Record layer functions 02753 */ 02754 02755 /* 02756 * Write current record. 02757 * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg. 02758 */ 02759 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) 02760 { 02761 int ret, done = 0, out_msg_type; 02762 size_t len = ssl->out_msglen; 02763 02764 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) ); 02765 02766 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02767 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02768 ssl->handshake != NULL && 02769 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 02770 { 02771 ; /* Skip special handshake treatment when resending */ 02772 } 02773 else 02774 #endif 02775 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 02776 { 02777 out_msg_type = ssl->out_msg[0]; 02778 02779 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST && 02780 ssl->handshake == NULL ) 02781 { 02782 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02783 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02784 } 02785 02786 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 ); 02787 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 ); 02788 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) ); 02789 02790 /* 02791 * DTLS has additional fields in the Handshake layer, 02792 * between the length field and the actual payload: 02793 * uint16 message_seq; 02794 * uint24 fragment_offset; 02795 * uint24 fragment_length; 02796 */ 02797 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02798 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02799 { 02800 /* Make room for the additional DTLS fields */ 02801 if( MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8 ) 02802 { 02803 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: " 02804 "size %u, maximum %u", 02805 (unsigned) ( ssl->in_hslen - 4 ), 02806 (unsigned) ( MBEDTLS_SSL_MAX_CONTENT_LEN - 12 ) ) ); 02807 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02808 } 02809 02810 memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 ); 02811 ssl->out_msglen += 8; 02812 len += 8; 02813 02814 /* Write message_seq and update it, except for HelloRequest */ 02815 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02816 { 02817 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF; 02818 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF; 02819 ++( ssl->handshake->out_msg_seq ); 02820 } 02821 else 02822 { 02823 ssl->out_msg[4] = 0; 02824 ssl->out_msg[5] = 0; 02825 } 02826 02827 /* We don't fragment, so frag_offset = 0 and frag_len = len */ 02828 memset( ssl->out_msg + 6, 0x00, 3 ); 02829 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ); 02830 } 02831 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02832 02833 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02834 ssl->handshake->update_checksum( ssl, ssl->out_msg, len ); 02835 } 02836 02837 /* Save handshake and CCS messages for resending */ 02838 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02839 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02840 ssl->handshake != NULL && 02841 ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING && 02842 ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC || 02843 ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) ) 02844 { 02845 if( ( ret = ssl_flight_append( ssl ) ) != 0 ) 02846 { 02847 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret ); 02848 return( ret ); 02849 } 02850 } 02851 #endif 02852 02853 #if defined(MBEDTLS_ZLIB_SUPPORT) 02854 if( ssl->transform_out != NULL && 02855 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 02856 { 02857 if( ( ret = ssl_compress_buf( ssl ) ) != 0 ) 02858 { 02859 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret ); 02860 return( ret ); 02861 } 02862 02863 len = ssl->out_msglen; 02864 } 02865 #endif /*MBEDTLS_ZLIB_SUPPORT */ 02866 02867 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02868 if( mbedtls_ssl_hw_record_write != NULL ) 02869 { 02870 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) ); 02871 02872 ret = mbedtls_ssl_hw_record_write( ssl ); 02873 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 02874 { 02875 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret ); 02876 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02877 } 02878 02879 if( ret == 0 ) 02880 done = 1; 02881 } 02882 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 02883 if( !done ) 02884 { 02885 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; 02886 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02887 ssl->conf->transport, ssl->out_hdr + 1 ); 02888 02889 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02890 ssl->out_len[1] = (unsigned char)( len ); 02891 02892 if( ssl->transform_out != NULL ) 02893 { 02894 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 ) 02895 { 02896 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); 02897 return( ret ); 02898 } 02899 02900 len = ssl->out_msglen; 02901 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02902 ssl->out_len[1] = (unsigned char)( len ); 02903 } 02904 02905 ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen; 02906 02907 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, " 02908 "version = [%d:%d], msglen = %d", 02909 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2], 02910 ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) ); 02911 02912 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", 02913 ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen ); 02914 } 02915 02916 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 02917 { 02918 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 02919 return( ret ); 02920 } 02921 02922 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) ); 02923 02924 return( 0 ); 02925 } 02926 02927 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02928 /* 02929 * Mark bits in bitmask (used for DTLS HS reassembly) 02930 */ 02931 static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len ) 02932 { 02933 unsigned int start_bits, end_bits; 02934 02935 start_bits = 8 - ( offset % 8 ); 02936 if( start_bits != 8 ) 02937 { 02938 size_t first_byte_idx = offset / 8; 02939 02940 /* Special case */ 02941 if( len <= start_bits ) 02942 { 02943 for( ; len != 0; len-- ) 02944 mask[first_byte_idx] |= 1 << ( start_bits - len ); 02945 02946 /* Avoid potential issues with offset or len becoming invalid */ 02947 return; 02948 } 02949 02950 offset += start_bits; /* Now offset % 8 == 0 */ 02951 len -= start_bits; 02952 02953 for( ; start_bits != 0; start_bits-- ) 02954 mask[first_byte_idx] |= 1 << ( start_bits - 1 ); 02955 } 02956 02957 end_bits = len % 8; 02958 if( end_bits != 0 ) 02959 { 02960 size_t last_byte_idx = ( offset + len ) / 8; 02961 02962 len -= end_bits; /* Now len % 8 == 0 */ 02963 02964 for( ; end_bits != 0; end_bits-- ) 02965 mask[last_byte_idx] |= 1 << ( 8 - end_bits ); 02966 } 02967 02968 memset( mask + offset / 8, 0xFF, len / 8 ); 02969 } 02970 02971 /* 02972 * Check that bitmask is full 02973 */ 02974 static int ssl_bitmask_check( unsigned char *mask, size_t len ) 02975 { 02976 size_t i; 02977 02978 for( i = 0; i < len / 8; i++ ) 02979 if( mask[i] != 0xFF ) 02980 return( -1 ); 02981 02982 for( i = 0; i < len % 8; i++ ) 02983 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 ) 02984 return( -1 ); 02985 02986 return( 0 ); 02987 } 02988 02989 /* 02990 * Reassemble fragmented DTLS handshake messages. 02991 * 02992 * Use a temporary buffer for reassembly, divided in two parts: 02993 * - the first holds the reassembled message (including handshake header), 02994 * - the second holds a bitmask indicating which parts of the message 02995 * (excluding headers) have been received so far. 02996 */ 02997 static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) 02998 { 02999 unsigned char *msg, *bitmask; 03000 size_t frag_len, frag_off; 03001 size_t msg_len = ssl->in_hslen - 12; /* Without headers */ 03002 03003 if( ssl->handshake == NULL ) 03004 { 03005 MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) ); 03006 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03007 } 03008 03009 /* 03010 * For first fragment, check size and allocate buffer 03011 */ 03012 if( ssl->handshake->hs_msg == NULL ) 03013 { 03014 size_t alloc_len; 03015 03016 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d", 03017 msg_len ) ); 03018 03019 if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03020 { 03021 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) ); 03022 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03023 } 03024 03025 /* The bitmask needs one bit per byte of message excluding header */ 03026 alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 ); 03027 03028 ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len ); 03029 if( ssl->handshake->hs_msg == NULL ) 03030 { 03031 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) ); 03032 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03033 } 03034 03035 /* Prepare final header: copy msg_type, length and message_seq, 03036 * then add standardised fragment_offset and fragment_length */ 03037 memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 ); 03038 memset( ssl->handshake->hs_msg + 6, 0, 3 ); 03039 memcpy( ssl->handshake->hs_msg + 9, 03040 ssl->handshake->hs_msg + 1, 3 ); 03041 } 03042 else 03043 { 03044 /* Make sure msg_type and length are consistent */ 03045 if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 ) 03046 { 03047 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) ); 03048 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03049 } 03050 } 03051 03052 msg = ssl->handshake->hs_msg + 12; 03053 bitmask = msg + msg_len; 03054 03055 /* 03056 * Check and copy current fragment 03057 */ 03058 frag_off = ( ssl->in_msg[6] << 16 ) | 03059 ( ssl->in_msg[7] << 8 ) | 03060 ssl->in_msg[8]; 03061 frag_len = ( ssl->in_msg[9] << 16 ) | 03062 ( ssl->in_msg[10] << 8 ) | 03063 ssl->in_msg[11]; 03064 03065 if( frag_off + frag_len > msg_len ) 03066 { 03067 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d", 03068 frag_off, frag_len, msg_len ) ); 03069 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03070 } 03071 03072 if( frag_len + 12 > ssl->in_msglen ) 03073 { 03074 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d", 03075 frag_len, ssl->in_msglen ) ); 03076 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03077 } 03078 03079 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d", 03080 frag_off, frag_len ) ); 03081 03082 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len ); 03083 ssl_bitmask_set( bitmask, frag_off, frag_len ); 03084 03085 /* 03086 * Do we have the complete message by now? 03087 * If yes, finalize it, else ask to read the next record. 03088 */ 03089 if( ssl_bitmask_check( bitmask, msg_len ) != 0 ) 03090 { 03091 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) ); 03092 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); 03093 } 03094 03095 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) ); 03096 03097 if( frag_len + 12 < ssl->in_msglen ) 03098 { 03099 /* 03100 * We'got more handshake messages in the same record. 03101 * This case is not handled now because no know implementation does 03102 * that and it's hard to test, so we prefer to fail cleanly for now. 03103 */ 03104 MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) ); 03105 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03106 } 03107 03108 if( ssl->in_left > ssl->next_record_offset ) 03109 { 03110 /* 03111 * We've got more data in the buffer after the current record, 03112 * that we don't want to overwrite. Move it before writing the 03113 * reassembled message, and adjust in_left and next_record_offset. 03114 */ 03115 unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset; 03116 unsigned char *new_remain = ssl->in_msg + ssl->in_hslen; 03117 size_t remain_len = ssl->in_left - ssl->next_record_offset; 03118 03119 /* First compute and check new lengths */ 03120 ssl->next_record_offset = new_remain - ssl->in_hdr; 03121 ssl->in_left = ssl->next_record_offset + remain_len; 03122 03123 if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN - 03124 (size_t)( ssl->in_hdr - ssl->in_buf ) ) 03125 { 03126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) ); 03127 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03128 } 03129 03130 memmove( new_remain, cur_remain, remain_len ); 03131 } 03132 03133 memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen ); 03134 03135 mbedtls_free( ssl->handshake->hs_msg ); 03136 ssl->handshake->hs_msg = NULL; 03137 03138 MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message", 03139 ssl->in_msg, ssl->in_hslen ); 03140 03141 return( 0 ); 03142 } 03143 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03144 03145 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) 03146 { 03147 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) ) 03148 { 03149 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d", 03150 ssl->in_msglen ) ); 03151 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03152 } 03153 03154 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ( 03155 ( ssl->in_msg[1] << 16 ) | 03156 ( ssl->in_msg[2] << 8 ) | 03157 ssl->in_msg[3] ); 03158 03159 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" 03160 " %d, type = %d, hslen = %d", 03161 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); 03162 03163 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03164 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03165 { 03166 int ret; 03167 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 03168 03169 if( ssl->handshake != NULL && 03170 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && 03171 recv_msg_seq != ssl->handshake->in_msg_seq ) || 03172 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && 03173 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) ) 03174 { 03175 /* Retransmit only on last message from previous flight, to avoid 03176 * too many retransmissions. 03177 * Besides, No sane server ever retransmits HelloVerifyRequest */ 03178 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 && 03179 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 03180 { 03181 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, " 03182 "message_seq = %d, start_of_flight = %d", 03183 recv_msg_seq, 03184 ssl->handshake->in_flight_start_seq ) ); 03185 03186 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03187 { 03188 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 03189 return( ret ); 03190 } 03191 } 03192 else 03193 { 03194 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: " 03195 "message_seq = %d, expected = %d", 03196 recv_msg_seq, 03197 ssl->handshake->in_msg_seq ) ); 03198 } 03199 03200 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); 03201 } 03202 /* Wait until message completion to increment in_msg_seq */ 03203 03204 /* Reassemble if current message is fragmented or reassembly is 03205 * already in progress */ 03206 if( ssl->in_msglen < ssl->in_hslen || 03207 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 || 03208 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 || 03209 ( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) ) 03210 { 03211 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) ); 03212 03213 if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 ) 03214 { 03215 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret ); 03216 return( ret ); 03217 } 03218 } 03219 } 03220 else 03221 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03222 /* With TLS we don't handle fragmentation (for now) */ 03223 if( ssl->in_msglen < ssl->in_hslen ) 03224 { 03225 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); 03226 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03227 } 03228 03229 return( 0 ); 03230 } 03231 03232 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ) 03233 { 03234 03235 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && 03236 ssl->handshake != NULL ) 03237 { 03238 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); 03239 } 03240 03241 /* Handshake message is complete, increment counter */ 03242 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03243 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03244 ssl->handshake != NULL ) 03245 { 03246 ssl->handshake->in_msg_seq++; 03247 } 03248 #endif 03249 } 03250 03251 /* 03252 * DTLS anti-replay: RFC 6347 4.1.2.6 03253 * 03254 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb). 03255 * Bit n is set iff record number in_window_top - n has been seen. 03256 * 03257 * Usually, in_window_top is the last record number seen and the lsb of 03258 * in_window is set. The only exception is the initial state (record number 0 03259 * not seen yet). 03260 */ 03261 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03262 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ) 03263 { 03264 ssl->in_window_top = 0; 03265 ssl->in_window = 0; 03266 } 03267 03268 static inline uint64_t ssl_load_six_bytes( unsigned char *buf ) 03269 { 03270 return( ( (uint64_t) buf[0] << 40 ) | 03271 ( (uint64_t) buf[1] << 32 ) | 03272 ( (uint64_t) buf[2] << 24 ) | 03273 ( (uint64_t) buf[3] << 16 ) | 03274 ( (uint64_t) buf[4] << 8 ) | 03275 ( (uint64_t) buf[5] ) ); 03276 } 03277 03278 /* 03279 * Return 0 if sequence number is acceptable, -1 otherwise 03280 */ 03281 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl ) 03282 { 03283 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03284 uint64_t bit; 03285 03286 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03287 return( 0 ); 03288 03289 if( rec_seqnum > ssl->in_window_top ) 03290 return( 0 ); 03291 03292 bit = ssl->in_window_top - rec_seqnum; 03293 03294 if( bit >= 64 ) 03295 return( -1 ); 03296 03297 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 ) 03298 return( -1 ); 03299 03300 return( 0 ); 03301 } 03302 03303 /* 03304 * Update replay window on new validated record 03305 */ 03306 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) 03307 { 03308 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03309 03310 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03311 return; 03312 03313 if( rec_seqnum > ssl->in_window_top ) 03314 { 03315 /* Update window_top and the contents of the window */ 03316 uint64_t shift = rec_seqnum - ssl->in_window_top; 03317 03318 if( shift >= 64 ) 03319 ssl->in_window = 1; 03320 else 03321 { 03322 ssl->in_window <<= shift; 03323 ssl->in_window |= 1; 03324 } 03325 03326 ssl->in_window_top = rec_seqnum; 03327 } 03328 else 03329 { 03330 /* Mark that number as seen in the current window */ 03331 uint64_t bit = ssl->in_window_top - rec_seqnum; 03332 03333 if( bit < 64 ) /* Always true, but be extra sure */ 03334 ssl->in_window |= (uint64_t) 1 << bit; 03335 } 03336 } 03337 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 03338 03339 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03340 /* Forward declaration */ 03341 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); 03342 03343 /* 03344 * Without any SSL context, check if a datagram looks like a ClientHello with 03345 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message. 03346 * Both input and output include full DTLS headers. 03347 * 03348 * - if cookie is valid, return 0 03349 * - if ClientHello looks superficially valid but cookie is not, 03350 * fill obuf and set olen, then 03351 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03352 * - otherwise return a specific error code 03353 */ 03354 static int ssl_check_dtls_clihlo_cookie( 03355 mbedtls_ssl_cookie_write_t *f_cookie_write, 03356 mbedtls_ssl_cookie_check_t *f_cookie_check, 03357 void *p_cookie, 03358 const unsigned char *cli_id, size_t cli_id_len, 03359 const unsigned char *in, size_t in_len, 03360 unsigned char *obuf, size_t buf_len, size_t *olen ) 03361 { 03362 size_t sid_len, cookie_len; 03363 unsigned char *p; 03364 03365 if( f_cookie_write == NULL || f_cookie_check == NULL ) 03366 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03367 03368 /* 03369 * Structure of ClientHello with record and handshake headers, 03370 * and expected values. We don't need to check a lot, more checks will be 03371 * done when actually parsing the ClientHello - skipping those checks 03372 * avoids code duplication and does not make cookie forging any easier. 03373 * 03374 * 0-0 ContentType type; copied, must be handshake 03375 * 1-2 ProtocolVersion version; copied 03376 * 3-4 uint16 epoch; copied, must be 0 03377 * 5-10 uint48 sequence_number; copied 03378 * 11-12 uint16 length; (ignored) 03379 * 03380 * 13-13 HandshakeType msg_type; (ignored) 03381 * 14-16 uint24 length; (ignored) 03382 * 17-18 uint16 message_seq; copied 03383 * 19-21 uint24 fragment_offset; copied, must be 0 03384 * 22-24 uint24 fragment_length; (ignored) 03385 * 03386 * 25-26 ProtocolVersion client_version; (ignored) 03387 * 27-58 Random random; (ignored) 03388 * 59-xx SessionID session_id; 1 byte len + sid_len content 03389 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content 03390 * ... 03391 * 03392 * Minimum length is 61 bytes. 03393 */ 03394 if( in_len < 61 || 03395 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || 03396 in[3] != 0 || in[4] != 0 || 03397 in[19] != 0 || in[20] != 0 || in[21] != 0 ) 03398 { 03399 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03400 } 03401 03402 sid_len = in[59]; 03403 if( sid_len > in_len - 61 ) 03404 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03405 03406 cookie_len = in[60 + sid_len]; 03407 if( cookie_len > in_len - 60 ) 03408 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03409 03410 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len, 03411 cli_id, cli_id_len ) == 0 ) 03412 { 03413 /* Valid cookie */ 03414 return( 0 ); 03415 } 03416 03417 /* 03418 * If we get here, we've got an invalid cookie, let's prepare HVR. 03419 * 03420 * 0-0 ContentType type; copied 03421 * 1-2 ProtocolVersion version; copied 03422 * 3-4 uint16 epoch; copied 03423 * 5-10 uint48 sequence_number; copied 03424 * 11-12 uint16 length; olen - 13 03425 * 03426 * 13-13 HandshakeType msg_type; hello_verify_request 03427 * 14-16 uint24 length; olen - 25 03428 * 17-18 uint16 message_seq; copied 03429 * 19-21 uint24 fragment_offset; copied 03430 * 22-24 uint24 fragment_length; olen - 25 03431 * 03432 * 25-26 ProtocolVersion server_version; 0xfe 0xff 03433 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie 03434 * 03435 * Minimum length is 28. 03436 */ 03437 if( buf_len < 28 ) 03438 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03439 03440 /* Copy most fields and adapt others */ 03441 memcpy( obuf, in, 25 ); 03442 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 03443 obuf[25] = 0xfe; 03444 obuf[26] = 0xff; 03445 03446 /* Generate and write actual cookie */ 03447 p = obuf + 28; 03448 if( f_cookie_write( p_cookie, 03449 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 ) 03450 { 03451 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03452 } 03453 03454 *olen = p - obuf; 03455 03456 /* Go back and fill length fields */ 03457 obuf[27] = (unsigned char)( *olen - 28 ); 03458 03459 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 ); 03460 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 ); 03461 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) ); 03462 03463 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 ); 03464 obuf[12] = (unsigned char)( ( *olen - 13 ) ); 03465 03466 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03467 } 03468 03469 /* 03470 * Handle possible client reconnect with the same UDP quadruplet 03471 * (RFC 6347 Section 4.2.8). 03472 * 03473 * Called by ssl_parse_record_header() in case we receive an epoch 0 record 03474 * that looks like a ClientHello. 03475 * 03476 * - if the input looks like a ClientHello without cookies, 03477 * send back HelloVerifyRequest, then 03478 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03479 * - if the input looks like a ClientHello with a valid cookie, 03480 * reset the session of the current context, and 03481 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT 03482 * - if anything goes wrong, return a specific error code 03483 * 03484 * mbedtls_ssl_read_record() will ignore the record if anything else than 03485 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function 03486 * cannot not return 0. 03487 */ 03488 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) 03489 { 03490 int ret; 03491 size_t len; 03492 03493 ret = ssl_check_dtls_clihlo_cookie( 03494 ssl->conf->f_cookie_write, 03495 ssl->conf->f_cookie_check, 03496 ssl->conf->p_cookie, 03497 ssl->cli_id, ssl->cli_id_len, 03498 ssl->in_buf, ssl->in_left, 03499 ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len ); 03500 03501 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret ); 03502 03503 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) 03504 { 03505 /* Don't check write errors as we can't do anything here. 03506 * If the error is permanent we'll catch it later, 03507 * if it's not, then hopefully it'll work next time. */ 03508 (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len ); 03509 03510 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03511 } 03512 03513 if( ret == 0 ) 03514 { 03515 /* Got a valid cookie, partially reset context */ 03516 if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 ) 03517 { 03518 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret ); 03519 return( ret ); 03520 } 03521 03522 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT ); 03523 } 03524 03525 return( ret ); 03526 } 03527 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03528 03529 /* 03530 * ContentType type; 03531 * ProtocolVersion version; 03532 * uint16 epoch; // DTLS only 03533 * uint48 sequence_number; // DTLS only 03534 * uint16 length; 03535 * 03536 * Return 0 if header looks sane (and, for DTLS, the record is expected) 03537 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad, 03538 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected. 03539 * 03540 * With DTLS, mbedtls_ssl_read_record() will: 03541 * 1. proceed with the record if this function returns 0 03542 * 2. drop only the current record if this function returns UNEXPECTED_RECORD 03543 * 3. return CLIENT_RECONNECT if this function return that value 03544 * 4. drop the whole datagram if this function returns anything else. 03545 * Point 2 is needed when the peer is resending, and we have already received 03546 * the first record from a datagram but are still waiting for the others. 03547 */ 03548 static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) 03549 { 03550 int major_ver, minor_ver; 03551 03552 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) ); 03553 03554 ssl->in_msgtype = ssl->in_hdr[0]; 03555 ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 03556 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 ); 03557 03558 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, " 03559 "version = [%d:%d], msglen = %d", 03560 ssl->in_msgtype, 03561 major_ver, minor_ver, ssl->in_msglen ) ); 03562 03563 /* Check record type */ 03564 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && 03565 ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT && 03566 ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03567 ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 03568 { 03569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); 03570 03571 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03572 /* Silently ignore invalid DTLS records as recommended by RFC 6347 03573 * Section 4.1.2.7 */ 03574 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03575 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03576 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03577 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 03578 03579 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03580 } 03581 03582 /* Check version */ 03583 if( major_ver != ssl->major_ver ) 03584 { 03585 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); 03586 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03587 } 03588 03589 if( minor_ver > ssl->conf->max_minor_ver ) 03590 { 03591 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); 03592 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03593 } 03594 03595 /* Check length against the size of our buffer */ 03596 if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN 03597 - (size_t)( ssl->in_msg - ssl->in_buf ) ) 03598 { 03599 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03600 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03601 } 03602 03603 /* 03604 * DTLS-related tests. 03605 * Check epoch before checking length constraint because 03606 * the latter varies with the epoch. E.g., if a ChangeCipherSpec 03607 * message gets duplicated before the corresponding Finished message, 03608 * the second ChangeCipherSpec should be discarded because it belongs 03609 * to an old epoch, but not because its length is shorter than 03610 * the minimum record length for packets using the new record transform. 03611 * Note that these two kinds of failures are handled differently, 03612 * as an unexpected record is silently skipped but an invalid 03613 * record leads to the entire datagram being dropped. 03614 */ 03615 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03616 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03617 { 03618 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; 03619 03620 /* Check epoch (and sequence number) with DTLS */ 03621 if( rec_epoch != ssl->in_epoch ) 03622 { 03623 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: " 03624 "expected %d, received %d", 03625 ssl->in_epoch, rec_epoch ) ); 03626 03627 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03628 /* 03629 * Check for an epoch 0 ClientHello. We can't use in_msg here to 03630 * access the first byte of record content (handshake type), as we 03631 * have an active transform (possibly iv_len != 0), so use the 03632 * fact that the record header len is 13 instead. 03633 */ 03634 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 03635 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && 03636 rec_epoch == 0 && 03637 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 03638 ssl->in_left > 13 && 03639 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) 03640 { 03641 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect " 03642 "from the same port" ) ); 03643 return( ssl_handle_possible_reconnect( ssl ) ); 03644 } 03645 else 03646 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03647 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03648 } 03649 03650 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03651 /* Replay detection only works for the current epoch */ 03652 if( rec_epoch == ssl->in_epoch && 03653 mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 03654 { 03655 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) ); 03656 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03657 } 03658 #endif 03659 03660 /* Drop unexpected ChangeCipherSpec messages */ 03661 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03662 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && 03663 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) 03664 { 03665 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) ); 03666 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03667 } 03668 03669 /* Drop unexpected ApplicationData records, 03670 * except at the beginning of renegotiations */ 03671 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA && 03672 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER 03673 #if defined(MBEDTLS_SSL_RENEGOTIATION) 03674 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 03675 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) 03676 #endif 03677 ) 03678 { 03679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) ); 03680 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03681 } 03682 } 03683 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03684 03685 03686 /* Check length against bounds of the current transform and version */ 03687 if( ssl->transform_in == NULL ) 03688 { 03689 if( ssl->in_msglen < 1 || 03690 ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03691 { 03692 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03693 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03694 } 03695 } 03696 else 03697 { 03698 if( ssl->in_msglen < ssl->transform_in->minlen ) 03699 { 03700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03701 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03702 } 03703 03704 #if defined(MBEDTLS_SSL_PROTO_SSL3) 03705 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 03706 ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN ) 03707 { 03708 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03709 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03710 } 03711 #endif 03712 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03713 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03714 /* 03715 * TLS encrypted messages can have up to 256 bytes of padding 03716 */ 03717 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 && 03718 ssl->in_msglen > ssl->transform_in->minlen + 03719 MBEDTLS_SSL_MAX_CONTENT_LEN + 256 ) 03720 { 03721 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03722 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03723 } 03724 #endif 03725 } 03726 03727 return( 0 ); 03728 } 03729 03730 /* 03731 * If applicable, decrypt (and decompress) record content 03732 */ 03733 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) 03734 { 03735 int ret, done = 0; 03736 03737 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network", 03738 ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ); 03739 03740 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 03741 if( mbedtls_ssl_hw_record_read != NULL ) 03742 { 03743 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) ); 03744 03745 ret = mbedtls_ssl_hw_record_read( ssl ); 03746 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 03747 { 03748 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret ); 03749 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 03750 } 03751 03752 if( ret == 0 ) 03753 done = 1; 03754 } 03755 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 03756 if( !done && ssl->transform_in != NULL ) 03757 { 03758 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 ) 03759 { 03760 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); 03761 return( ret ); 03762 } 03763 03764 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt", 03765 ssl->in_msg, ssl->in_msglen ); 03766 03767 if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03768 { 03769 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03770 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03771 } 03772 } 03773 03774 #if defined(MBEDTLS_ZLIB_SUPPORT) 03775 if( ssl->transform_in != NULL && 03776 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 03777 { 03778 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 ) 03779 { 03780 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret ); 03781 return( ret ); 03782 } 03783 } 03784 #endif /* MBEDTLS_ZLIB_SUPPORT */ 03785 03786 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03787 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03788 { 03789 mbedtls_ssl_dtls_replay_update( ssl ); 03790 } 03791 #endif 03792 03793 return( 0 ); 03794 } 03795 03796 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ); 03797 03798 /* 03799 * Read a record. 03800 * 03801 * Silently ignore non-fatal alert (and for DTLS, invalid records as well, 03802 * RFC 6347 4.1.2.7) and continue reading until a valid record is found. 03803 * 03804 */ 03805 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) 03806 { 03807 int ret; 03808 03809 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) ); 03810 03811 if( ssl->keep_current_message == 0 ) 03812 { 03813 do { 03814 03815 do ret = mbedtls_ssl_read_record_layer( ssl ); 03816 while( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); 03817 03818 if( ret != 0 ) 03819 { 03820 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret ); 03821 return( ret ); 03822 } 03823 03824 ret = mbedtls_ssl_handle_message_type( ssl ); 03825 03826 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret || 03827 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret ); 03828 03829 if( 0 != ret ) 03830 { 03831 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret ); 03832 return( ret ); 03833 } 03834 03835 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 03836 { 03837 mbedtls_ssl_update_handshake_status( ssl ); 03838 } 03839 } 03840 else 03841 { 03842 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= reuse previously read message" ) ); 03843 ssl->keep_current_message = 0; 03844 } 03845 03846 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) ); 03847 03848 return( 0 ); 03849 } 03850 03851 int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl ) 03852 { 03853 int ret; 03854 03855 /* 03856 * Step A 03857 * 03858 * Consume last content-layer message and potentially 03859 * update in_msglen which keeps track of the contents' 03860 * consumption state. 03861 * 03862 * (1) Handshake messages: 03863 * Remove last handshake message, move content 03864 * and adapt in_msglen. 03865 * 03866 * (2) Alert messages: 03867 * Consume whole record content, in_msglen = 0. 03868 * 03869 * (3) Change cipher spec: 03870 * Consume whole record content, in_msglen = 0. 03871 * 03872 * (4) Application data: 03873 * Don't do anything - the record layer provides 03874 * the application data as a stream transport 03875 * and consumes through mbedtls_ssl_read only. 03876 * 03877 */ 03878 03879 /* Case (1): Handshake messages */ 03880 if( ssl->in_hslen != 0 ) 03881 { 03882 /* Hard assertion to be sure that no application data 03883 * is in flight, as corrupting ssl->in_msglen during 03884 * ssl->in_offt != NULL is fatal. */ 03885 if( ssl->in_offt != NULL ) 03886 { 03887 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03888 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03889 } 03890 03891 /* 03892 * Get next Handshake message in the current record 03893 */ 03894 03895 /* Notes: 03896 * (1) in_hslen is not necessarily the size of the 03897 * current handshake content: If DTLS handshake 03898 * fragmentation is used, that's the fragment 03899 * size instead. Using the total handshake message 03900 * size here is faulty and should be changed at 03901 * some point. 03902 * (2) While it doesn't seem to cause problems, one 03903 * has to be very careful not to assume that in_hslen 03904 * is always <= in_msglen in a sensible communication. 03905 * Again, it's wrong for DTLS handshake fragmentation. 03906 * The following check is therefore mandatory, and 03907 * should not be treated as a silently corrected assertion. 03908 * Additionally, ssl->in_hslen might be arbitrarily out of 03909 * bounds after handling a DTLS message with an unexpected 03910 * sequence number, see mbedtls_ssl_prepare_handshake_record. 03911 */ 03912 if( ssl->in_hslen < ssl->in_msglen ) 03913 { 03914 ssl->in_msglen -= ssl->in_hslen; 03915 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen, 03916 ssl->in_msglen ); 03917 03918 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record", 03919 ssl->in_msg, ssl->in_msglen ); 03920 } 03921 else 03922 { 03923 ssl->in_msglen = 0; 03924 } 03925 03926 ssl->in_hslen = 0; 03927 } 03928 /* Case (4): Application data */ 03929 else if( ssl->in_offt != NULL ) 03930 { 03931 return( 0 ); 03932 } 03933 /* Everything else (CCS & Alerts) */ 03934 else 03935 { 03936 ssl->in_msglen = 0; 03937 } 03938 03939 /* 03940 * Step B 03941 * 03942 * Fetch and decode new record if current one is fully consumed. 03943 * 03944 */ 03945 03946 if( ssl->in_msglen > 0 ) 03947 { 03948 /* There's something left to be processed in the current record. */ 03949 return( 0 ); 03950 } 03951 03952 /* Current record either fully processed or to be discarded. */ 03953 03954 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 ) 03955 { 03956 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03957 return( ret ); 03958 } 03959 03960 if( ( ret = ssl_parse_record_header( ssl ) ) != 0 ) 03961 { 03962 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03963 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03964 ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT ) 03965 { 03966 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ) 03967 { 03968 /* Skip unexpected record (but not whole datagram) */ 03969 ssl->next_record_offset = ssl->in_msglen 03970 + mbedtls_ssl_hdr_len( ssl ); 03971 03972 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record " 03973 "(header)" ) ); 03974 } 03975 else 03976 { 03977 /* Skip invalid record and the rest of the datagram */ 03978 ssl->next_record_offset = 0; 03979 ssl->in_left = 0; 03980 03981 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record " 03982 "(header)" ) ); 03983 } 03984 03985 /* Get next record */ 03986 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); 03987 } 03988 #endif 03989 return( ret ); 03990 } 03991 03992 /* 03993 * Read and optionally decrypt the message contents 03994 */ 03995 if( ( ret = mbedtls_ssl_fetch_input( ssl, 03996 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 ) 03997 { 03998 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03999 return( ret ); 04000 } 04001 04002 /* Done reading this record, get ready for the next one */ 04003 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04004 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 04005 { 04006 ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl ); 04007 if( ssl->next_record_offset < ssl->in_left ) 04008 { 04009 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) ); 04010 } 04011 } 04012 else 04013 #endif 04014 ssl->in_left = 0; 04015 04016 if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) 04017 { 04018 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04019 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 04020 { 04021 /* Silently discard invalid records */ 04022 if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD || 04023 ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 04024 { 04025 /* Except when waiting for Finished as a bad mac here 04026 * probably means something went wrong in the handshake 04027 * (eg wrong psk used, mitm downgrade attempt, etc.) */ 04028 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED || 04029 ssl->state == MBEDTLS_SSL_SERVER_FINISHED ) 04030 { 04031 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 04032 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 04033 { 04034 mbedtls_ssl_send_alert_message( ssl, 04035 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04036 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 04037 } 04038 #endif 04039 return( ret ); 04040 } 04041 04042 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 04043 if( ssl->conf->badmac_limit != 0 && 04044 ++ssl->badmac_seen >= ssl->conf->badmac_limit ) 04045 { 04046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); 04047 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 04048 } 04049 #endif 04050 04051 /* As above, invalid records cause 04052 * dismissal of the whole datagram. */ 04053 04054 ssl->next_record_offset = 0; 04055 ssl->in_left = 0; 04056 04057 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) ); 04058 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); 04059 } 04060 04061 return( ret ); 04062 } 04063 else 04064 #endif 04065 { 04066 /* Error out (and send alert) on invalid records */ 04067 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 04068 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 04069 { 04070 mbedtls_ssl_send_alert_message( ssl, 04071 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04072 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 04073 } 04074 #endif 04075 return( ret ); 04076 } 04077 } 04078 04079 return( 0 ); 04080 } 04081 04082 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) 04083 { 04084 int ret; 04085 04086 /* 04087 * Handle particular types of records 04088 */ 04089 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 04090 { 04091 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 ) 04092 { 04093 return( ret ); 04094 } 04095 } 04096 04097 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 04098 { 04099 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]", 04100 ssl->in_msg[0], ssl->in_msg[1] ) ); 04101 04102 /* 04103 * Ignore non-fatal alerts, except close_notify and no_renegotiation 04104 */ 04105 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL ) 04106 { 04107 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)", 04108 ssl->in_msg[1] ) ); 04109 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); 04110 } 04111 04112 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04113 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) 04114 { 04115 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) ); 04116 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ); 04117 } 04118 04119 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED) 04120 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04121 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) 04122 { 04123 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) ); 04124 /* Will be handled when trying to parse ServerHello */ 04125 return( 0 ); 04126 } 04127 #endif 04128 04129 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C) 04130 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 04131 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04132 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04133 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 04134 { 04135 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 04136 /* Will be handled in mbedtls_ssl_parse_certificate() */ 04137 return( 0 ); 04138 } 04139 #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */ 04140 04141 /* Silently ignore: fetch new message */ 04142 return MBEDTLS_ERR_SSL_NON_FATAL; 04143 } 04144 04145 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04146 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 04147 ssl->handshake != NULL && 04148 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 04149 { 04150 ssl_handshake_wrapup_free_hs_transform( ssl ); 04151 } 04152 #endif 04153 04154 return( 0 ); 04155 } 04156 04157 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ) 04158 { 04159 int ret; 04160 04161 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 04162 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04163 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 ) 04164 { 04165 return( ret ); 04166 } 04167 04168 return( 0 ); 04169 } 04170 04171 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, 04172 unsigned char level, 04173 unsigned char message ) 04174 { 04175 int ret; 04176 04177 if( ssl == NULL || ssl->conf == NULL ) 04178 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04179 04180 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); 04181 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message )); 04182 04183 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 04184 ssl->out_msglen = 2; 04185 ssl->out_msg[0] = level; 04186 ssl->out_msg[1] = message; 04187 04188 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04189 { 04190 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04191 return( ret ); 04192 } 04193 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) ); 04194 04195 return( 0 ); 04196 } 04197 04198 /* 04199 * Handshake functions 04200 */ 04201 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 04202 !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \ 04203 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 04204 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 04205 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ 04206 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 04207 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 04208 /* No certificate support -> dummy functions */ 04209 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04210 { 04211 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04212 04213 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04214 04215 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04216 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04217 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04218 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04219 { 04220 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04221 ssl->state++; 04222 return( 0 ); 04223 } 04224 04225 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04226 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04227 } 04228 04229 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04230 { 04231 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04232 04233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04234 04235 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04236 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04237 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04238 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04239 { 04240 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04241 ssl->state++; 04242 return( 0 ); 04243 } 04244 04245 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04246 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04247 } 04248 04249 #else 04250 /* Some certificate support -> implement write and parse */ 04251 04252 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04253 { 04254 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04255 size_t i, n; 04256 const mbedtls_x509_crt *crt; 04257 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04258 04259 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04260 04261 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04262 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04263 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04264 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04265 { 04266 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04267 ssl->state++; 04268 return( 0 ); 04269 } 04270 04271 #if defined(MBEDTLS_SSL_CLI_C) 04272 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 04273 { 04274 if( ssl->client_auth == 0 ) 04275 { 04276 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04277 ssl->state++; 04278 return( 0 ); 04279 } 04280 04281 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04282 /* 04283 * If using SSLv3 and got no cert, send an Alert message 04284 * (otherwise an empty Certificate message will be sent). 04285 */ 04286 if( mbedtls_ssl_own_cert( ssl ) == NULL && 04287 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04288 { 04289 ssl->out_msglen = 2; 04290 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 04291 ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING; 04292 ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT; 04293 04294 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) ); 04295 goto write_msg; 04296 } 04297 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04298 } 04299 #endif /* MBEDTLS_SSL_CLI_C */ 04300 #if defined(MBEDTLS_SSL_SRV_C) 04301 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 04302 { 04303 if( mbedtls_ssl_own_cert( ssl ) == NULL ) 04304 { 04305 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); 04306 return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED ); 04307 } 04308 } 04309 #endif 04310 04311 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) ); 04312 04313 /* 04314 * 0 . 0 handshake type 04315 * 1 . 3 handshake length 04316 * 4 . 6 length of all certs 04317 * 7 . 9 length of cert. 1 04318 * 10 . n-1 peer certificate 04319 * n . n+2 length of cert. 2 04320 * n+3 . ... upper level cert, etc. 04321 */ 04322 i = 7; 04323 crt = mbedtls_ssl_own_cert( ssl ); 04324 04325 while( crt != NULL ) 04326 { 04327 n = crt->raw.len; 04328 if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i ) 04329 { 04330 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d", 04331 i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) ); 04332 return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE ); 04333 } 04334 04335 ssl->out_msg[i ] = (unsigned char)( n >> 16 ); 04336 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 ); 04337 ssl->out_msg[i + 2] = (unsigned char)( n ); 04338 04339 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n ); 04340 i += n; crt = crt->next; 04341 } 04342 04343 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 ); 04344 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 ); 04345 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) ); 04346 04347 ssl->out_msglen = i; 04348 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 04349 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; 04350 04351 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C) 04352 write_msg: 04353 #endif 04354 04355 ssl->state++; 04356 04357 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04358 { 04359 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04360 return( ret ); 04361 } 04362 04363 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) ); 04364 04365 return( ret ); 04366 } 04367 04368 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04369 { 04370 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04371 size_t i, n; 04372 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04373 int authmode = ssl->conf->authmode; 04374 uint8_t alert; 04375 04376 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04377 04378 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04379 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04380 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04381 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04382 { 04383 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04384 ssl->state++; 04385 return( 0 ); 04386 } 04387 04388 #if defined(MBEDTLS_SSL_SRV_C) 04389 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04390 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 04391 { 04392 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04393 ssl->state++; 04394 return( 0 ); 04395 } 04396 04397 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04398 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 04399 authmode = ssl->handshake->sni_authmode; 04400 #endif 04401 04402 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04403 authmode == MBEDTLS_SSL_VERIFY_NONE ) 04404 { 04405 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; 04406 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04407 ssl->state++; 04408 return( 0 ); 04409 } 04410 #endif 04411 04412 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04413 { 04414 /* mbedtls_ssl_read_record may have sent an alert already. We 04415 let it decide whether to alert. */ 04416 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04417 return( ret ); 04418 } 04419 04420 ssl->state++; 04421 04422 #if defined(MBEDTLS_SSL_SRV_C) 04423 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04424 /* 04425 * Check if the client sent an empty certificate 04426 */ 04427 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04428 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04429 { 04430 if( ssl->in_msglen == 2 && 04431 ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT && 04432 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04433 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 04434 { 04435 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); 04436 04437 /* The client was asked for a certificate but didn't send 04438 one. The client should know what's going on, so we 04439 don't send an alert. */ 04440 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04441 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04442 return( 0 ); 04443 else 04444 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04445 } 04446 } 04447 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04448 04449 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 04450 defined(MBEDTLS_SSL_PROTO_TLS1_2) 04451 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04452 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 04453 { 04454 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && 04455 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 04456 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && 04457 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) 04458 { 04459 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); 04460 04461 /* The client was asked for a certificate but didn't send 04462 one. The client should know what's going on, so we 04463 don't send an alert. */ 04464 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04465 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04466 return( 0 ); 04467 else 04468 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04469 } 04470 } 04471 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 04472 MBEDTLS_SSL_PROTO_TLS1_2 */ 04473 #endif /* MBEDTLS_SSL_SRV_C */ 04474 04475 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 04476 { 04477 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04478 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04479 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 04480 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04481 } 04482 04483 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE || 04484 ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 ) 04485 { 04486 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04487 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04488 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04489 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04490 } 04491 04492 i = mbedtls_ssl_hs_hdr_len( ssl ); 04493 04494 /* 04495 * Same message structure as in mbedtls_ssl_write_certificate() 04496 */ 04497 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2]; 04498 04499 if( ssl->in_msg[i] != 0 || 04500 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) ) 04501 { 04502 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04503 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04504 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04505 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04506 } 04507 04508 /* In case we tried to reuse a session but it failed */ 04509 if( ssl->session_negotiate->peer_cert != NULL ) 04510 { 04511 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); 04512 mbedtls_free( ssl->session_negotiate->peer_cert ); 04513 } 04514 04515 if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1, 04516 sizeof( mbedtls_x509_crt ) ) ) == NULL ) 04517 { 04518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 04519 sizeof( mbedtls_x509_crt ) ) ); 04520 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04521 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 04522 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 04523 } 04524 04525 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); 04526 04527 i += 3; 04528 04529 while( i < ssl->in_hslen ) 04530 { 04531 if( ssl->in_msg[i] != 0 ) 04532 { 04533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04534 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04535 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04536 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04537 } 04538 04539 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 ) 04540 | (unsigned int) ssl->in_msg[i + 2]; 04541 i += 3; 04542 04543 if( n < 128 || i + n > ssl->in_hslen ) 04544 { 04545 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04546 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04547 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04548 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04549 } 04550 04551 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert, 04552 ssl->in_msg + i, n ); 04553 switch( ret ) 04554 { 04555 case 0: /*ok*/ 04556 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: 04557 /* Ignore certificate with an unknown algorithm: maybe a 04558 prior certificate was already trusted. */ 04559 break; 04560 04561 case MBEDTLS_ERR_X509_ALLOC_FAILED: 04562 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR; 04563 goto crt_parse_der_failed; 04564 04565 case MBEDTLS_ERR_X509_UNKNOWN_VERSION: 04566 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04567 goto crt_parse_der_failed; 04568 04569 default: 04570 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 04571 crt_parse_der_failed: 04572 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert ); 04573 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); 04574 return( ret ); 04575 } 04576 04577 i += n; 04578 } 04579 04580 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); 04581 04582 /* 04583 * On client, make sure the server cert doesn't change during renego to 04584 * avoid "triple handshake" attack: https://secure-resumption.com/ 04585 */ 04586 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 04587 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 04588 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 04589 { 04590 if( ssl->session->peer_cert == NULL ) 04591 { 04592 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) ); 04593 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04594 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED ); 04595 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04596 } 04597 04598 if( ssl->session->peer_cert->raw.len != 04599 ssl->session_negotiate->peer_cert->raw.len || 04600 memcmp( ssl->session->peer_cert->raw.p, 04601 ssl->session_negotiate->peer_cert->raw.p, 04602 ssl->session->peer_cert->raw.len ) != 0 ) 04603 { 04604 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) ); 04605 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04606 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED ); 04607 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04608 } 04609 } 04610 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 04611 04612 if( authmode != MBEDTLS_SSL_VERIFY_NONE ) 04613 { 04614 mbedtls_x509_crt *ca_chain; 04615 mbedtls_x509_crl *ca_crl; 04616 04617 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04618 if( ssl->handshake->sni_ca_chain != NULL ) 04619 { 04620 ca_chain = ssl->handshake->sni_ca_chain; 04621 ca_crl = ssl->handshake->sni_ca_crl; 04622 } 04623 else 04624 #endif 04625 { 04626 ca_chain = ssl->conf->ca_chain; 04627 ca_crl = ssl->conf->ca_crl; 04628 } 04629 04630 /* 04631 * Main check: verify certificate 04632 */ 04633 ret = mbedtls_x509_crt_verify_with_profile( 04634 ssl->session_negotiate->peer_cert, 04635 ca_chain, ca_crl, 04636 ssl->conf->cert_profile, 04637 ssl->hostname, 04638 &ssl->session_negotiate->verify_result, 04639 ssl->conf->f_vrfy, ssl->conf->p_vrfy ); 04640 04641 if( ret != 0 ) 04642 { 04643 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); 04644 } 04645 04646 /* 04647 * Secondary checks: always done, but change 'ret' only if it was 0 04648 */ 04649 04650 #if defined(MBEDTLS_ECP_C) 04651 { 04652 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk; 04653 04654 /* If certificate uses an EC key, make sure the curve is OK */ 04655 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && 04656 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp .id ) != 0 ) 04657 { 04658 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; 04659 04660 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); 04661 if( ret == 0 ) 04662 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04663 } 04664 } 04665 #endif /* MBEDTLS_ECP_C */ 04666 04667 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, 04668 ciphersuite_info, 04669 ! ssl->conf->endpoint, 04670 &ssl->session_negotiate->verify_result ) != 0 ) 04671 { 04672 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); 04673 if( ret == 0 ) 04674 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04675 } 04676 04677 /* mbedtls_x509_crt_verify_with_profile is supposed to report a 04678 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, 04679 * with details encoded in the verification flags. All other kinds 04680 * of error codes, including those from the user provided f_vrfy 04681 * functions, are treated as fatal and lead to a failure of 04682 * ssl_parse_certificate even if verification was optional. */ 04683 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && 04684 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || 04685 ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) ) 04686 { 04687 ret = 0; 04688 } 04689 04690 if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) 04691 { 04692 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); 04693 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; 04694 } 04695 04696 if( ret != 0 ) 04697 { 04698 /* The certificate may have been rejected for several reasons. 04699 Pick one and send the corresponding alert. Which alert to send 04700 may be a subject of debate in some cases. */ 04701 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER ) 04702 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; 04703 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH ) 04704 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 04705 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE ) 04706 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04707 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE ) 04708 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04709 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE ) 04710 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04711 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK ) 04712 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04713 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY ) 04714 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04715 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED ) 04716 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; 04717 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED ) 04718 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; 04719 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) 04720 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; 04721 else 04722 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; 04723 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04724 alert ); 04725 } 04726 04727 #if defined(MBEDTLS_DEBUG_C) 04728 if( ssl->session_negotiate->verify_result != 0 ) 04729 { 04730 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x", 04731 ssl->session_negotiate->verify_result ) ); 04732 } 04733 else 04734 { 04735 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) ); 04736 } 04737 #endif /* MBEDTLS_DEBUG_C */ 04738 } 04739 04740 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); 04741 04742 return( ret ); 04743 } 04744 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 04745 !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 04746 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 04747 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 04748 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 04749 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 04750 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 04751 04752 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ) 04753 { 04754 int ret; 04755 04756 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); 04757 04758 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; 04759 ssl->out_msglen = 1; 04760 ssl->out_msg[0] = 1; 04761 04762 ssl->state++; 04763 04764 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04765 { 04766 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04767 return( ret ); 04768 } 04769 04770 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); 04771 04772 return( 0 ); 04773 } 04774 04775 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) 04776 { 04777 int ret; 04778 04779 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) ); 04780 04781 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04782 { 04783 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04784 return( ret ); 04785 } 04786 04787 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) 04788 { 04789 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04790 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04791 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 04792 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04793 } 04794 04795 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 ) 04796 { 04797 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04798 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04799 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04800 return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); 04801 } 04802 04803 /* 04804 * Switch to our negotiated transform and session parameters for inbound 04805 * data. 04806 */ 04807 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); 04808 ssl->transform_in = ssl->transform_negotiate; 04809 ssl->session_in = ssl->session_negotiate; 04810 04811 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04812 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 04813 { 04814 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 04815 ssl_dtls_replay_reset( ssl ); 04816 #endif 04817 04818 /* Increment epoch */ 04819 if( ++ssl->in_epoch == 0 ) 04820 { 04821 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 04822 /* This is highly unlikely to happen for legitimate reasons, so 04823 treat it as an attack and don't send an alert. */ 04824 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 04825 } 04826 } 04827 else 04828 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 04829 memset( ssl->in_ctr, 0, 8 ); 04830 04831 /* 04832 * Set the in_msg pointer to the correct location based on IV length 04833 */ 04834 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 04835 { 04836 ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen - 04837 ssl->transform_negotiate->fixed_ivlen; 04838 } 04839 else 04840 ssl->in_msg = ssl->in_iv; 04841 04842 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 04843 if( mbedtls_ssl_hw_record_activate != NULL ) 04844 { 04845 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 ) 04846 { 04847 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 04848 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04849 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 04850 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 04851 } 04852 } 04853 #endif 04854 04855 ssl->state++; 04856 04857 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) ); 04858 04859 return( 0 ); 04860 } 04861 04862 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, 04863 const mbedtls_ssl_ciphersuite_t *ciphersuite_info ) 04864 { 04865 ((void) ciphersuite_info); 04866 04867 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04868 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04869 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 04870 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1; 04871 else 04872 #endif 04873 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04874 #if defined(MBEDTLS_SHA512_C) 04875 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 04876 ssl->handshake->update_checksum = ssl_update_checksum_sha384; 04877 else 04878 #endif 04879 #if defined(MBEDTLS_SHA256_C) 04880 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 ) 04881 ssl->handshake->update_checksum = ssl_update_checksum_sha256; 04882 else 04883 #endif 04884 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04885 { 04886 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04887 return; 04888 } 04889 } 04890 04891 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) 04892 { 04893 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04894 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04895 mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 ); 04896 mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 ); 04897 #endif 04898 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04899 #if defined(MBEDTLS_SHA256_C) 04900 mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 ); 04901 #endif 04902 #if defined(MBEDTLS_SHA512_C) 04903 mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 ); 04904 #endif 04905 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04906 } 04907 04908 static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, 04909 const unsigned char *buf, size_t len ) 04910 { 04911 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04912 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04913 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len ); 04914 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len ); 04915 #endif 04916 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04917 #if defined(MBEDTLS_SHA256_C) 04918 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len ); 04919 #endif 04920 #if defined(MBEDTLS_SHA512_C) 04921 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len ); 04922 #endif 04923 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04924 } 04925 04926 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04927 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04928 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, 04929 const unsigned char *buf, size_t len ) 04930 { 04931 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len ); 04932 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len ); 04933 } 04934 #endif 04935 04936 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04937 #if defined(MBEDTLS_SHA256_C) 04938 static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, 04939 const unsigned char *buf, size_t len ) 04940 { 04941 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len ); 04942 } 04943 #endif 04944 04945 #if defined(MBEDTLS_SHA512_C) 04946 static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, 04947 const unsigned char *buf, size_t len ) 04948 { 04949 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len ); 04950 } 04951 #endif 04952 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04953 04954 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04955 static void ssl_calc_finished_ssl( 04956 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04957 { 04958 const char *sender; 04959 mbedtls_md5_context md5; 04960 mbedtls_sha1_context sha1; 04961 04962 unsigned char padbuf[48]; 04963 unsigned char md5sum[16]; 04964 unsigned char sha1sum[20]; 04965 04966 mbedtls_ssl_session *session = ssl->session_negotiate; 04967 if( !session ) 04968 session = ssl->session; 04969 04970 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) ); 04971 04972 mbedtls_md5_init( &md5 ); 04973 mbedtls_sha1_init( &sha1 ); 04974 04975 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 04976 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 04977 04978 /* 04979 * SSLv3: 04980 * hash = 04981 * MD5( master + pad2 + 04982 * MD5( handshake + sender + master + pad1 ) ) 04983 * + SHA1( master + pad2 + 04984 * SHA1( handshake + sender + master + pad1 ) ) 04985 */ 04986 04987 #if !defined(MBEDTLS_MD5_ALT) 04988 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 04989 md5.state , sizeof( md5.state ) ); 04990 #endif 04991 04992 #if !defined(MBEDTLS_SHA1_ALT) 04993 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 04994 sha1.state , sizeof( sha1.state ) ); 04995 #endif 04996 04997 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT" 04998 : "SRVR"; 04999 05000 memset( padbuf, 0x36, 48 ); 05001 05002 mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 ); 05003 mbedtls_md5_update_ret( &md5, session->master, 48 ); 05004 mbedtls_md5_update_ret( &md5, padbuf, 48 ); 05005 mbedtls_md5_finish_ret( &md5, md5sum ); 05006 05007 mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 ); 05008 mbedtls_sha1_update_ret( &sha1, session->master, 48 ); 05009 mbedtls_sha1_update_ret( &sha1, padbuf, 40 ); 05010 mbedtls_sha1_finish_ret( &sha1, sha1sum ); 05011 05012 memset( padbuf, 0x5C, 48 ); 05013 05014 mbedtls_md5_starts_ret( &md5 ); 05015 mbedtls_md5_update_ret( &md5, session->master, 48 ); 05016 mbedtls_md5_update_ret( &md5, padbuf, 48 ); 05017 mbedtls_md5_update_ret( &md5, md5sum, 16 ); 05018 mbedtls_md5_finish_ret( &md5, buf ); 05019 05020 mbedtls_sha1_starts_ret( &sha1 ); 05021 mbedtls_sha1_update_ret( &sha1, session->master, 48 ); 05022 mbedtls_sha1_update_ret( &sha1, padbuf , 40 ); 05023 mbedtls_sha1_update_ret( &sha1, sha1sum, 20 ); 05024 mbedtls_sha1_finish_ret( &sha1, buf + 16 ); 05025 05026 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 ); 05027 05028 mbedtls_md5_free( &md5 ); 05029 mbedtls_sha1_free( &sha1 ); 05030 05031 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); 05032 mbedtls_platform_zeroize( md5sum, sizeof( md5sum ) ); 05033 mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) ); 05034 05035 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 05036 } 05037 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 05038 05039 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 05040 static void ssl_calc_finished_tls( 05041 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 05042 { 05043 int len = 12; 05044 const char *sender; 05045 mbedtls_md5_context md5; 05046 mbedtls_sha1_context sha1; 05047 unsigned char padbuf[36]; 05048 05049 mbedtls_ssl_session *session = ssl->session_negotiate; 05050 if( !session ) 05051 session = ssl->session; 05052 05053 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) ); 05054 05055 mbedtls_md5_init( &md5 ); 05056 mbedtls_sha1_init( &sha1 ); 05057 05058 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 05059 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 05060 05061 /* 05062 * TLSv1: 05063 * hash = PRF( master, finished_label, 05064 * MD5( handshake ) + SHA1( handshake ) )[0..11] 05065 */ 05066 05067 #if !defined(MBEDTLS_MD5_ALT) 05068 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 05069 md5.state , sizeof( md5.state ) ); 05070 #endif 05071 05072 #if !defined(MBEDTLS_SHA1_ALT) 05073 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 05074 sha1.state , sizeof( sha1.state ) ); 05075 #endif 05076 05077 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 05078 ? "client finished" 05079 : "server finished"; 05080 05081 mbedtls_md5_finish_ret( &md5, padbuf ); 05082 mbedtls_sha1_finish_ret( &sha1, padbuf + 16 ); 05083 05084 ssl->handshake->tls_prf( session->master, 48, sender, 05085 padbuf, 36, buf, len ); 05086 05087 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 05088 05089 mbedtls_md5_free( &md5 ); 05090 mbedtls_sha1_free( &sha1 ); 05091 05092 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); 05093 05094 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 05095 } 05096 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 05097 05098 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 05099 #if defined(MBEDTLS_SHA256_C) 05100 static void ssl_calc_finished_tls_sha256( 05101 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 05102 { 05103 int len = 12; 05104 const char *sender; 05105 mbedtls_sha256_context sha256; 05106 unsigned char padbuf[32]; 05107 05108 mbedtls_ssl_session *session = ssl->session_negotiate; 05109 if( !session ) 05110 session = ssl->session; 05111 05112 mbedtls_sha256_init( &sha256 ); 05113 05114 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) ); 05115 05116 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 05117 05118 /* 05119 * TLSv1.2: 05120 * hash = PRF( master, finished_label, 05121 * Hash( handshake ) )[0.11] 05122 */ 05123 05124 #if !defined(MBEDTLS_SHA256_ALT) 05125 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *) 05126 sha256.state , sizeof( sha256.state ) ); 05127 #endif 05128 05129 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 05130 ? "client finished" 05131 : "server finished"; 05132 05133 mbedtls_sha256_finish_ret( &sha256, padbuf ); 05134 05135 ssl->handshake->tls_prf( session->master, 48, sender, 05136 padbuf, 32, buf, len ); 05137 05138 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 05139 05140 mbedtls_sha256_free( &sha256 ); 05141 05142 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); 05143 05144 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 05145 } 05146 #endif /* MBEDTLS_SHA256_C */ 05147 05148 #if defined(MBEDTLS_SHA512_C) 05149 static void ssl_calc_finished_tls_sha384( 05150 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 05151 { 05152 int len = 12; 05153 const char *sender; 05154 mbedtls_sha512_context sha512; 05155 unsigned char padbuf[48]; 05156 05157 mbedtls_ssl_session *session = ssl->session_negotiate; 05158 if( !session ) 05159 session = ssl->session; 05160 05161 mbedtls_sha512_init( &sha512 ); 05162 05163 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) ); 05164 05165 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 05166 05167 /* 05168 * TLSv1.2: 05169 * hash = PRF( master, finished_label, 05170 * Hash( handshake ) )[0.11] 05171 */ 05172 05173 #if !defined(MBEDTLS_SHA512_ALT) 05174 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *) 05175 sha512.state , sizeof( sha512.state ) ); 05176 #endif 05177 05178 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 05179 ? "client finished" 05180 : "server finished"; 05181 05182 mbedtls_sha512_finish_ret( &sha512, padbuf ); 05183 05184 ssl->handshake->tls_prf( session->master, 48, sender, 05185 padbuf, 48, buf, len ); 05186 05187 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 05188 05189 mbedtls_sha512_free( &sha512 ); 05190 05191 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); 05192 05193 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 05194 } 05195 #endif /* MBEDTLS_SHA512_C */ 05196 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 05197 05198 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) 05199 { 05200 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) ); 05201 05202 /* 05203 * Free our handshake params 05204 */ 05205 mbedtls_ssl_handshake_free( ssl->handshake ); 05206 mbedtls_free( ssl->handshake ); 05207 ssl->handshake = NULL; 05208 05209 /* 05210 * Free the previous transform and swith in the current one 05211 */ 05212 if( ssl->transform ) 05213 { 05214 mbedtls_ssl_transform_free( ssl->transform ); 05215 mbedtls_free( ssl->transform ); 05216 } 05217 ssl->transform = ssl->transform_negotiate; 05218 ssl->transform_negotiate = NULL; 05219 05220 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) ); 05221 } 05222 05223 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) 05224 { 05225 int resume = ssl->handshake->resume; 05226 05227 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); 05228 05229 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05230 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 05231 { 05232 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; 05233 ssl->renego_records_seen = 0; 05234 } 05235 #endif 05236 05237 /* 05238 * Free the previous session and switch in the current one 05239 */ 05240 if( ssl->session ) 05241 { 05242 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 05243 /* RFC 7366 3.1: keep the EtM state */ 05244 ssl->session_negotiate->encrypt_then_mac = 05245 ssl->session->encrypt_then_mac; 05246 #endif 05247 05248 mbedtls_ssl_session_free( ssl->session ); 05249 mbedtls_free( ssl->session ); 05250 } 05251 ssl->session = ssl->session_negotiate; 05252 ssl->session_negotiate = NULL; 05253 05254 /* 05255 * Add cache entry 05256 */ 05257 if( ssl->conf->f_set_cache != NULL && 05258 ssl->session->id_len != 0 && 05259 resume == 0 ) 05260 { 05261 if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 ) 05262 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); 05263 } 05264 05265 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05266 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 05267 ssl->handshake->flight != NULL ) 05268 { 05269 /* Cancel handshake timer */ 05270 ssl_set_timer( ssl, 0 ); 05271 05272 /* Keep last flight around in case we need to resend it: 05273 * we need the handshake and transform structures for that */ 05274 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) ); 05275 } 05276 else 05277 #endif 05278 ssl_handshake_wrapup_free_hs_transform( ssl ); 05279 05280 ssl->state++; 05281 05282 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); 05283 } 05284 05285 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) 05286 { 05287 int ret, hash_len; 05288 05289 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) ); 05290 05291 /* 05292 * Set the out_msg pointer to the correct location based on IV length 05293 */ 05294 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 05295 { 05296 ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen - 05297 ssl->transform_negotiate->fixed_ivlen; 05298 } 05299 else 05300 ssl->out_msg = ssl->out_iv; 05301 05302 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint ); 05303 05304 /* 05305 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites 05306 * may define some other value. Currently (early 2016), no defined 05307 * ciphersuite does this (and this is unlikely to change as activity has 05308 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here. 05309 */ 05310 hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12; 05311 05312 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05313 ssl->verify_data_len = hash_len; 05314 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len ); 05315 #endif 05316 05317 ssl->out_msglen = 4 + hash_len; 05318 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 05319 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; 05320 05321 /* 05322 * In case of session resuming, invert the client and server 05323 * ChangeCipherSpec messages order. 05324 */ 05325 if( ssl->handshake->resume != 0 ) 05326 { 05327 #if defined(MBEDTLS_SSL_CLI_C) 05328 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05329 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05330 #endif 05331 #if defined(MBEDTLS_SSL_SRV_C) 05332 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05333 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05334 #endif 05335 } 05336 else 05337 ssl->state++; 05338 05339 /* 05340 * Switch to our negotiated transform and session parameters for outbound 05341 * data. 05342 */ 05343 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); 05344 05345 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05346 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05347 { 05348 unsigned char i; 05349 05350 /* Remember current epoch settings for resending */ 05351 ssl->handshake->alt_transform_out = ssl->transform_out; 05352 memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 ); 05353 05354 /* Set sequence_number to zero */ 05355 memset( ssl->out_ctr + 2, 0, 6 ); 05356 05357 /* Increment epoch */ 05358 for( i = 2; i > 0; i-- ) 05359 if( ++ssl->out_ctr[i - 1] != 0 ) 05360 break; 05361 05362 /* The loop goes to its end iff the counter is wrapping */ 05363 if( i == 0 ) 05364 { 05365 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 05366 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 05367 } 05368 } 05369 else 05370 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 05371 memset( ssl->out_ctr, 0, 8 ); 05372 05373 ssl->transform_out = ssl->transform_negotiate; 05374 ssl->session_out = ssl->session_negotiate; 05375 05376 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05377 if( mbedtls_ssl_hw_record_activate != NULL ) 05378 { 05379 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 05380 { 05381 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 05382 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05383 } 05384 } 05385 #endif 05386 05387 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05388 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05389 mbedtls_ssl_send_flight_completed( ssl ); 05390 #endif 05391 05392 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 05393 { 05394 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 05395 return( ret ); 05396 } 05397 05398 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) ); 05399 05400 return( 0 ); 05401 } 05402 05403 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05404 #define SSL_MAX_HASH_LEN 36 05405 #else 05406 #define SSL_MAX_HASH_LEN 12 05407 #endif 05408 05409 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) 05410 { 05411 int ret; 05412 unsigned int hash_len; 05413 unsigned char buf[SSL_MAX_HASH_LEN]; 05414 05415 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); 05416 05417 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 ); 05418 05419 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 05420 { 05421 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 05422 return( ret ); 05423 } 05424 05425 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 05426 { 05427 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05428 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 05429 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 05430 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 05431 } 05432 05433 /* There is currently no ciphersuite using another length with TLS 1.2 */ 05434 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05435 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 05436 hash_len = 36; 05437 else 05438 #endif 05439 hash_len = 12; 05440 05441 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED || 05442 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len ) 05443 { 05444 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05445 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 05446 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 05447 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05448 } 05449 05450 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), 05451 buf, hash_len ) != 0 ) 05452 { 05453 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05454 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 05455 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 05456 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05457 } 05458 05459 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05460 ssl->verify_data_len = hash_len; 05461 memcpy( ssl->peer_verify_data, buf, hash_len ); 05462 #endif 05463 05464 if( ssl->handshake->resume != 0 ) 05465 { 05466 #if defined(MBEDTLS_SSL_CLI_C) 05467 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05468 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05469 #endif 05470 #if defined(MBEDTLS_SSL_SRV_C) 05471 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05472 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05473 #endif 05474 } 05475 else 05476 ssl->state++; 05477 05478 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05479 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05480 mbedtls_ssl_recv_flight_completed( ssl ); 05481 #endif 05482 05483 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) ); 05484 05485 return( 0 ); 05486 } 05487 05488 static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) 05489 { 05490 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); 05491 05492 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 05493 defined(MBEDTLS_SSL_PROTO_TLS1_1) 05494 mbedtls_md5_init( &handshake->fin_md5 ); 05495 mbedtls_sha1_init( &handshake->fin_sha1 ); 05496 mbedtls_md5_starts_ret( &handshake->fin_md5 ); 05497 mbedtls_sha1_starts_ret( &handshake->fin_sha1 ); 05498 #endif 05499 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 05500 #if defined(MBEDTLS_SHA256_C) 05501 mbedtls_sha256_init( &handshake->fin_sha256 ); 05502 mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 ); 05503 #endif 05504 #if defined(MBEDTLS_SHA512_C) 05505 mbedtls_sha512_init( &handshake->fin_sha512 ); 05506 mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 ); 05507 #endif 05508 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 05509 05510 handshake->update_checksum = ssl_update_checksum_start; 05511 05512 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 05513 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 05514 mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs ); 05515 #endif 05516 05517 #if defined(MBEDTLS_DHM_C) 05518 mbedtls_dhm_init( &handshake->dhm_ctx ); 05519 #endif 05520 #if defined(MBEDTLS_ECDH_C) 05521 mbedtls_ecdh_init( &handshake->ecdh_ctx ); 05522 #endif 05523 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 05524 mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); 05525 #if defined(MBEDTLS_SSL_CLI_C) 05526 handshake->ecjpake_cache = NULL; 05527 handshake->ecjpake_cache_len = 0; 05528 #endif 05529 #endif 05530 05531 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05532 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; 05533 #endif 05534 } 05535 05536 static void ssl_transform_init( mbedtls_ssl_transform *transform ) 05537 { 05538 memset( transform, 0, sizeof(mbedtls_ssl_transform) ); 05539 05540 mbedtls_cipher_init( &transform->cipher_ctx_enc ); 05541 mbedtls_cipher_init( &transform->cipher_ctx_dec ); 05542 05543 mbedtls_md_init( &transform->md_ctx_enc ); 05544 mbedtls_md_init( &transform->md_ctx_dec ); 05545 } 05546 05547 void mbedtls_ssl_session_init( mbedtls_ssl_session *session ) 05548 { 05549 memset( session, 0, sizeof(mbedtls_ssl_session) ); 05550 } 05551 05552 static int ssl_handshake_init( mbedtls_ssl_context *ssl ) 05553 { 05554 /* Clear old handshake information if present */ 05555 if( ssl->transform_negotiate ) 05556 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 05557 if( ssl->session_negotiate ) 05558 mbedtls_ssl_session_free( ssl->session_negotiate ); 05559 if( ssl->handshake ) 05560 mbedtls_ssl_handshake_free( ssl->handshake ); 05561 05562 /* 05563 * Either the pointers are now NULL or cleared properly and can be freed. 05564 * Now allocate missing structures. 05565 */ 05566 if( ssl->transform_negotiate == NULL ) 05567 { 05568 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) ); 05569 } 05570 05571 if( ssl->session_negotiate == NULL ) 05572 { 05573 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) ); 05574 } 05575 05576 if( ssl->handshake == NULL ) 05577 { 05578 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) ); 05579 } 05580 05581 /* All pointers should exist and can be directly freed without issue */ 05582 if( ssl->handshake == NULL || 05583 ssl->transform_negotiate == NULL || 05584 ssl->session_negotiate == NULL ) 05585 { 05586 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) ); 05587 05588 mbedtls_free( ssl->handshake ); 05589 mbedtls_free( ssl->transform_negotiate ); 05590 mbedtls_free( ssl->session_negotiate ); 05591 05592 ssl->handshake = NULL; 05593 ssl->transform_negotiate = NULL; 05594 ssl->session_negotiate = NULL; 05595 05596 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05597 } 05598 05599 /* Initialize structures */ 05600 mbedtls_ssl_session_init( ssl->session_negotiate ); 05601 ssl_transform_init( ssl->transform_negotiate ); 05602 ssl_handshake_params_init( ssl->handshake ); 05603 05604 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05605 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05606 { 05607 ssl->handshake->alt_transform_out = ssl->transform_out; 05608 05609 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05610 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 05611 else 05612 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 05613 05614 ssl_set_timer( ssl, 0 ); 05615 } 05616 #endif 05617 05618 return( 0 ); 05619 } 05620 05621 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05622 /* Dummy cookie callbacks for defaults */ 05623 static int ssl_cookie_write_dummy( void *ctx, 05624 unsigned char **p, unsigned char *end, 05625 const unsigned char *cli_id, size_t cli_id_len ) 05626 { 05627 ((void) ctx); 05628 ((void) p); 05629 ((void) end); 05630 ((void) cli_id); 05631 ((void) cli_id_len); 05632 05633 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05634 } 05635 05636 static int ssl_cookie_check_dummy( void *ctx, 05637 const unsigned char *cookie, size_t cookie_len, 05638 const unsigned char *cli_id, size_t cli_id_len ) 05639 { 05640 ((void) ctx); 05641 ((void) cookie); 05642 ((void) cookie_len); 05643 ((void) cli_id); 05644 ((void) cli_id_len); 05645 05646 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05647 } 05648 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 05649 05650 /* 05651 * Initialize an SSL context 05652 */ 05653 void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) 05654 { 05655 memset( ssl, 0, sizeof( mbedtls_ssl_context ) ); 05656 } 05657 05658 /* 05659 * Setup an SSL context 05660 */ 05661 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, 05662 const mbedtls_ssl_config *conf ) 05663 { 05664 int ret; 05665 const size_t len = MBEDTLS_SSL_BUFFER_LEN; 05666 05667 ssl->conf = conf; 05668 05669 /* 05670 * Prepare base structures 05671 */ 05672 if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL || 05673 ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL ) 05674 { 05675 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) ); 05676 mbedtls_free( ssl->in_buf ); 05677 ssl->in_buf = NULL; 05678 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05679 } 05680 05681 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05682 if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05683 { 05684 ssl->out_hdr = ssl->out_buf; 05685 ssl->out_ctr = ssl->out_buf + 3; 05686 ssl->out_len = ssl->out_buf + 11; 05687 ssl->out_iv = ssl->out_buf + 13; 05688 ssl->out_msg = ssl->out_buf + 13; 05689 05690 ssl->in_hdr = ssl->in_buf; 05691 ssl->in_ctr = ssl->in_buf + 3; 05692 ssl->in_len = ssl->in_buf + 11; 05693 ssl->in_iv = ssl->in_buf + 13; 05694 ssl->in_msg = ssl->in_buf + 13; 05695 } 05696 else 05697 #endif 05698 { 05699 ssl->out_ctr = ssl->out_buf; 05700 ssl->out_hdr = ssl->out_buf + 8; 05701 ssl->out_len = ssl->out_buf + 11; 05702 ssl->out_iv = ssl->out_buf + 13; 05703 ssl->out_msg = ssl->out_buf + 13; 05704 05705 ssl->in_ctr = ssl->in_buf; 05706 ssl->in_hdr = ssl->in_buf + 8; 05707 ssl->in_len = ssl->in_buf + 11; 05708 ssl->in_iv = ssl->in_buf + 13; 05709 ssl->in_msg = ssl->in_buf + 13; 05710 } 05711 05712 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05713 return( ret ); 05714 05715 return( 0 ); 05716 } 05717 05718 /* 05719 * Reset an initialized and used SSL context for re-use while retaining 05720 * all application-set variables, function pointers and data. 05721 * 05722 * If partial is non-zero, keep data in the input buffer and client ID. 05723 * (Use when a DTLS client reconnects from the same port.) 05724 */ 05725 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) 05726 { 05727 int ret; 05728 05729 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 05730 05731 /* Cancel any possibly running timer */ 05732 ssl_set_timer( ssl, 0 ); 05733 05734 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05735 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE; 05736 ssl->renego_records_seen = 0; 05737 05738 ssl->verify_data_len = 0; 05739 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05740 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05741 #endif 05742 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION; 05743 05744 ssl->in_offt = NULL; 05745 05746 ssl->in_msg = ssl->in_buf + 13; 05747 ssl->in_msgtype = 0; 05748 ssl->in_msglen = 0; 05749 if( partial == 0 ) 05750 ssl->in_left = 0; 05751 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05752 ssl->next_record_offset = 0; 05753 ssl->in_epoch = 0; 05754 #endif 05755 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05756 ssl_dtls_replay_reset( ssl ); 05757 #endif 05758 05759 ssl->in_hslen = 0; 05760 ssl->nb_zero = 0; 05761 05762 ssl->keep_current_message = 0; 05763 05764 ssl->out_msg = ssl->out_buf + 13; 05765 ssl->out_msgtype = 0; 05766 ssl->out_msglen = 0; 05767 ssl->out_left = 0; 05768 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 05769 if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ) 05770 ssl->split_done = 0; 05771 #endif 05772 05773 ssl->transform_in = NULL; 05774 ssl->transform_out = NULL; 05775 05776 memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05777 if( partial == 0 ) 05778 memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05779 05780 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05781 if( mbedtls_ssl_hw_record_reset != NULL ) 05782 { 05783 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) ); 05784 if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 ) 05785 { 05786 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret ); 05787 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05788 } 05789 } 05790 #endif 05791 05792 if( ssl->transform ) 05793 { 05794 mbedtls_ssl_transform_free( ssl->transform ); 05795 mbedtls_free( ssl->transform ); 05796 ssl->transform = NULL; 05797 } 05798 05799 if( ssl->session ) 05800 { 05801 mbedtls_ssl_session_free( ssl->session ); 05802 mbedtls_free( ssl->session ); 05803 ssl->session = NULL; 05804 } 05805 05806 #if defined(MBEDTLS_SSL_ALPN) 05807 ssl->alpn_chosen = NULL; 05808 #endif 05809 05810 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05811 if( partial == 0 ) 05812 { 05813 mbedtls_free( ssl->cli_id ); 05814 ssl->cli_id = NULL; 05815 ssl->cli_id_len = 0; 05816 } 05817 #endif 05818 05819 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05820 return( ret ); 05821 05822 return( 0 ); 05823 } 05824 05825 /* 05826 * Reset an initialized and used SSL context for re-use while retaining 05827 * all application-set variables, function pointers and data. 05828 */ 05829 int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ) 05830 { 05831 return( ssl_session_reset_int( ssl, 0 ) ); 05832 } 05833 05834 /* 05835 * SSL set accessors 05836 */ 05837 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ) 05838 { 05839 conf->endpoint = endpoint; 05840 } 05841 05842 void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ) 05843 { 05844 conf->transport = transport; 05845 } 05846 05847 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05848 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ) 05849 { 05850 conf->anti_replay = mode; 05851 } 05852 #endif 05853 05854 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 05855 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ) 05856 { 05857 conf->badmac_limit = limit; 05858 } 05859 #endif 05860 05861 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05862 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ) 05863 { 05864 conf->hs_timeout_min = min; 05865 conf->hs_timeout_max = max; 05866 } 05867 #endif 05868 05869 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) 05870 { 05871 conf->authmode = authmode; 05872 } 05873 05874 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05875 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, 05876 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 05877 void *p_vrfy ) 05878 { 05879 conf->f_vrfy = f_vrfy; 05880 conf->p_vrfy = p_vrfy; 05881 } 05882 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 05883 05884 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, 05885 int (*f_rng)(void *, unsigned char *, size_t), 05886 void *p_rng ) 05887 { 05888 conf->f_rng = f_rng; 05889 conf->p_rng = p_rng; 05890 } 05891 05892 void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf, 05893 void (*f_dbg)(void *, int, const char *, int, const char *), 05894 void *p_dbg ) 05895 { 05896 conf->f_dbg = f_dbg; 05897 conf->p_dbg = p_dbg; 05898 } 05899 05900 void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, 05901 void *p_bio, 05902 mbedtls_ssl_send_t *f_send, 05903 mbedtls_ssl_recv_t *f_recv, 05904 mbedtls_ssl_recv_timeout_t *f_recv_timeout ) 05905 { 05906 ssl->p_bio = p_bio; 05907 ssl->f_send = f_send; 05908 ssl->f_recv = f_recv; 05909 ssl->f_recv_timeout = f_recv_timeout; 05910 } 05911 05912 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ) 05913 { 05914 conf->read_timeout = timeout; 05915 } 05916 05917 void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, 05918 void *p_timer, 05919 mbedtls_ssl_set_timer_t *f_set_timer, 05920 mbedtls_ssl_get_timer_t *f_get_timer ) 05921 { 05922 ssl->p_timer = p_timer; 05923 ssl->f_set_timer = f_set_timer; 05924 ssl->f_get_timer = f_get_timer; 05925 05926 /* Make sure we start with no timer running */ 05927 ssl_set_timer( ssl, 0 ); 05928 } 05929 05930 #if defined(MBEDTLS_SSL_SRV_C) 05931 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, 05932 void *p_cache, 05933 int (*f_get_cache)(void *, mbedtls_ssl_session *), 05934 int (*f_set_cache)(void *, const mbedtls_ssl_session *) ) 05935 { 05936 conf->p_cache = p_cache; 05937 conf->f_get_cache = f_get_cache; 05938 conf->f_set_cache = f_set_cache; 05939 } 05940 #endif /* MBEDTLS_SSL_SRV_C */ 05941 05942 #if defined(MBEDTLS_SSL_CLI_C) 05943 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ) 05944 { 05945 int ret; 05946 05947 if( ssl == NULL || 05948 session == NULL || 05949 ssl->session_negotiate == NULL || 05950 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 05951 { 05952 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05953 } 05954 05955 if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 ) 05956 return( ret ); 05957 05958 ssl->handshake->resume = 1; 05959 05960 return( 0 ); 05961 } 05962 #endif /* MBEDTLS_SSL_CLI_C */ 05963 05964 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, 05965 const int *ciphersuites ) 05966 { 05967 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; 05968 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; 05969 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; 05970 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; 05971 } 05972 05973 void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, 05974 const int *ciphersuites, 05975 int major, int minor ) 05976 { 05977 if( major != MBEDTLS_SSL_MAJOR_VERSION_3 ) 05978 return; 05979 05980 if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 ) 05981 return; 05982 05983 conf->ciphersuite_list [minor] = ciphersuites; 05984 } 05985 05986 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05987 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf, 05988 const mbedtls_x509_crt_profile *profile ) 05989 { 05990 conf->cert_profile = profile; 05991 } 05992 05993 /* Append a new keycert entry to a (possibly empty) list */ 05994 static int ssl_append_key_cert( mbedtls_ssl_key_cert **head, 05995 mbedtls_x509_crt *cert, 05996 mbedtls_pk_context *key ) 05997 { 05998 mbedtls_ssl_key_cert *new; 05999 06000 new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) ); 06001 if( new == NULL ) 06002 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 06003 06004 new->cert = cert; 06005 new->key = key; 06006 new->next = NULL; 06007 06008 /* Update head is the list was null, else add to the end */ 06009 if( *head == NULL ) 06010 { 06011 *head = new; 06012 } 06013 else 06014 { 06015 mbedtls_ssl_key_cert *cur = *head; 06016 while( cur->next != NULL ) 06017 cur = cur->next; 06018 cur->next = new; 06019 } 06020 06021 return( 0 ); 06022 } 06023 06024 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, 06025 mbedtls_x509_crt *own_cert, 06026 mbedtls_pk_context *pk_key ) 06027 { 06028 return( ssl_append_key_cert( &conf->key_cert , own_cert, pk_key ) ); 06029 } 06030 06031 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf, 06032 mbedtls_x509_crt *ca_chain, 06033 mbedtls_x509_crl *ca_crl ) 06034 { 06035 conf->ca_chain = ca_chain; 06036 conf->ca_crl = ca_crl; 06037 } 06038 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06039 06040 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 06041 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, 06042 mbedtls_x509_crt *own_cert, 06043 mbedtls_pk_context *pk_key ) 06044 { 06045 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert, 06046 own_cert, pk_key ) ); 06047 } 06048 06049 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl, 06050 mbedtls_x509_crt *ca_chain, 06051 mbedtls_x509_crl *ca_crl ) 06052 { 06053 ssl->handshake->sni_ca_chain = ca_chain; 06054 ssl->handshake->sni_ca_crl = ca_crl; 06055 } 06056 06057 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl, 06058 int authmode ) 06059 { 06060 ssl->handshake->sni_authmode = authmode; 06061 } 06062 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 06063 06064 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 06065 /* 06066 * Set EC J-PAKE password for current handshake 06067 */ 06068 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, 06069 const unsigned char *pw, 06070 size_t pw_len ) 06071 { 06072 mbedtls_ecjpake_role role; 06073 06074 if( ssl->handshake == NULL || ssl->conf == NULL ) 06075 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06076 06077 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06078 role = MBEDTLS_ECJPAKE_SERVER; 06079 else 06080 role = MBEDTLS_ECJPAKE_CLIENT; 06081 06082 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx, 06083 role, 06084 MBEDTLS_MD_SHA256, 06085 MBEDTLS_ECP_DP_SECP256R1, 06086 pw, pw_len ) ); 06087 } 06088 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 06089 06090 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 06091 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, 06092 const unsigned char *psk, size_t psk_len, 06093 const unsigned char *psk_identity, size_t psk_identity_len ) 06094 { 06095 if( psk == NULL || psk_identity == NULL ) 06096 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06097 06098 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 06099 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06100 06101 /* Identity len will be encoded on two bytes */ 06102 if( ( psk_identity_len >> 16 ) != 0 || 06103 psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) 06104 { 06105 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06106 } 06107 06108 if( conf->psk != NULL ) 06109 { 06110 mbedtls_platform_zeroize( conf->psk , conf->psk_len ); 06111 06112 mbedtls_free( conf->psk ); 06113 conf->psk = NULL; 06114 conf->psk_len = 0; 06115 } 06116 if( conf->psk_identity != NULL ) 06117 { 06118 mbedtls_free( conf->psk_identity ); 06119 conf->psk_identity = NULL; 06120 conf->psk_identity_len = 0; 06121 } 06122 06123 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL || 06124 ( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL ) 06125 { 06126 mbedtls_free( conf->psk ); 06127 mbedtls_free( conf->psk_identity ); 06128 conf->psk = NULL; 06129 conf->psk_identity = NULL; 06130 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 06131 } 06132 06133 conf->psk_len = psk_len; 06134 conf->psk_identity_len = psk_identity_len; 06135 06136 memcpy( conf->psk , psk, conf->psk_len ); 06137 memcpy( conf->psk_identity , psk_identity, conf->psk_identity_len ); 06138 06139 return( 0 ); 06140 } 06141 06142 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, 06143 const unsigned char *psk, size_t psk_len ) 06144 { 06145 if( psk == NULL || ssl->handshake == NULL ) 06146 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06147 06148 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 06149 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06150 06151 if( ssl->handshake->psk != NULL ) 06152 { 06153 mbedtls_platform_zeroize( ssl->handshake->psk, 06154 ssl->handshake->psk_len ); 06155 mbedtls_free( ssl->handshake->psk ); 06156 ssl->handshake->psk_len = 0; 06157 } 06158 06159 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) 06160 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 06161 06162 ssl->handshake->psk_len = psk_len; 06163 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len ); 06164 06165 return( 0 ); 06166 } 06167 06168 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, 06169 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, 06170 size_t), 06171 void *p_psk ) 06172 { 06173 conf->f_psk = f_psk; 06174 conf->p_psk = p_psk; 06175 } 06176 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 06177 06178 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 06179 06180 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 06181 int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ) 06182 { 06183 int ret; 06184 06185 if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P , 16, dhm_P ) ) != 0 || 06186 ( ret = mbedtls_mpi_read_string( &conf->dhm_G , 16, dhm_G ) ) != 0 ) 06187 { 06188 mbedtls_mpi_free( &conf->dhm_P ); 06189 mbedtls_mpi_free( &conf->dhm_G ); 06190 return( ret ); 06191 } 06192 06193 return( 0 ); 06194 } 06195 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 06196 06197 int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf, 06198 const unsigned char *dhm_P, size_t P_len, 06199 const unsigned char *dhm_G, size_t G_len ) 06200 { 06201 int ret; 06202 06203 if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P , dhm_P, P_len ) ) != 0 || 06204 ( ret = mbedtls_mpi_read_binary( &conf->dhm_G , dhm_G, G_len ) ) != 0 ) 06205 { 06206 mbedtls_mpi_free( &conf->dhm_P ); 06207 mbedtls_mpi_free( &conf->dhm_G ); 06208 return( ret ); 06209 } 06210 06211 return( 0 ); 06212 } 06213 06214 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) 06215 { 06216 int ret; 06217 06218 if( ( ret = mbedtls_mpi_copy( &conf->dhm_P , &dhm_ctx->P ) ) != 0 || 06219 ( ret = mbedtls_mpi_copy( &conf->dhm_G , &dhm_ctx->G ) ) != 0 ) 06220 { 06221 mbedtls_mpi_free( &conf->dhm_P ); 06222 mbedtls_mpi_free( &conf->dhm_G ); 06223 return( ret ); 06224 } 06225 06226 return( 0 ); 06227 } 06228 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */ 06229 06230 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 06231 /* 06232 * Set the minimum length for Diffie-Hellman parameters 06233 */ 06234 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, 06235 unsigned int bitlen ) 06236 { 06237 conf->dhm_min_bitlen = bitlen; 06238 } 06239 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ 06240 06241 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 06242 /* 06243 * Set allowed/preferred hashes for handshake signatures 06244 */ 06245 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, 06246 const int *hashes ) 06247 { 06248 conf->sig_hashes = hashes; 06249 } 06250 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 06251 06252 #if defined(MBEDTLS_ECP_C) 06253 /* 06254 * Set the allowed elliptic curves 06255 */ 06256 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, 06257 const mbedtls_ecp_group_id *curve_list ) 06258 { 06259 conf->curve_list = curve_list; 06260 } 06261 #endif /* MBEDTLS_ECP_C */ 06262 06263 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06264 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) 06265 { 06266 /* Initialize to suppress unnecessary compiler warning */ 06267 size_t hostname_len = 0; 06268 06269 /* Check if new hostname is valid before 06270 * making any change to current one */ 06271 if( hostname != NULL ) 06272 { 06273 hostname_len = strlen( hostname ); 06274 06275 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN ) 06276 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06277 } 06278 06279 /* Now it's clear that we will overwrite the old hostname, 06280 * so we can free it safely */ 06281 06282 if( ssl->hostname != NULL ) 06283 { 06284 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) ); 06285 mbedtls_free( ssl->hostname ); 06286 } 06287 06288 /* Passing NULL as hostname shall clear the old one */ 06289 06290 if( hostname == NULL ) 06291 { 06292 ssl->hostname = NULL; 06293 } 06294 else 06295 { 06296 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 ); 06297 if( ssl->hostname == NULL ) 06298 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 06299 06300 memcpy( ssl->hostname, hostname, hostname_len ); 06301 06302 ssl->hostname[hostname_len] = '\0'; 06303 } 06304 06305 return( 0 ); 06306 } 06307 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06308 06309 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 06310 void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, 06311 int (*f_sni)(void *, mbedtls_ssl_context *, 06312 const unsigned char *, size_t), 06313 void *p_sni ) 06314 { 06315 conf->f_sni = f_sni; 06316 conf->p_sni = p_sni; 06317 } 06318 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 06319 06320 #if defined(MBEDTLS_SSL_ALPN) 06321 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ) 06322 { 06323 size_t cur_len, tot_len; 06324 const char **p; 06325 06326 /* 06327 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings 06328 * MUST NOT be truncated." 06329 * We check lengths now rather than later. 06330 */ 06331 tot_len = 0; 06332 for( p = protos; *p != NULL; p++ ) 06333 { 06334 cur_len = strlen( *p ); 06335 tot_len += cur_len; 06336 06337 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 ) 06338 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06339 } 06340 06341 conf->alpn_list = protos; 06342 06343 return( 0 ); 06344 } 06345 06346 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ) 06347 { 06348 return( ssl->alpn_chosen ); 06349 } 06350 #endif /* MBEDTLS_SSL_ALPN */ 06351 06352 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ) 06353 { 06354 conf->max_major_ver = major; 06355 conf->max_minor_ver = minor; 06356 } 06357 06358 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ) 06359 { 06360 conf->min_major_ver = major; 06361 conf->min_minor_ver = minor; 06362 } 06363 06364 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) 06365 void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ) 06366 { 06367 conf->fallback = fallback; 06368 } 06369 #endif 06370 06371 #if defined(MBEDTLS_SSL_SRV_C) 06372 void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, 06373 char cert_req_ca_list ) 06374 { 06375 conf->cert_req_ca_list = cert_req_ca_list; 06376 } 06377 #endif 06378 06379 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 06380 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ) 06381 { 06382 conf->encrypt_then_mac = etm; 06383 } 06384 #endif 06385 06386 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 06387 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems ) 06388 { 06389 conf->extended_ms = ems; 06390 } 06391 #endif 06392 06393 #if defined(MBEDTLS_ARC4_C) 06394 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ) 06395 { 06396 conf->arc4_disabled = arc4; 06397 } 06398 #endif 06399 06400 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06401 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ) 06402 { 06403 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || 06404 mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN ) 06405 { 06406 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06407 } 06408 06409 conf->mfl_code = mfl_code; 06410 06411 return( 0 ); 06412 } 06413 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06414 06415 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 06416 void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) 06417 { 06418 conf->trunc_hmac = truncate; 06419 } 06420 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 06421 06422 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06423 void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ) 06424 { 06425 conf->cbc_record_splitting = split; 06426 } 06427 #endif 06428 06429 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) 06430 { 06431 conf->allow_legacy_renegotiation = allow_legacy; 06432 } 06433 06434 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06435 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation ) 06436 { 06437 conf->disable_renegotiation = renegotiation; 06438 } 06439 06440 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ) 06441 { 06442 conf->renego_max_records = max_records; 06443 } 06444 06445 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf, 06446 const unsigned char period[8] ) 06447 { 06448 memcpy( conf->renego_period , period, 8 ); 06449 } 06450 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06451 06452 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 06453 #if defined(MBEDTLS_SSL_CLI_C) 06454 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) 06455 { 06456 conf->session_tickets = use_tickets; 06457 } 06458 #endif 06459 06460 #if defined(MBEDTLS_SSL_SRV_C) 06461 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, 06462 mbedtls_ssl_ticket_write_t *f_ticket_write, 06463 mbedtls_ssl_ticket_parse_t *f_ticket_parse, 06464 void *p_ticket ) 06465 { 06466 conf->f_ticket_write = f_ticket_write; 06467 conf->f_ticket_parse = f_ticket_parse; 06468 conf->p_ticket = p_ticket; 06469 } 06470 #endif 06471 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 06472 06473 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 06474 void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, 06475 mbedtls_ssl_export_keys_t *f_export_keys, 06476 void *p_export_keys ) 06477 { 06478 conf->f_export_keys = f_export_keys; 06479 conf->p_export_keys = p_export_keys; 06480 } 06481 #endif 06482 06483 /* 06484 * SSL get accessors 06485 */ 06486 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ) 06487 { 06488 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); 06489 } 06490 06491 int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl ) 06492 { 06493 /* 06494 * Case A: We're currently holding back 06495 * a message for further processing. 06496 */ 06497 06498 if( ssl->keep_current_message == 1 ) 06499 { 06500 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) ); 06501 return( 1 ); 06502 } 06503 06504 /* 06505 * Case B: Further records are pending in the current datagram. 06506 */ 06507 06508 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06509 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 06510 ssl->in_left > ssl->next_record_offset ) 06511 { 06512 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) ); 06513 return( 1 ); 06514 } 06515 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 06516 06517 /* 06518 * Case C: A handshake message is being processed. 06519 */ 06520 06521 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen ) 06522 { 06523 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) ); 06524 return( 1 ); 06525 } 06526 06527 /* 06528 * Case D: An application data message is being processed 06529 */ 06530 if( ssl->in_offt != NULL ) 06531 { 06532 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) ); 06533 return( 1 ); 06534 } 06535 06536 /* 06537 * In all other cases, the rest of the message can be dropped. 06538 * As in ssl_read_record_layer, this needs to be adapted if 06539 * we implement support for multiple alerts in single records. 06540 */ 06541 06542 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) ); 06543 return( 0 ); 06544 } 06545 06546 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl ) 06547 { 06548 if( ssl->session != NULL ) 06549 return( ssl->session->verify_result ); 06550 06551 if( ssl->session_negotiate != NULL ) 06552 return( ssl->session_negotiate->verify_result ); 06553 06554 return( 0xFFFFFFFF ); 06555 } 06556 06557 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl ) 06558 { 06559 if( ssl == NULL || ssl->session == NULL ) 06560 return( NULL ); 06561 06562 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite ); 06563 } 06564 06565 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) 06566 { 06567 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06568 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06569 { 06570 switch( ssl->minor_ver ) 06571 { 06572 case MBEDTLS_SSL_MINOR_VERSION_2: 06573 return( "DTLSv1.0" ); 06574 06575 case MBEDTLS_SSL_MINOR_VERSION_3: 06576 return( "DTLSv1.2" ); 06577 06578 default: 06579 return( "unknown (DTLS)" ); 06580 } 06581 } 06582 #endif 06583 06584 switch( ssl->minor_ver ) 06585 { 06586 case MBEDTLS_SSL_MINOR_VERSION_0: 06587 return( "SSLv3.0" ); 06588 06589 case MBEDTLS_SSL_MINOR_VERSION_1: 06590 return( "TLSv1.0" ); 06591 06592 case MBEDTLS_SSL_MINOR_VERSION_2: 06593 return( "TLSv1.1" ); 06594 06595 case MBEDTLS_SSL_MINOR_VERSION_3: 06596 return( "TLSv1.2" ); 06597 06598 default: 06599 return( "unknown" ); 06600 } 06601 } 06602 06603 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) 06604 { 06605 size_t transform_expansion; 06606 const mbedtls_ssl_transform *transform = ssl->transform_out; 06607 06608 #if defined(MBEDTLS_ZLIB_SUPPORT) 06609 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL ) 06610 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 06611 #endif 06612 06613 if( transform == NULL ) 06614 return( (int) mbedtls_ssl_hdr_len( ssl ) ); 06615 06616 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) ) 06617 { 06618 case MBEDTLS_MODE_GCM: 06619 case MBEDTLS_MODE_CCM: 06620 case MBEDTLS_MODE_STREAM: 06621 transform_expansion = transform->minlen; 06622 break; 06623 06624 case MBEDTLS_MODE_CBC: 06625 transform_expansion = transform->maclen 06626 + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc ); 06627 break; 06628 06629 default: 06630 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 06631 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 06632 } 06633 06634 return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) ); 06635 } 06636 06637 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06638 size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ) 06639 { 06640 size_t max_len; 06641 06642 /* 06643 * Assume mfl_code is correct since it was checked when set 06644 */ 06645 max_len = mfl_code_to_length[ssl->conf->mfl_code]; 06646 06647 /* 06648 * Check if a smaller max length was negotiated 06649 */ 06650 if( ssl->session_out != NULL && 06651 mfl_code_to_length[ssl->session_out->mfl_code] < max_len ) 06652 { 06653 max_len = mfl_code_to_length[ssl->session_out->mfl_code]; 06654 } 06655 06656 return max_len; 06657 } 06658 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06659 06660 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06661 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl ) 06662 { 06663 if( ssl == NULL || ssl->session == NULL ) 06664 return( NULL ); 06665 06666 return( ssl->session->peer_cert ); 06667 } 06668 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06669 06670 #if defined(MBEDTLS_SSL_CLI_C) 06671 int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst ) 06672 { 06673 if( ssl == NULL || 06674 dst == NULL || 06675 ssl->session == NULL || 06676 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 06677 { 06678 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06679 } 06680 06681 return( ssl_session_copy( dst, ssl->session ) ); 06682 } 06683 #endif /* MBEDTLS_SSL_CLI_C */ 06684 06685 /* 06686 * Perform a single step of the SSL handshake 06687 */ 06688 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) 06689 { 06690 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06691 06692 if( ssl == NULL || ssl->conf == NULL ) 06693 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06694 06695 #if defined(MBEDTLS_SSL_CLI_C) 06696 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 06697 ret = mbedtls_ssl_handshake_client_step( ssl ); 06698 #endif 06699 #if defined(MBEDTLS_SSL_SRV_C) 06700 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06701 ret = mbedtls_ssl_handshake_server_step( ssl ); 06702 #endif 06703 06704 return( ret ); 06705 } 06706 06707 /* 06708 * Perform the SSL handshake 06709 */ 06710 int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) 06711 { 06712 int ret = 0; 06713 06714 if( ssl == NULL || ssl->conf == NULL ) 06715 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06716 06717 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); 06718 06719 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06720 { 06721 ret = mbedtls_ssl_handshake_step( ssl ); 06722 06723 if( ret != 0 ) 06724 break; 06725 } 06726 06727 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) ); 06728 06729 return( ret ); 06730 } 06731 06732 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06733 #if defined(MBEDTLS_SSL_SRV_C) 06734 /* 06735 * Write HelloRequest to request renegotiation on server 06736 */ 06737 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ) 06738 { 06739 int ret; 06740 06741 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) ); 06742 06743 ssl->out_msglen = 4; 06744 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 06745 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; 06746 06747 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 06748 { 06749 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 06750 return( ret ); 06751 } 06752 06753 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) ); 06754 06755 return( 0 ); 06756 } 06757 #endif /* MBEDTLS_SSL_SRV_C */ 06758 06759 /* 06760 * Actually renegotiate current connection, triggered by either: 06761 * - any side: calling mbedtls_ssl_renegotiate(), 06762 * - client: receiving a HelloRequest during mbedtls_ssl_read(), 06763 * - server: receiving any handshake message on server during mbedtls_ssl_read() after 06764 * the initial handshake is completed. 06765 * If the handshake doesn't complete due to waiting for I/O, it will continue 06766 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. 06767 */ 06768 static int ssl_start_renegotiation( mbedtls_ssl_context *ssl ) 06769 { 06770 int ret; 06771 06772 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) ); 06773 06774 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 06775 return( ret ); 06776 06777 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and 06778 * the ServerHello will have message_seq = 1" */ 06779 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06780 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 06781 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06782 { 06783 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06784 ssl->handshake->out_msg_seq = 1; 06785 else 06786 ssl->handshake->in_msg_seq = 1; 06787 } 06788 #endif 06789 06790 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 06791 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; 06792 06793 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06794 { 06795 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06796 return( ret ); 06797 } 06798 06799 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) ); 06800 06801 return( 0 ); 06802 } 06803 06804 /* 06805 * Renegotiate current connection on client, 06806 * or request renegotiation on server 06807 */ 06808 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) 06809 { 06810 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06811 06812 if( ssl == NULL || ssl->conf == NULL ) 06813 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06814 06815 #if defined(MBEDTLS_SSL_SRV_C) 06816 /* On server, just send the request */ 06817 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06818 { 06819 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06820 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06821 06822 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 06823 06824 /* Did we already try/start sending HelloRequest? */ 06825 if( ssl->out_left != 0 ) 06826 return( mbedtls_ssl_flush_output( ssl ) ); 06827 06828 return( ssl_write_hello_request( ssl ) ); 06829 } 06830 #endif /* MBEDTLS_SSL_SRV_C */ 06831 06832 #if defined(MBEDTLS_SSL_CLI_C) 06833 /* 06834 * On client, either start the renegotiation process or, 06835 * if already in progress, continue the handshake 06836 */ 06837 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 06838 { 06839 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06840 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06841 06842 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 ) 06843 { 06844 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 06845 return( ret ); 06846 } 06847 } 06848 else 06849 { 06850 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06851 { 06852 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06853 return( ret ); 06854 } 06855 } 06856 #endif /* MBEDTLS_SSL_CLI_C */ 06857 06858 return( ret ); 06859 } 06860 06861 /* 06862 * Check record counters and renegotiate if they're above the limit. 06863 */ 06864 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) 06865 { 06866 size_t ep_len = ssl_ep_len( ssl ); 06867 int in_ctr_cmp; 06868 int out_ctr_cmp; 06869 06870 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || 06871 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || 06872 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) 06873 { 06874 return( 0 ); 06875 } 06876 06877 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len, 06878 ssl->conf->renego_period + ep_len, 8 - ep_len ); 06879 out_ctr_cmp = memcmp( ssl->out_ctr + ep_len, 06880 ssl->conf->renego_period + ep_len, 8 - ep_len ); 06881 06882 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 ) 06883 { 06884 return( 0 ); 06885 } 06886 06887 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) ); 06888 return( mbedtls_ssl_renegotiate( ssl ) ); 06889 } 06890 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06891 06892 /* 06893 * Receive application data decrypted from the SSL layer 06894 */ 06895 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) 06896 { 06897 int ret; 06898 size_t n; 06899 06900 if( ssl == NULL || ssl->conf == NULL ) 06901 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06902 06903 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); 06904 06905 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06906 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06907 { 06908 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 06909 return( ret ); 06910 06911 if( ssl->handshake != NULL && 06912 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 06913 { 06914 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 06915 return( ret ); 06916 } 06917 } 06918 #endif 06919 06920 /* 06921 * Check if renegotiation is necessary and/or handshake is 06922 * in process. If yes, perform/continue, and fall through 06923 * if an unexpected packet is received while the client 06924 * is waiting for the ServerHello. 06925 * 06926 * (There is no equivalent to the last condition on 06927 * the server-side as it is not treated as within 06928 * a handshake while waiting for the ClientHello 06929 * after a renegotiation request.) 06930 */ 06931 06932 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06933 ret = ssl_check_ctr_renegotiate( ssl ); 06934 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 06935 ret != 0 ) 06936 { 06937 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 06938 return( ret ); 06939 } 06940 #endif 06941 06942 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06943 { 06944 ret = mbedtls_ssl_handshake( ssl ); 06945 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 06946 ret != 0 ) 06947 { 06948 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06949 return( ret ); 06950 } 06951 } 06952 06953 /* Loop as long as no application data record is available */ 06954 while( ssl->in_offt == NULL ) 06955 { 06956 /* Start timer if not already running */ 06957 if( ssl->f_get_timer != NULL && 06958 ssl->f_get_timer( ssl->p_timer ) == -1 ) 06959 { 06960 ssl_set_timer( ssl, ssl->conf->read_timeout ); 06961 } 06962 06963 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06964 { 06965 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06966 return( 0 ); 06967 06968 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06969 return( ret ); 06970 } 06971 06972 if( ssl->in_msglen == 0 && 06973 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA ) 06974 { 06975 /* 06976 * OpenSSL sends empty messages to randomize the IV 06977 */ 06978 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06979 { 06980 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06981 return( 0 ); 06982 06983 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06984 return( ret ); 06985 } 06986 } 06987 06988 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 06989 { 06990 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); 06991 06992 /* 06993 * - For client-side, expect SERVER_HELLO_REQUEST. 06994 * - For server-side, expect CLIENT_HELLO. 06995 * - Fail (TLS) or silently drop record (DTLS) in other cases. 06996 */ 06997 06998 #if defined(MBEDTLS_SSL_CLI_C) 06999 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 07000 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || 07001 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) 07002 { 07003 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) ); 07004 07005 /* With DTLS, drop the packet (probably from last handshake) */ 07006 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07007 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07008 { 07009 continue; 07010 } 07011 #endif 07012 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 07013 } 07014 #endif /* MBEDTLS_SSL_CLI_C */ 07015 07016 #if defined(MBEDTLS_SSL_SRV_C) 07017 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 07018 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 07019 { 07020 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); 07021 07022 /* With DTLS, drop the packet (probably from last handshake) */ 07023 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07024 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07025 { 07026 continue; 07027 } 07028 #endif 07029 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 07030 } 07031 #endif /* MBEDTLS_SSL_SRV_C */ 07032 07033 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07034 /* Determine whether renegotiation attempt should be accepted */ 07035 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || 07036 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 07037 ssl->conf->allow_legacy_renegotiation == 07038 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) ) 07039 { 07040 /* 07041 * Accept renegotiation request 07042 */ 07043 07044 /* DTLS clients need to know renego is server-initiated */ 07045 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07046 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 07047 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 07048 { 07049 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 07050 } 07051 #endif 07052 ret = ssl_start_renegotiation( ssl ); 07053 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 07054 ret != 0 ) 07055 { 07056 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 07057 return( ret ); 07058 } 07059 } 07060 else 07061 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 07062 { 07063 /* 07064 * Refuse renegotiation 07065 */ 07066 07067 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); 07068 07069 #if defined(MBEDTLS_SSL_PROTO_SSL3) 07070 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 07071 { 07072 /* SSLv3 does not have a "no_renegotiation" warning, so 07073 we send a fatal alert and abort the connection. */ 07074 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 07075 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 07076 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 07077 } 07078 else 07079 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 07080 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 07081 defined(MBEDTLS_SSL_PROTO_TLS1_2) 07082 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 07083 { 07084 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 07085 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 07086 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 ) 07087 { 07088 return( ret ); 07089 } 07090 } 07091 else 07092 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || 07093 MBEDTLS_SSL_PROTO_TLS1_2 */ 07094 { 07095 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 07096 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 07097 } 07098 } 07099 07100 /* At this point, we don't know whether the renegotiation has been 07101 * completed or not. The cases to consider are the following: 07102 * 1) The renegotiation is complete. In this case, no new record 07103 * has been read yet. 07104 * 2) The renegotiation is incomplete because the client received 07105 * an application data record while awaiting the ServerHello. 07106 * 3) The renegotiation is incomplete because the client received 07107 * a non-handshake, non-application data message while awaiting 07108 * the ServerHello. 07109 * In each of these case, looping will be the proper action: 07110 * - For 1), the next iteration will read a new record and check 07111 * if it's application data. 07112 * - For 2), the loop condition isn't satisfied as application data 07113 * is present, hence continue is the same as break 07114 * - For 3), the loop condition is satisfied and read_record 07115 * will re-deliver the message that was held back by the client 07116 * when expecting the ServerHello. 07117 */ 07118 continue; 07119 } 07120 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07121 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 07122 { 07123 if( ssl->conf->renego_max_records >= 0 ) 07124 { 07125 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records ) 07126 { 07127 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 07128 "but not honored by client" ) ); 07129 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 07130 } 07131 } 07132 } 07133 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 07134 07135 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */ 07136 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 07137 { 07138 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); 07139 return( MBEDTLS_ERR_SSL_WANT_READ ); 07140 } 07141 07142 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 07143 { 07144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); 07145 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 07146 } 07147 07148 ssl->in_offt = ssl->in_msg; 07149 07150 /* We're going to return something now, cancel timer, 07151 * except if handshake (renegotiation) is in progress */ 07152 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 07153 ssl_set_timer( ssl, 0 ); 07154 07155 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07156 /* If we requested renego but received AppData, resend HelloRequest. 07157 * Do it now, after setting in_offt, to avoid taking this branch 07158 * again if ssl_write_hello_request() returns WANT_WRITE */ 07159 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 07160 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 07161 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 07162 { 07163 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 07164 { 07165 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 07166 return( ret ); 07167 } 07168 } 07169 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 07170 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 07171 } 07172 07173 n = ( len < ssl->in_msglen ) 07174 ? len : ssl->in_msglen; 07175 07176 memcpy( buf, ssl->in_offt, n ); 07177 ssl->in_msglen -= n; 07178 07179 if( ssl->in_msglen == 0 ) 07180 { 07181 /* all bytes consumed */ 07182 ssl->in_offt = NULL; 07183 ssl->keep_current_message = 0; 07184 } 07185 else 07186 { 07187 /* more data available */ 07188 ssl->in_offt += n; 07189 } 07190 07191 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); 07192 07193 return( (int) n ); 07194 } 07195 07196 /* 07197 * Send application data to be encrypted by the SSL layer, 07198 * taking care of max fragment length and buffer size 07199 */ 07200 static int ssl_write_real( mbedtls_ssl_context *ssl, 07201 const unsigned char *buf, size_t len ) 07202 { 07203 int ret; 07204 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 07205 size_t max_len = mbedtls_ssl_get_max_frag_len( ssl ); 07206 #else 07207 size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN; 07208 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 07209 if( len > max_len ) 07210 { 07211 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07212 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07213 { 07214 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " 07215 "maximum fragment length: %d > %d", 07216 len, max_len ) ); 07217 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 07218 } 07219 else 07220 #endif 07221 len = max_len; 07222 } 07223 07224 if( ssl->out_left != 0 ) 07225 { 07226 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 07227 { 07228 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 07229 return( ret ); 07230 } 07231 } 07232 else 07233 { 07234 ssl->out_msglen = len; 07235 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; 07236 memcpy( ssl->out_msg, buf, len ); 07237 07238 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 07239 { 07240 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 07241 return( ret ); 07242 } 07243 } 07244 07245 return( (int) len ); 07246 } 07247 07248 /* 07249 * Write application data, doing 1/n-1 splitting if necessary. 07250 * 07251 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE, 07252 * then the caller will call us again with the same arguments, so 07253 * remember whether we already did the split or not. 07254 */ 07255 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07256 static int ssl_write_split( mbedtls_ssl_context *ssl, 07257 const unsigned char *buf, size_t len ) 07258 { 07259 int ret; 07260 07261 if( ssl->conf->cbc_record_splitting == 07262 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED || 07263 len <= 1 || 07264 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 || 07265 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ) 07266 != MBEDTLS_MODE_CBC ) 07267 { 07268 return( ssl_write_real( ssl, buf, len ) ); 07269 } 07270 07271 if( ssl->split_done == 0 ) 07272 { 07273 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 ) 07274 return( ret ); 07275 ssl->split_done = 1; 07276 } 07277 07278 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 ) 07279 return( ret ); 07280 ssl->split_done = 0; 07281 07282 return( ret + 1 ); 07283 } 07284 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ 07285 07286 /* 07287 * Write application data (public-facing wrapper) 07288 */ 07289 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) 07290 { 07291 int ret; 07292 07293 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); 07294 07295 if( ssl == NULL || ssl->conf == NULL ) 07296 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 07297 07298 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07299 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) 07300 { 07301 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 07302 return( ret ); 07303 } 07304 #endif 07305 07306 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 07307 { 07308 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 07309 { 07310 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 07311 return( ret ); 07312 } 07313 } 07314 07315 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07316 ret = ssl_write_split( ssl, buf, len ); 07317 #else 07318 ret = ssl_write_real( ssl, buf, len ); 07319 #endif 07320 07321 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); 07322 07323 return( ret ); 07324 } 07325 07326 /* 07327 * Notify the peer that the connection is being closed 07328 */ 07329 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) 07330 { 07331 int ret; 07332 07333 if( ssl == NULL || ssl->conf == NULL ) 07334 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 07335 07336 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); 07337 07338 if( ssl->out_left != 0 ) 07339 return( mbedtls_ssl_flush_output( ssl ) ); 07340 07341 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 07342 { 07343 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 07344 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 07345 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 ) 07346 { 07347 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret ); 07348 return( ret ); 07349 } 07350 } 07351 07352 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) ); 07353 07354 return( 0 ); 07355 } 07356 07357 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) 07358 { 07359 if( transform == NULL ) 07360 return; 07361 07362 #if defined(MBEDTLS_ZLIB_SUPPORT) 07363 deflateEnd( &transform->ctx_deflate ); 07364 inflateEnd( &transform->ctx_inflate ); 07365 #endif 07366 07367 mbedtls_cipher_free( &transform->cipher_ctx_enc ); 07368 mbedtls_cipher_free( &transform->cipher_ctx_dec ); 07369 07370 mbedtls_md_free( &transform->md_ctx_enc ); 07371 mbedtls_md_free( &transform->md_ctx_dec ); 07372 07373 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) ); 07374 } 07375 07376 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07377 static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert ) 07378 { 07379 mbedtls_ssl_key_cert *cur = key_cert, *next; 07380 07381 while( cur != NULL ) 07382 { 07383 next = cur->next; 07384 mbedtls_free( cur ); 07385 cur = next; 07386 } 07387 } 07388 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 07389 07390 void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake ) 07391 { 07392 if( handshake == NULL ) 07393 return; 07394 07395 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 07396 defined(MBEDTLS_SSL_PROTO_TLS1_1) 07397 mbedtls_md5_free( &handshake->fin_md5 ); 07398 mbedtls_sha1_free( &handshake->fin_sha1 ); 07399 #endif 07400 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 07401 #if defined(MBEDTLS_SHA256_C) 07402 mbedtls_sha256_free( &handshake->fin_sha256 ); 07403 #endif 07404 #if defined(MBEDTLS_SHA512_C) 07405 mbedtls_sha512_free( &handshake->fin_sha512 ); 07406 #endif 07407 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 07408 07409 #if defined(MBEDTLS_DHM_C) 07410 mbedtls_dhm_free( &handshake->dhm_ctx ); 07411 #endif 07412 #if defined(MBEDTLS_ECDH_C) 07413 mbedtls_ecdh_free( &handshake->ecdh_ctx ); 07414 #endif 07415 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 07416 mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); 07417 #if defined(MBEDTLS_SSL_CLI_C) 07418 mbedtls_free( handshake->ecjpake_cache ); 07419 handshake->ecjpake_cache = NULL; 07420 handshake->ecjpake_cache_len = 0; 07421 #endif 07422 #endif 07423 07424 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 07425 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 07426 /* explicit void pointer cast for buggy MS compiler */ 07427 mbedtls_free( (void *) handshake->curves ); 07428 #endif 07429 07430 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 07431 if( handshake->psk != NULL ) 07432 { 07433 mbedtls_platform_zeroize( handshake->psk, handshake->psk_len ); 07434 mbedtls_free( handshake->psk ); 07435 } 07436 #endif 07437 07438 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 07439 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 07440 /* 07441 * Free only the linked list wrapper, not the keys themselves 07442 * since the belong to the SNI callback 07443 */ 07444 if( handshake->sni_key_cert != NULL ) 07445 { 07446 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next; 07447 07448 while( cur != NULL ) 07449 { 07450 next = cur->next; 07451 mbedtls_free( cur ); 07452 cur = next; 07453 } 07454 } 07455 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ 07456 07457 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07458 mbedtls_free( handshake->verify_cookie ); 07459 mbedtls_free( handshake->hs_msg ); 07460 ssl_flight_free( handshake->flight ); 07461 #endif 07462 07463 mbedtls_platform_zeroize( handshake, 07464 sizeof( mbedtls_ssl_handshake_params ) ); 07465 } 07466 07467 void mbedtls_ssl_session_free( mbedtls_ssl_session *session ) 07468 { 07469 if( session == NULL ) 07470 return; 07471 07472 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07473 if( session->peer_cert != NULL ) 07474 { 07475 mbedtls_x509_crt_free( session->peer_cert ); 07476 mbedtls_free( session->peer_cert ); 07477 } 07478 #endif 07479 07480 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 07481 mbedtls_free( session->ticket ); 07482 #endif 07483 07484 mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) ); 07485 } 07486 07487 /* 07488 * Free an SSL context 07489 */ 07490 void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) 07491 { 07492 if( ssl == NULL ) 07493 return; 07494 07495 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) ); 07496 07497 if( ssl->out_buf != NULL ) 07498 { 07499 mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN ); 07500 mbedtls_free( ssl->out_buf ); 07501 } 07502 07503 if( ssl->in_buf != NULL ) 07504 { 07505 mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN ); 07506 mbedtls_free( ssl->in_buf ); 07507 } 07508 07509 #if defined(MBEDTLS_ZLIB_SUPPORT) 07510 if( ssl->compress_buf != NULL ) 07511 { 07512 mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN ); 07513 mbedtls_free( ssl->compress_buf ); 07514 } 07515 #endif 07516 07517 if( ssl->transform ) 07518 { 07519 mbedtls_ssl_transform_free( ssl->transform ); 07520 mbedtls_free( ssl->transform ); 07521 } 07522 07523 if( ssl->handshake ) 07524 { 07525 mbedtls_ssl_handshake_free( ssl->handshake ); 07526 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 07527 mbedtls_ssl_session_free( ssl->session_negotiate ); 07528 07529 mbedtls_free( ssl->handshake ); 07530 mbedtls_free( ssl->transform_negotiate ); 07531 mbedtls_free( ssl->session_negotiate ); 07532 } 07533 07534 if( ssl->session ) 07535 { 07536 mbedtls_ssl_session_free( ssl->session ); 07537 mbedtls_free( ssl->session ); 07538 } 07539 07540 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07541 if( ssl->hostname != NULL ) 07542 { 07543 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) ); 07544 mbedtls_free( ssl->hostname ); 07545 } 07546 #endif 07547 07548 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 07549 if( mbedtls_ssl_hw_record_finish != NULL ) 07550 { 07551 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) ); 07552 mbedtls_ssl_hw_record_finish( ssl ); 07553 } 07554 #endif 07555 07556 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07557 mbedtls_free( ssl->cli_id ); 07558 #endif 07559 07560 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) ); 07561 07562 /* Actually clear after last debug message */ 07563 mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) ); 07564 } 07565 07566 /* 07567 * Initialze mbedtls_ssl_config 07568 */ 07569 void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) 07570 { 07571 memset( conf, 0, sizeof( mbedtls_ssl_config ) ); 07572 } 07573 07574 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07575 static int ssl_preset_default_hashes[] = { 07576 #if defined(MBEDTLS_SHA512_C) 07577 MBEDTLS_MD_SHA512, 07578 MBEDTLS_MD_SHA384, 07579 #endif 07580 #if defined(MBEDTLS_SHA256_C) 07581 MBEDTLS_MD_SHA256, 07582 MBEDTLS_MD_SHA224, 07583 #endif 07584 #if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE) 07585 MBEDTLS_MD_SHA1, 07586 #endif 07587 MBEDTLS_MD_NONE 07588 }; 07589 #endif 07590 07591 static int ssl_preset_suiteb_ciphersuites[] = { 07592 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 07593 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 07594 0 07595 }; 07596 07597 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07598 static int ssl_preset_suiteb_hashes[] = { 07599 MBEDTLS_MD_SHA256, 07600 MBEDTLS_MD_SHA384, 07601 MBEDTLS_MD_NONE 07602 }; 07603 #endif 07604 07605 #if defined(MBEDTLS_ECP_C) 07606 static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = { 07607 MBEDTLS_ECP_DP_SECP256R1, 07608 MBEDTLS_ECP_DP_SECP384R1, 07609 MBEDTLS_ECP_DP_NONE 07610 }; 07611 #endif 07612 07613 /* 07614 * Load default in mbedtls_ssl_config 07615 */ 07616 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, 07617 int endpoint, int transport, int preset ) 07618 { 07619 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07620 int ret; 07621 #endif 07622 07623 /* Use the functions here so that they are covered in tests, 07624 * but otherwise access member directly for efficiency */ 07625 mbedtls_ssl_conf_endpoint( conf, endpoint ); 07626 mbedtls_ssl_conf_transport( conf, transport ); 07627 07628 /* 07629 * Things that are common to all presets 07630 */ 07631 #if defined(MBEDTLS_SSL_CLI_C) 07632 if( endpoint == MBEDTLS_SSL_IS_CLIENT ) 07633 { 07634 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; 07635 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 07636 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; 07637 #endif 07638 } 07639 #endif 07640 07641 #if defined(MBEDTLS_ARC4_C) 07642 conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED; 07643 #endif 07644 07645 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 07646 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 07647 #endif 07648 07649 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 07650 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 07651 #endif 07652 07653 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07654 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; 07655 #endif 07656 07657 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07658 conf->f_cookie_write = ssl_cookie_write_dummy; 07659 conf->f_cookie_check = ssl_cookie_check_dummy; 07660 #endif 07661 07662 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 07663 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; 07664 #endif 07665 07666 #if defined(MBEDTLS_SSL_SRV_C) 07667 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED; 07668 #endif 07669 07670 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07671 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; 07672 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; 07673 #endif 07674 07675 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07676 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; 07677 memset( conf->renego_period , 0x00, 2 ); 07678 memset( conf->renego_period + 2, 0xFF, 6 ); 07679 #endif 07680 07681 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07682 if( endpoint == MBEDTLS_SSL_IS_SERVER ) 07683 { 07684 const unsigned char dhm_p[] = 07685 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; 07686 const unsigned char dhm_g[] = 07687 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; 07688 07689 if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf, 07690 dhm_p, sizeof( dhm_p ), 07691 dhm_g, sizeof( dhm_g ) ) ) != 0 ) 07692 { 07693 return( ret ); 07694 } 07695 } 07696 #endif 07697 07698 /* 07699 * Preset-specific defaults 07700 */ 07701 switch( preset ) 07702 { 07703 /* 07704 * NSA Suite B 07705 */ 07706 case MBEDTLS_SSL_PRESET_SUITEB: 07707 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 07708 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */ 07709 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07710 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07711 07712 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07713 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07714 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07715 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07716 ssl_preset_suiteb_ciphersuites; 07717 07718 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07719 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; 07720 #endif 07721 07722 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07723 conf->sig_hashes = ssl_preset_suiteb_hashes; 07724 #endif 07725 07726 #if defined(MBEDTLS_ECP_C) 07727 conf->curve_list = ssl_preset_suiteb_curves; 07728 #endif 07729 break; 07730 07731 /* 07732 * Default 07733 */ 07734 default: 07735 conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION > 07736 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ? 07737 MBEDTLS_SSL_MIN_MAJOR_VERSION : 07738 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION; 07739 conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION > 07740 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ? 07741 MBEDTLS_SSL_MIN_MINOR_VERSION : 07742 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION; 07743 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07744 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07745 07746 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07747 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07748 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; 07749 #endif 07750 07751 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07752 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07753 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07754 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07755 mbedtls_ssl_list_ciphersuites(); 07756 07757 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07758 conf->cert_profile = &mbedtls_x509_crt_profile_default; 07759 #endif 07760 07761 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07762 conf->sig_hashes = ssl_preset_default_hashes; 07763 #endif 07764 07765 #if defined(MBEDTLS_ECP_C) 07766 conf->curve_list = mbedtls_ecp_grp_id_list(); 07767 #endif 07768 07769 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 07770 conf->dhm_min_bitlen = 1024; 07771 #endif 07772 } 07773 07774 return( 0 ); 07775 } 07776 07777 /* 07778 * Free mbedtls_ssl_config 07779 */ 07780 void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) 07781 { 07782 #if defined(MBEDTLS_DHM_C) 07783 mbedtls_mpi_free( &conf->dhm_P ); 07784 mbedtls_mpi_free( &conf->dhm_G ); 07785 #endif 07786 07787 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 07788 if( conf->psk != NULL ) 07789 { 07790 mbedtls_platform_zeroize( conf->psk , conf->psk_len ); 07791 mbedtls_free( conf->psk ); 07792 conf->psk = NULL; 07793 conf->psk_len = 0; 07794 } 07795 07796 if( conf->psk_identity != NULL ) 07797 { 07798 mbedtls_platform_zeroize( conf->psk_identity , conf->psk_identity_len ); 07799 mbedtls_free( conf->psk_identity ); 07800 conf->psk_identity = NULL; 07801 conf->psk_identity_len = 0; 07802 } 07803 #endif 07804 07805 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07806 ssl_key_cert_free( conf->key_cert ); 07807 #endif 07808 07809 mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) ); 07810 } 07811 07812 #if defined(MBEDTLS_PK_C) && \ 07813 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) ) 07814 /* 07815 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX 07816 */ 07817 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk ) 07818 { 07819 #if defined(MBEDTLS_RSA_C) 07820 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) ) 07821 return( MBEDTLS_SSL_SIG_RSA ); 07822 #endif 07823 #if defined(MBEDTLS_ECDSA_C) 07824 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) ) 07825 return( MBEDTLS_SSL_SIG_ECDSA ); 07826 #endif 07827 return( MBEDTLS_SSL_SIG_ANON ); 07828 } 07829 07830 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type ) 07831 { 07832 switch( type ) { 07833 case MBEDTLS_PK_RSA: 07834 return( MBEDTLS_SSL_SIG_RSA ); 07835 case MBEDTLS_PK_ECDSA: 07836 case MBEDTLS_PK_ECKEY: 07837 return( MBEDTLS_SSL_SIG_ECDSA ); 07838 default: 07839 return( MBEDTLS_SSL_SIG_ANON ); 07840 } 07841 } 07842 07843 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig ) 07844 { 07845 switch( sig ) 07846 { 07847 #if defined(MBEDTLS_RSA_C) 07848 case MBEDTLS_SSL_SIG_RSA: 07849 return( MBEDTLS_PK_RSA ); 07850 #endif 07851 #if defined(MBEDTLS_ECDSA_C) 07852 case MBEDTLS_SSL_SIG_ECDSA: 07853 return( MBEDTLS_PK_ECDSA ); 07854 #endif 07855 default: 07856 return( MBEDTLS_PK_NONE ); 07857 } 07858 } 07859 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */ 07860 07861 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 07862 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07863 07864 /* Find an entry in a signature-hash set matching a given hash algorithm. */ 07865 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set, 07866 mbedtls_pk_type_t sig_alg ) 07867 { 07868 switch( sig_alg ) 07869 { 07870 case MBEDTLS_PK_RSA: 07871 return( set->rsa ); 07872 case MBEDTLS_PK_ECDSA: 07873 return( set->ecdsa ); 07874 default: 07875 return( MBEDTLS_MD_NONE ); 07876 } 07877 } 07878 07879 /* Add a signature-hash-pair to a signature-hash set */ 07880 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set, 07881 mbedtls_pk_type_t sig_alg, 07882 mbedtls_md_type_t md_alg ) 07883 { 07884 switch( sig_alg ) 07885 { 07886 case MBEDTLS_PK_RSA: 07887 if( set->rsa == MBEDTLS_MD_NONE ) 07888 set->rsa = md_alg; 07889 break; 07890 07891 case MBEDTLS_PK_ECDSA: 07892 if( set->ecdsa == MBEDTLS_MD_NONE ) 07893 set->ecdsa = md_alg; 07894 break; 07895 07896 default: 07897 break; 07898 } 07899 } 07900 07901 /* Allow exactly one hash algorithm for each signature. */ 07902 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set, 07903 mbedtls_md_type_t md_alg ) 07904 { 07905 set->rsa = md_alg; 07906 set->ecdsa = md_alg; 07907 } 07908 07909 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) && 07910 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 07911 07912 /* 07913 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX 07914 */ 07915 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ) 07916 { 07917 switch( hash ) 07918 { 07919 #if defined(MBEDTLS_MD5_C) 07920 case MBEDTLS_SSL_HASH_MD5: 07921 return( MBEDTLS_MD_MD5 ); 07922 #endif 07923 #if defined(MBEDTLS_SHA1_C) 07924 case MBEDTLS_SSL_HASH_SHA1: 07925 return( MBEDTLS_MD_SHA1 ); 07926 #endif 07927 #if defined(MBEDTLS_SHA256_C) 07928 case MBEDTLS_SSL_HASH_SHA224: 07929 return( MBEDTLS_MD_SHA224 ); 07930 case MBEDTLS_SSL_HASH_SHA256: 07931 return( MBEDTLS_MD_SHA256 ); 07932 #endif 07933 #if defined(MBEDTLS_SHA512_C) 07934 case MBEDTLS_SSL_HASH_SHA384: 07935 return( MBEDTLS_MD_SHA384 ); 07936 case MBEDTLS_SSL_HASH_SHA512: 07937 return( MBEDTLS_MD_SHA512 ); 07938 #endif 07939 default: 07940 return( MBEDTLS_MD_NONE ); 07941 } 07942 } 07943 07944 /* 07945 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX 07946 */ 07947 unsigned char mbedtls_ssl_hash_from_md_alg( int md ) 07948 { 07949 switch( md ) 07950 { 07951 #if defined(MBEDTLS_MD5_C) 07952 case MBEDTLS_MD_MD5: 07953 return( MBEDTLS_SSL_HASH_MD5 ); 07954 #endif 07955 #if defined(MBEDTLS_SHA1_C) 07956 case MBEDTLS_MD_SHA1: 07957 return( MBEDTLS_SSL_HASH_SHA1 ); 07958 #endif 07959 #if defined(MBEDTLS_SHA256_C) 07960 case MBEDTLS_MD_SHA224: 07961 return( MBEDTLS_SSL_HASH_SHA224 ); 07962 case MBEDTLS_MD_SHA256: 07963 return( MBEDTLS_SSL_HASH_SHA256 ); 07964 #endif 07965 #if defined(MBEDTLS_SHA512_C) 07966 case MBEDTLS_MD_SHA384: 07967 return( MBEDTLS_SSL_HASH_SHA384 ); 07968 case MBEDTLS_MD_SHA512: 07969 return( MBEDTLS_SSL_HASH_SHA512 ); 07970 #endif 07971 default: 07972 return( MBEDTLS_SSL_HASH_NONE ); 07973 } 07974 } 07975 07976 #if defined(MBEDTLS_ECP_C) 07977 /* 07978 * Check if a curve proposed by the peer is in our list. 07979 * Return 0 if we're willing to use it, -1 otherwise. 07980 */ 07981 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) 07982 { 07983 const mbedtls_ecp_group_id *gid; 07984 07985 if( ssl->conf->curve_list == NULL ) 07986 return( -1 ); 07987 07988 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 07989 if( *gid == grp_id ) 07990 return( 0 ); 07991 07992 return( -1 ); 07993 } 07994 #endif /* MBEDTLS_ECP_C */ 07995 07996 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07997 /* 07998 * Check if a hash proposed by the peer is in our list. 07999 * Return 0 if we're willing to use it, -1 otherwise. 08000 */ 08001 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, 08002 mbedtls_md_type_t md ) 08003 { 08004 const int *cur; 08005 08006 if( ssl->conf->sig_hashes == NULL ) 08007 return( -1 ); 08008 08009 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) 08010 if( *cur == (int) md ) 08011 return( 0 ); 08012 08013 return( -1 ); 08014 } 08015 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 08016 08017 #if defined(MBEDTLS_X509_CRT_PARSE_C) 08018 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, 08019 const mbedtls_ssl_ciphersuite_t *ciphersuite, 08020 int cert_endpoint, 08021 uint32_t *flags ) 08022 { 08023 int ret = 0; 08024 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 08025 int usage = 0; 08026 #endif 08027 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 08028 const char *ext_oid; 08029 size_t ext_len; 08030 #endif 08031 08032 #if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \ 08033 !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 08034 ((void) cert); 08035 ((void) cert_endpoint); 08036 ((void) flags); 08037 #endif 08038 08039 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 08040 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 08041 { 08042 /* Server part of the key exchange */ 08043 switch( ciphersuite->key_exchange ) 08044 { 08045 case MBEDTLS_KEY_EXCHANGE_RSA: 08046 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 08047 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 08048 break; 08049 08050 case MBEDTLS_KEY_EXCHANGE_DHE_RSA: 08051 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: 08052 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: 08053 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 08054 break; 08055 08056 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: 08057 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: 08058 usage = MBEDTLS_X509_KU_KEY_AGREEMENT; 08059 break; 08060 08061 /* Don't use default: we want warnings when adding new values */ 08062 case MBEDTLS_KEY_EXCHANGE_NONE: 08063 case MBEDTLS_KEY_EXCHANGE_PSK: 08064 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 08065 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 08066 case MBEDTLS_KEY_EXCHANGE_ECJPAKE: 08067 usage = 0; 08068 } 08069 } 08070 else 08071 { 08072 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */ 08073 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 08074 } 08075 08076 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 ) 08077 { 08078 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; 08079 ret = -1; 08080 } 08081 #else 08082 ((void) ciphersuite); 08083 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE */ 08084 08085 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 08086 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 08087 { 08088 ext_oid = MBEDTLS_OID_SERVER_AUTH; 08089 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ); 08090 } 08091 else 08092 { 08093 ext_oid = MBEDTLS_OID_CLIENT_AUTH; 08094 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH ); 08095 } 08096 08097 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 ) 08098 { 08099 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; 08100 ret = -1; 08101 } 08102 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ 08103 08104 return( ret ); 08105 } 08106 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 08107 08108 /* 08109 * Convert version numbers to/from wire format 08110 * and, for DTLS, to/from TLS equivalent. 08111 * 08112 * For TLS this is the identity. 08113 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows: 08114 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1) 08115 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2) 08116 */ 08117 void mbedtls_ssl_write_version( int major, int minor, int transport, 08118 unsigned char ver[2] ) 08119 { 08120 #if defined(MBEDTLS_SSL_PROTO_DTLS) 08121 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 08122 { 08123 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 ) 08124 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 08125 08126 ver[0] = (unsigned char)( 255 - ( major - 2 ) ); 08127 ver[1] = (unsigned char)( 255 - ( minor - 1 ) ); 08128 } 08129 else 08130 #else 08131 ((void) transport); 08132 #endif 08133 { 08134 ver[0] = (unsigned char) major; 08135 ver[1] = (unsigned char) minor; 08136 } 08137 } 08138 08139 void mbedtls_ssl_read_version( int *major, int *minor, int transport, 08140 const unsigned char ver[2] ) 08141 { 08142 #if defined(MBEDTLS_SSL_PROTO_DTLS) 08143 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 08144 { 08145 *major = 255 - ver[0] + 2; 08146 *minor = 255 - ver[1] + 1; 08147 08148 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 ) 08149 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 08150 } 08151 else 08152 #else 08153 ((void) transport); 08154 #endif 08155 { 08156 *major = ver[0]; 08157 *minor = ver[1]; 08158 } 08159 } 08160 08161 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) 08162 { 08163 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 08164 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 08165 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 08166 08167 switch( md ) 08168 { 08169 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 08170 #if defined(MBEDTLS_MD5_C) 08171 case MBEDTLS_SSL_HASH_MD5: 08172 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 08173 #endif 08174 #if defined(MBEDTLS_SHA1_C) 08175 case MBEDTLS_SSL_HASH_SHA1: 08176 ssl->handshake->calc_verify = ssl_calc_verify_tls; 08177 break; 08178 #endif 08179 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 08180 #if defined(MBEDTLS_SHA512_C) 08181 case MBEDTLS_SSL_HASH_SHA384: 08182 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; 08183 break; 08184 #endif 08185 #if defined(MBEDTLS_SHA256_C) 08186 case MBEDTLS_SSL_HASH_SHA256: 08187 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256; 08188 break; 08189 #endif 08190 default: 08191 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 08192 } 08193 08194 return 0; 08195 #else /* !MBEDTLS_SSL_PROTO_TLS1_2 */ 08196 (void) ssl; 08197 (void) md; 08198 08199 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 08200 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 08201 } 08202 08203 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 08204 defined(MBEDTLS_SSL_PROTO_TLS1_1) 08205 int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, 08206 unsigned char *output, 08207 unsigned char *data, size_t data_len ) 08208 { 08209 int ret = 0; 08210 mbedtls_md5_context mbedtls_md5; 08211 mbedtls_sha1_context mbedtls_sha1; 08212 08213 mbedtls_md5_init( &mbedtls_md5 ); 08214 mbedtls_sha1_init( &mbedtls_sha1 ); 08215 08216 /* 08217 * digitally-signed struct { 08218 * opaque md5_hash[16]; 08219 * opaque sha_hash[20]; 08220 * }; 08221 * 08222 * md5_hash 08223 * MD5(ClientHello.random + ServerHello.random 08224 * + ServerParams); 08225 * sha_hash 08226 * SHA(ClientHello.random + ServerHello.random 08227 * + ServerParams); 08228 */ 08229 if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 ) 08230 { 08231 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret ); 08232 goto exit; 08233 } 08234 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, 08235 ssl->handshake->randbytes, 64 ) ) != 0 ) 08236 { 08237 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret ); 08238 goto exit; 08239 } 08240 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 ) 08241 { 08242 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret ); 08243 goto exit; 08244 } 08245 if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 ) 08246 { 08247 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret ); 08248 goto exit; 08249 } 08250 08251 if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 ) 08252 { 08253 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret ); 08254 goto exit; 08255 } 08256 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, 08257 ssl->handshake->randbytes, 64 ) ) != 0 ) 08258 { 08259 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret ); 08260 goto exit; 08261 } 08262 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data, 08263 data_len ) ) != 0 ) 08264 { 08265 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret ); 08266 goto exit; 08267 } 08268 if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1, 08269 output + 16 ) ) != 0 ) 08270 { 08271 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret ); 08272 goto exit; 08273 } 08274 08275 exit: 08276 mbedtls_md5_free( &mbedtls_md5 ); 08277 mbedtls_sha1_free( &mbedtls_sha1 ); 08278 08279 if( ret != 0 ) 08280 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 08281 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 08282 08283 return( ret ); 08284 08285 } 08286 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 08287 MBEDTLS_SSL_PROTO_TLS1_1 */ 08288 08289 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 08290 defined(MBEDTLS_SSL_PROTO_TLS1_2) 08291 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, 08292 unsigned char *output, 08293 unsigned char *data, size_t data_len, 08294 mbedtls_md_type_t md_alg ) 08295 { 08296 int ret = 0; 08297 mbedtls_md_context_t ctx; 08298 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 08299 08300 mbedtls_md_init( &ctx ); 08301 08302 /* 08303 * digitally-signed struct { 08304 * opaque client_random[32]; 08305 * opaque server_random[32]; 08306 * ServerDHParams params; 08307 * }; 08308 */ 08309 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 ) 08310 { 08311 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 08312 goto exit; 08313 } 08314 if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 ) 08315 { 08316 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret ); 08317 goto exit; 08318 } 08319 if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 ) 08320 { 08321 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret ); 08322 goto exit; 08323 } 08324 if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 ) 08325 { 08326 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret ); 08327 goto exit; 08328 } 08329 if( ( ret = mbedtls_md_finish( &ctx, output ) ) != 0 ) 08330 { 08331 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret ); 08332 goto exit; 08333 } 08334 08335 exit: 08336 mbedtls_md_free( &ctx ); 08337 08338 if( ret != 0 ) 08339 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 08340 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 08341 08342 return( ret ); 08343 } 08344 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 08345 MBEDTLS_SSL_PROTO_TLS1_2 */ 08346 08347 #endif /* MBEDTLS_SSL_TLS_C */
Generated on Tue Jul 12 2022 12:45:49 by
