Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependencies: MAX44000 PWM_Tone_Library nexpaq_mdk
Fork of LED_Demo by
ssl_srv.c
00001 /* 00002 * SSLv3/TLSv1 server-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_SRV_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #define mbedtls_time time 00037 #define mbedtls_time_t time_t 00038 #endif 00039 00040 #include "mbedtls/debug.h" 00041 #include "mbedtls/ssl.h" 00042 #include "mbedtls/ssl_internal.h" 00043 00044 #include <string.h> 00045 00046 #if defined(MBEDTLS_ECP_C) 00047 #include "mbedtls/ecp.h" 00048 #endif 00049 00050 #if defined(MBEDTLS_HAVE_TIME) 00051 #include <time.h> 00052 #endif 00053 00054 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00055 /* Implementation that should never be optimized out by the compiler */ 00056 static void mbedtls_zeroize( void *v, size_t n ) { 00057 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00058 } 00059 #endif 00060 00061 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 00062 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, 00063 const unsigned char *info, 00064 size_t ilen ) 00065 { 00066 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) 00067 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00068 00069 mbedtls_free( ssl->cli_id ); 00070 00071 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL ) 00072 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00073 00074 memcpy( ssl->cli_id, info, ilen ); 00075 ssl->cli_id_len = ilen; 00076 00077 return( 0 ); 00078 } 00079 00080 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf, 00081 mbedtls_ssl_cookie_write_t *f_cookie_write, 00082 mbedtls_ssl_cookie_check_t *f_cookie_check, 00083 void *p_cookie ) 00084 { 00085 conf->f_cookie_write = f_cookie_write; 00086 conf->f_cookie_check = f_cookie_check; 00087 conf->p_cookie = p_cookie; 00088 } 00089 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 00090 00091 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00092 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, 00093 const unsigned char *buf, 00094 size_t len ) 00095 { 00096 int ret; 00097 size_t servername_list_size, hostname_len; 00098 const unsigned char *p; 00099 00100 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); 00101 00102 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00103 if( servername_list_size + 2 != len ) 00104 { 00105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00106 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00107 } 00108 00109 p = buf + 2; 00110 while( servername_list_size > 0 ) 00111 { 00112 hostname_len = ( ( p[1] << 8 ) | p[2] ); 00113 if( hostname_len + 3 > servername_list_size ) 00114 { 00115 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00116 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00117 } 00118 00119 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) 00120 { 00121 ret = ssl->conf->f_sni( ssl->conf->p_sni, 00122 ssl, p + 3, hostname_len ); 00123 if( ret != 0 ) 00124 { 00125 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); 00126 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00127 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); 00128 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00129 } 00130 return( 0 ); 00131 } 00132 00133 servername_list_size -= hostname_len + 3; 00134 p += hostname_len + 3; 00135 } 00136 00137 if( servername_list_size != 0 ) 00138 { 00139 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00140 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00141 } 00142 00143 return( 0 ); 00144 } 00145 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00146 00147 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 00148 const unsigned char *buf, 00149 size_t len ) 00150 { 00151 int ret; 00152 00153 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00154 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00155 { 00156 /* Check verify-data in constant-time. The length OTOH is no secret */ 00157 if( len != 1 + ssl->verify_data_len || 00158 buf[0] != ssl->verify_data_len || 00159 mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data, 00160 ssl->verify_data_len ) != 0 ) 00161 { 00162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 00163 00164 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00165 return( ret ); 00166 00167 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00168 } 00169 } 00170 else 00171 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00172 { 00173 if( len != 1 || buf[0] != 0x0 ) 00174 { 00175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 00176 00177 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00178 return( ret ); 00179 00180 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00181 } 00182 00183 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 00184 } 00185 00186 return( 0 ); 00187 } 00188 00189 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00190 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00191 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00192 const unsigned char *buf, 00193 size_t len ) 00194 { 00195 size_t sig_alg_list_size; 00196 const unsigned char *p; 00197 const unsigned char *end = buf + len; 00198 const int *md_cur; 00199 00200 00201 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00202 if( sig_alg_list_size + 2 != len || 00203 sig_alg_list_size % 2 != 0 ) 00204 { 00205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00206 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00207 } 00208 00209 /* 00210 * For now, ignore the SignatureAlgorithm part and rely on offered 00211 * ciphersuites only for that part. To be fixed later. 00212 * 00213 * So, just look at the HashAlgorithm part. 00214 */ 00215 for( md_cur = ssl->conf->sig_hashes; *md_cur != MBEDTLS_MD_NONE; md_cur++ ) { 00216 for( p = buf + 2; p < end; p += 2 ) { 00217 if( *md_cur == (int) mbedtls_ssl_md_alg_from_hash( p[0] ) ) { 00218 ssl->handshake->sig_alg = p[0]; 00219 goto have_sig_alg; 00220 } 00221 } 00222 } 00223 00224 /* Some key echanges do not need signatures at all */ 00225 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) ); 00226 return( 0 ); 00227 00228 have_sig_alg: 00229 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", 00230 ssl->handshake->sig_alg ) ); 00231 00232 return( 0 ); 00233 } 00234 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00235 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00236 00237 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00238 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00239 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, 00240 const unsigned char *buf, 00241 size_t len ) 00242 { 00243 size_t list_size, our_size; 00244 const unsigned char *p; 00245 const mbedtls_ecp_curve_info *curve_info, **curves; 00246 00247 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00248 if( list_size + 2 != len || 00249 list_size % 2 != 0 ) 00250 { 00251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00252 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00253 } 00254 00255 /* Should never happen unless client duplicates the extension */ 00256 if( ssl->handshake->curves != NULL ) 00257 { 00258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00259 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00260 } 00261 00262 /* Don't allow our peer to make us allocate too much memory, 00263 * and leave room for a final 0 */ 00264 our_size = list_size / 2 + 1; 00265 if( our_size > MBEDTLS_ECP_DP_MAX ) 00266 our_size = MBEDTLS_ECP_DP_MAX; 00267 00268 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL ) 00269 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00270 00271 ssl->handshake->curves = curves; 00272 00273 p = buf + 2; 00274 while( list_size > 0 && our_size > 1 ) 00275 { 00276 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); 00277 00278 if( curve_info != NULL ) 00279 { 00280 *curves++ = curve_info; 00281 our_size--; 00282 } 00283 00284 list_size -= 2; 00285 p += 2; 00286 } 00287 00288 return( 0 ); 00289 } 00290 00291 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, 00292 const unsigned char *buf, 00293 size_t len ) 00294 { 00295 size_t list_size; 00296 const unsigned char *p; 00297 00298 list_size = buf[0]; 00299 if( list_size + 1 != len ) 00300 { 00301 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00302 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00303 } 00304 00305 p = buf + 1; 00306 while( list_size > 0 ) 00307 { 00308 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 00309 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 00310 { 00311 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00312 ssl->handshake->ecdh_ctx.point_format = p[0]; 00313 #endif 00314 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00315 ssl->handshake->ecjpake_ctx.point_format = p[0]; 00316 #endif 00317 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 00318 return( 0 ); 00319 } 00320 00321 list_size--; 00322 p++; 00323 } 00324 00325 return( 0 ); 00326 } 00327 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00328 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00329 00330 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00331 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 00332 const unsigned char *buf, 00333 size_t len ) 00334 { 00335 int ret; 00336 00337 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00338 { 00339 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 00340 return( 0 ); 00341 } 00342 00343 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 00344 buf, len ) ) != 0 ) 00345 { 00346 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 00347 return( ret ); 00348 } 00349 00350 /* Only mark the extension as OK when we're sure it is */ 00351 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; 00352 00353 return( 0 ); 00354 } 00355 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00356 00357 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00358 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00359 const unsigned char *buf, 00360 size_t len ) 00361 { 00362 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ) 00363 { 00364 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00365 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00366 } 00367 00368 ssl->session_negotiate->mfl_code = buf[0]; 00369 00370 return( 0 ); 00371 } 00372 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00373 00374 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00375 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00376 const unsigned char *buf, 00377 size_t len ) 00378 { 00379 if( len != 0 ) 00380 { 00381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00382 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00383 } 00384 00385 ((void) buf); 00386 00387 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00388 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 00389 00390 return( 0 ); 00391 } 00392 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00393 00394 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00395 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00396 const unsigned char *buf, 00397 size_t len ) 00398 { 00399 if( len != 0 ) 00400 { 00401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00402 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00403 } 00404 00405 ((void) buf); 00406 00407 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && 00408 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00409 { 00410 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 00411 } 00412 00413 return( 0 ); 00414 } 00415 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00416 00417 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00418 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 00419 const unsigned char *buf, 00420 size_t len ) 00421 { 00422 if( len != 0 ) 00423 { 00424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00425 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00426 } 00427 00428 ((void) buf); 00429 00430 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && 00431 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00432 { 00433 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 00434 } 00435 00436 return( 0 ); 00437 } 00438 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00439 00440 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00441 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 00442 unsigned char *buf, 00443 size_t len ) 00444 { 00445 int ret; 00446 mbedtls_ssl_session session; 00447 00448 mbedtls_ssl_session_init( &session ); 00449 00450 if( ssl->conf->f_ticket_parse == NULL || 00451 ssl->conf->f_ticket_write == NULL ) 00452 { 00453 return( 0 ); 00454 } 00455 00456 /* Remember the client asked us to send a new ticket */ 00457 ssl->handshake->new_session_ticket = 1; 00458 00459 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); 00460 00461 if( len == 0 ) 00462 return( 0 ); 00463 00464 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00465 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00466 { 00467 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); 00468 return( 0 ); 00469 } 00470 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00471 00472 /* 00473 * Failures are ok: just ignore the ticket and proceed. 00474 */ 00475 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session, 00476 buf, len ) ) != 0 ) 00477 { 00478 mbedtls_ssl_session_free( &session ); 00479 00480 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 00481 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); 00482 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) 00483 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); 00484 else 00485 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); 00486 00487 return( 0 ); 00488 } 00489 00490 /* 00491 * Keep the session ID sent by the client, since we MUST send it back to 00492 * inform them we're accepting the ticket (RFC 5077 section 3.4) 00493 */ 00494 session.id_len = ssl->session_negotiate->id_len; 00495 memcpy( &session.id, ssl->session_negotiate->id, session.id_len ); 00496 00497 mbedtls_ssl_session_free( ssl->session_negotiate ); 00498 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) ); 00499 00500 /* Zeroize instead of free as we copied the content */ 00501 mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) ); 00502 00503 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); 00504 00505 ssl->handshake->resume = 1; 00506 00507 /* Don't send a new ticket after all, this one is OK */ 00508 ssl->handshake->new_session_ticket = 0; 00509 00510 return( 0 ); 00511 } 00512 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00513 00514 #if defined(MBEDTLS_SSL_ALPN) 00515 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 00516 const unsigned char *buf, size_t len ) 00517 { 00518 size_t list_len, cur_len, ours_len; 00519 const unsigned char *theirs, *start, *end; 00520 const char **ours; 00521 00522 /* If ALPN not configured, just ignore the extension */ 00523 if( ssl->conf->alpn_list == NULL ) 00524 return( 0 ); 00525 00526 /* 00527 * opaque ProtocolName<1..2^8-1>; 00528 * 00529 * struct { 00530 * ProtocolName protocol_name_list<2..2^16-1> 00531 * } ProtocolNameList; 00532 */ 00533 00534 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 00535 if( len < 4 ) 00536 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00537 00538 list_len = ( buf[0] << 8 ) | buf[1]; 00539 if( list_len != len - 2 ) 00540 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00541 00542 /* 00543 * Use our order of preference 00544 */ 00545 start = buf + 2; 00546 end = buf + len; 00547 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) 00548 { 00549 ours_len = strlen( *ours ); 00550 for( theirs = start; theirs != end; theirs += cur_len ) 00551 { 00552 /* If the list is well formed, we should get equality first */ 00553 if( theirs > end ) 00554 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00555 00556 cur_len = *theirs++; 00557 00558 /* Empty strings MUST NOT be included */ 00559 if( cur_len == 0 ) 00560 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00561 00562 if( cur_len == ours_len && 00563 memcmp( theirs, *ours, cur_len ) == 0 ) 00564 { 00565 ssl->alpn_chosen = *ours; 00566 return( 0 ); 00567 } 00568 } 00569 } 00570 00571 /* If we get there, no match was found */ 00572 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00573 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); 00574 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00575 } 00576 #endif /* MBEDTLS_SSL_ALPN */ 00577 00578 /* 00579 * Auxiliary functions for ServerHello parsing and related actions 00580 */ 00581 00582 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00583 /* 00584 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise 00585 */ 00586 #if defined(MBEDTLS_ECDSA_C) 00587 static int ssl_check_key_curve( mbedtls_pk_context *pk, 00588 const mbedtls_ecp_curve_info **curves ) 00589 { 00590 const mbedtls_ecp_curve_info **crv = curves; 00591 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp .id ; 00592 00593 while( *crv != NULL ) 00594 { 00595 if( (*crv)->grp_id == grp_id ) 00596 return( 0 ); 00597 crv++; 00598 } 00599 00600 return( -1 ); 00601 } 00602 #endif /* MBEDTLS_ECDSA_C */ 00603 00604 /* 00605 * Try picking a certificate for this ciphersuite, 00606 * return 0 on success and -1 on failure. 00607 */ 00608 static int ssl_pick_cert( mbedtls_ssl_context *ssl, 00609 const mbedtls_ssl_ciphersuite_t * ciphersuite_info ) 00610 { 00611 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; 00612 mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 00613 uint32_t flags; 00614 00615 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00616 if( ssl->handshake->sni_key_cert != NULL ) 00617 list = ssl->handshake->sni_key_cert; 00618 else 00619 #endif 00620 list = ssl->conf->key_cert; 00621 00622 if( pk_alg == MBEDTLS_PK_NONE ) 00623 return( 0 ); 00624 00625 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); 00626 00627 if( list == NULL ) 00628 { 00629 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) ); 00630 return( -1 ); 00631 } 00632 00633 for( cur = list; cur != NULL; cur = cur->next ) 00634 { 00635 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", 00636 cur->cert ); 00637 00638 if( ! mbedtls_pk_can_do( cur->key, pk_alg ) ) 00639 { 00640 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); 00641 continue; 00642 } 00643 00644 /* 00645 * This avoids sending the client a cert it'll reject based on 00646 * keyUsage or other extensions. 00647 * 00648 * It also allows the user to provision different certificates for 00649 * different uses based on keyUsage, eg if they want to avoid signing 00650 * and decrypting with the same RSA key. 00651 */ 00652 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info, 00653 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 ) 00654 { 00655 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: " 00656 "(extended) key usage extension" ) ); 00657 continue; 00658 } 00659 00660 #if defined(MBEDTLS_ECDSA_C) 00661 if( pk_alg == MBEDTLS_PK_ECDSA && 00662 ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 ) 00663 { 00664 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); 00665 continue; 00666 } 00667 #endif 00668 00669 /* 00670 * Try to select a SHA-1 certificate for pre-1.2 clients, but still 00671 * present them a SHA-higher cert rather than failing if it's the only 00672 * one we got that satisfies the other conditions. 00673 */ 00674 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 && 00675 cur->cert->sig_md != MBEDTLS_MD_SHA1 ) 00676 { 00677 if( fallback == NULL ) 00678 fallback = cur; 00679 { 00680 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: " 00681 "sha-2 with pre-TLS 1.2 client" ) ); 00682 continue; 00683 } 00684 } 00685 00686 /* If we get there, we got a winner */ 00687 break; 00688 } 00689 00690 if( cur == NULL ) 00691 cur = fallback; 00692 00693 /* Do not update ssl->handshake->key_cert unless there is a match */ 00694 if( cur != NULL ) 00695 { 00696 ssl->handshake->key_cert = cur; 00697 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate", 00698 ssl->handshake->key_cert->cert ); 00699 return( 0 ); 00700 } 00701 00702 return( -1 ); 00703 } 00704 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00705 00706 /* 00707 * Check if a given ciphersuite is suitable for use with our config/keys/etc 00708 * Sets ciphersuite_info only if the suite matches. 00709 */ 00710 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, 00711 const mbedtls_ssl_ciphersuite_t **ciphersuite_info ) 00712 { 00713 const mbedtls_ssl_ciphersuite_t *suite_info; 00714 00715 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id ); 00716 if( suite_info == NULL ) 00717 { 00718 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00719 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00720 } 00721 00722 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); 00723 00724 if( suite_info->min_minor_ver > ssl->minor_ver || 00725 suite_info->max_minor_ver < ssl->minor_ver ) 00726 { 00727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); 00728 return( 0 ); 00729 } 00730 00731 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00732 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00733 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00734 return( 0 ); 00735 #endif 00736 00737 #if defined(MBEDTLS_ARC4_C) 00738 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00739 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00740 { 00741 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); 00742 return( 0 ); 00743 } 00744 #endif 00745 00746 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00747 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00748 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 ) 00749 { 00750 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake " 00751 "not configured or ext missing" ) ); 00752 return( 0 ); 00753 } 00754 #endif 00755 00756 00757 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00758 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && 00759 ( ssl->handshake->curves == NULL || 00760 ssl->handshake->curves[0] == NULL ) ) 00761 { 00762 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00763 "no common elliptic curve" ) ); 00764 return( 0 ); 00765 } 00766 #endif 00767 00768 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 00769 /* If the ciphersuite requires a pre-shared key and we don't 00770 * have one, skip it now rather than failing later */ 00771 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && 00772 ssl->conf->f_psk == NULL && 00773 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || 00774 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) 00775 { 00776 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); 00777 return( 0 ); 00778 } 00779 #endif 00780 00781 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00782 /* 00783 * Final check: if ciphersuite requires us to have a 00784 * certificate/key of a particular type: 00785 * - select the appropriate certificate if we have one, or 00786 * - try the next ciphersuite if we don't 00787 * This must be done last since we modify the key_cert list. 00788 */ 00789 if( ssl_pick_cert( ssl, suite_info ) != 0 ) 00790 { 00791 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00792 "no suitable certificate" ) ); 00793 return( 0 ); 00794 } 00795 #endif 00796 00797 *ciphersuite_info = suite_info; 00798 return( 0 ); 00799 } 00800 00801 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 00802 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) 00803 { 00804 int ret, got_common_suite; 00805 unsigned int i, j; 00806 size_t n; 00807 unsigned int ciph_len, sess_len, chal_len; 00808 unsigned char *buf, *p; 00809 const int *ciphersuites; 00810 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00811 00812 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); 00813 00814 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00815 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00816 { 00817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); 00818 00819 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00820 return( ret ); 00821 00822 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00823 } 00824 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00825 00826 buf = ssl->in_hdr; 00827 00828 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 00829 00830 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", 00831 buf[2] ) ); 00832 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", 00833 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); 00834 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", 00835 buf[3], buf[4] ) ); 00836 00837 /* 00838 * SSLv2 Client Hello 00839 * 00840 * Record layer: 00841 * 0 . 1 message length 00842 * 00843 * SSL layer: 00844 * 2 . 2 message type 00845 * 3 . 4 protocol version 00846 */ 00847 if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO || 00848 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 ) 00849 { 00850 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00851 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00852 } 00853 00854 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; 00855 00856 if( n < 17 || n > 512 ) 00857 { 00858 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00859 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00860 } 00861 00862 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 00863 ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver ) 00864 ? buf[4] : ssl->conf->max_minor_ver; 00865 00866 if( ssl->minor_ver < ssl->conf->min_minor_ver ) 00867 { 00868 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 00869 " [%d:%d] < [%d:%d]", 00870 ssl->major_ver, ssl->minor_ver, 00871 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 00872 00873 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00874 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 00875 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 00876 } 00877 00878 ssl->handshake->max_major_ver = buf[3]; 00879 ssl->handshake->max_minor_ver = buf[4]; 00880 00881 if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 ) 00882 { 00883 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 00884 return( ret ); 00885 } 00886 00887 ssl->handshake->update_checksum( ssl, buf + 2, n ); 00888 00889 buf = ssl->in_msg; 00890 n = ssl->in_left - 5; 00891 00892 /* 00893 * 0 . 1 ciphersuitelist length 00894 * 2 . 3 session id length 00895 * 4 . 5 challenge length 00896 * 6 . .. ciphersuitelist 00897 * .. . .. session id 00898 * .. . .. challenge 00899 */ 00900 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n ); 00901 00902 ciph_len = ( buf[0] << 8 ) | buf[1]; 00903 sess_len = ( buf[2] << 8 ) | buf[3]; 00904 chal_len = ( buf[4] << 8 ) | buf[5]; 00905 00906 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", 00907 ciph_len, sess_len, chal_len ) ); 00908 00909 /* 00910 * Make sure each parameter length is valid 00911 */ 00912 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) 00913 { 00914 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00915 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00916 } 00917 00918 if( sess_len > 32 ) 00919 { 00920 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00921 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00922 } 00923 00924 if( chal_len < 8 || chal_len > 32 ) 00925 { 00926 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00927 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00928 } 00929 00930 if( n != 6 + ciph_len + sess_len + chal_len ) 00931 { 00932 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00933 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00934 } 00935 00936 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 00937 buf + 6, ciph_len ); 00938 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", 00939 buf + 6 + ciph_len, sess_len ); 00940 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge", 00941 buf + 6 + ciph_len + sess_len, chal_len ); 00942 00943 p = buf + 6 + ciph_len; 00944 ssl->session_negotiate->id_len = sess_len; 00945 memset( ssl->session_negotiate->id, 0, 00946 sizeof( ssl->session_negotiate->id ) ); 00947 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len ); 00948 00949 p += sess_len; 00950 memset( ssl->handshake->randbytes, 0, 64 ); 00951 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ); 00952 00953 /* 00954 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00955 */ 00956 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 00957 { 00958 if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 00959 { 00960 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 00961 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00962 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00963 { 00964 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 00965 "during renegotiation" ) ); 00966 00967 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00968 return( ret ); 00969 00970 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00971 } 00972 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00973 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 00974 break; 00975 } 00976 } 00977 00978 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 00979 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 00980 { 00981 if( p[0] == 0 && 00982 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 00983 p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 00984 { 00985 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); 00986 00987 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 00988 { 00989 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 00990 00991 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00992 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 00993 00994 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00995 } 00996 00997 break; 00998 } 00999 } 01000 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01001 01002 got_common_suite = 0; 01003 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01004 ciphersuite_info = NULL; 01005 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01006 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01007 { 01008 for( i = 0; ciphersuites[i] != 0; i++ ) 01009 #else 01010 for( i = 0; ciphersuites[i] != 0; i++ ) 01011 { 01012 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01013 #endif 01014 { 01015 if( p[0] != 0 || 01016 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01017 p[2] != ( ( ciphersuites[i] ) & 0xFF ) ) 01018 continue; 01019 01020 got_common_suite = 1; 01021 01022 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01023 &ciphersuite_info ) ) != 0 ) 01024 return( ret ); 01025 01026 if( ciphersuite_info != NULL ) 01027 goto have_ciphersuite_v2; 01028 } 01029 } 01030 01031 if( got_common_suite ) 01032 { 01033 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01034 "but none of them usable" ) ); 01035 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01036 } 01037 else 01038 { 01039 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01040 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 01041 } 01042 01043 have_ciphersuite_v2: 01044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01045 01046 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01047 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01048 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01049 01050 /* 01051 * SSLv2 Client Hello relevant renegotiation security checks 01052 */ 01053 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01054 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01055 { 01056 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01057 01058 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01059 return( ret ); 01060 01061 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01062 } 01063 01064 ssl->in_left = 0; 01065 ssl->state++; 01066 01067 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) ); 01068 01069 return( 0 ); 01070 } 01071 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ 01072 01073 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) 01074 { 01075 int ret, got_common_suite; 01076 size_t i, j; 01077 size_t ciph_offset, comp_offset, ext_offset; 01078 size_t msg_len, ciph_len, sess_len, comp_len, ext_len; 01079 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01080 size_t cookie_offset, cookie_len; 01081 #endif 01082 unsigned char *buf, *p, *ext; 01083 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01084 int renegotiation_info_seen = 0; 01085 #endif 01086 int handshake_failure = 0; 01087 const int *ciphersuites; 01088 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 01089 int major, minor; 01090 01091 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); 01092 01093 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01094 read_record_header: 01095 #endif 01096 /* 01097 * If renegotiating, then the input was read with mbedtls_ssl_read_record(), 01098 * otherwise read it ourselves manually in order to support SSLv2 01099 * ClientHello, which doesn't use the same record layer format. 01100 */ 01101 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01102 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01103 #endif 01104 { 01105 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) 01106 { 01107 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01108 return( ret ); 01109 } 01110 } 01111 01112 buf = ssl->in_hdr; 01113 01114 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 01115 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01116 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) 01117 #endif 01118 if( ( buf[0] & 0x80 ) != 0 ) 01119 return ssl_parse_client_hello_v2( ssl ); 01120 #endif 01121 01122 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) ); 01123 01124 /* 01125 * SSLv3/TLS Client Hello 01126 * 01127 * Record layer: 01128 * 0 . 0 message type 01129 * 1 . 2 protocol version 01130 * 3 . 11 DTLS: epoch + record sequence number 01131 * 3 . 4 message length 01132 */ 01133 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", 01134 buf[0] ) ); 01135 01136 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE ) 01137 { 01138 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01139 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01140 } 01141 01142 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", 01143 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) ); 01144 01145 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]", 01146 buf[1], buf[2] ) ); 01147 01148 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 ); 01149 01150 /* According to RFC 5246 Appendix E.1, the version here is typically 01151 * "{03,00}, the lowest version number supported by the client, [or] the 01152 * value of ClientHello.client_version", so the only meaningful check here 01153 * is the major version shouldn't be less than 3 */ 01154 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 ) 01155 { 01156 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01157 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01158 } 01159 01160 /* For DTLS if this is the initial handshake, remember the client sequence 01161 * number to use it in our next message (RFC 6347 4.2.1) */ 01162 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01163 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM 01164 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01165 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01166 #endif 01167 ) 01168 { 01169 /* Epoch should be 0 for initial handshakes */ 01170 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) 01171 { 01172 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01173 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01174 } 01175 01176 memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 ); 01177 01178 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01179 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 01180 { 01181 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) ); 01182 ssl->next_record_offset = 0; 01183 ssl->in_left = 0; 01184 goto read_record_header; 01185 } 01186 01187 /* No MAC to check yet, so we can update right now */ 01188 mbedtls_ssl_dtls_replay_update( ssl ); 01189 #endif 01190 } 01191 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01192 01193 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 01194 01195 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01196 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01197 { 01198 /* Set by mbedtls_ssl_read_record() */ 01199 msg_len = ssl->in_hslen; 01200 } 01201 else 01202 #endif 01203 { 01204 if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) 01205 { 01206 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01207 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01208 } 01209 01210 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 ) 01211 { 01212 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01213 return( ret ); 01214 } 01215 01216 /* Done reading this record, get ready for the next one */ 01217 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01218 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01219 ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl ); 01220 else 01221 #endif 01222 ssl->in_left = 0; 01223 } 01224 01225 buf = ssl->in_msg; 01226 01227 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len ); 01228 01229 ssl->handshake->update_checksum( ssl, buf, msg_len ); 01230 01231 /* 01232 * Handshake layer: 01233 * 0 . 0 handshake type 01234 * 1 . 3 handshake length 01235 * 4 . 5 DTLS only: message seqence number 01236 * 6 . 8 DTLS only: fragment offset 01237 * 9 . 11 DTLS only: fragment length 01238 */ 01239 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) ) 01240 { 01241 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01242 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01243 } 01244 01245 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) ); 01246 01247 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 01248 { 01249 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01250 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01251 } 01252 01253 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", 01254 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); 01255 01256 /* We don't support fragmentation of ClientHello (yet?) */ 01257 if( buf[1] != 0 || 01258 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) ) 01259 { 01260 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01261 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01262 } 01263 01264 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01265 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01266 { 01267 /* 01268 * Copy the client's handshake message_seq on initial handshakes, 01269 * check sequence number on renego. 01270 */ 01271 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01272 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01273 { 01274 /* This couldn't be done in ssl_prepare_handshake_record() */ 01275 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01276 ssl->in_msg[5]; 01277 01278 if( cli_msg_seq != ssl->handshake->in_msg_seq ) 01279 { 01280 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: " 01281 "%d (expected %d)", cli_msg_seq, 01282 ssl->handshake->in_msg_seq ) ); 01283 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01284 } 01285 01286 ssl->handshake->in_msg_seq++; 01287 } 01288 else 01289 #endif 01290 { 01291 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01292 ssl->in_msg[5]; 01293 ssl->handshake->out_msg_seq = cli_msg_seq; 01294 ssl->handshake->in_msg_seq = cli_msg_seq + 1; 01295 } 01296 01297 /* 01298 * For now we don't support fragmentation, so make sure 01299 * fragment_offset == 0 and fragment_length == length 01300 */ 01301 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 || 01302 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 ) 01303 { 01304 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) ); 01305 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01306 } 01307 } 01308 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01309 01310 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01311 msg_len -= mbedtls_ssl_hs_hdr_len( ssl ); 01312 01313 /* 01314 * ClientHello layer: 01315 * 0 . 1 protocol version 01316 * 2 . 33 random bytes (starting with 4 bytes of Unix time) 01317 * 34 . 35 session id length (1 byte) 01318 * 35 . 34+x session id 01319 * 35+x . 35+x DTLS only: cookie length (1 byte) 01320 * 36+x . .. DTLS only: cookie 01321 * .. . .. ciphersuite list length (2 bytes) 01322 * .. . .. ciphersuite list 01323 * .. . .. compression alg. list length (1 byte) 01324 * .. . .. compression alg. list 01325 * .. . .. extensions length (2 bytes, optional) 01326 * .. . .. extensions (optional) 01327 */ 01328 01329 /* 01330 * Minimal length (with everything empty and extensions ommitted) is 01331 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can 01332 * read at least up to session id length without worrying. 01333 */ 01334 if( msg_len < 38 ) 01335 { 01336 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01337 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01338 } 01339 01340 /* 01341 * Check and save the protocol version 01342 */ 01343 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); 01344 01345 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01346 ssl->conf->transport, buf ); 01347 01348 ssl->handshake->max_major_ver = ssl->major_ver; 01349 ssl->handshake->max_minor_ver = ssl->minor_ver; 01350 01351 if( ssl->major_ver < ssl->conf->min_major_ver || 01352 ssl->minor_ver < ssl->conf->min_minor_ver ) 01353 { 01354 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 01355 " [%d:%d] < [%d:%d]", 01356 ssl->major_ver, ssl->minor_ver, 01357 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 01358 01359 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01360 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01361 01362 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01363 } 01364 01365 if( ssl->major_ver > ssl->conf->max_major_ver ) 01366 { 01367 ssl->major_ver = ssl->conf->max_major_ver; 01368 ssl->minor_ver = ssl->conf->max_minor_ver; 01369 } 01370 else if( ssl->minor_ver > ssl->conf->max_minor_ver ) 01371 ssl->minor_ver = ssl->conf->max_minor_ver; 01372 01373 /* 01374 * Save client random (inc. Unix time) 01375 */ 01376 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 ); 01377 01378 memcpy( ssl->handshake->randbytes, buf + 2, 32 ); 01379 01380 /* 01381 * Check the session ID length and save session ID 01382 */ 01383 sess_len = buf[34]; 01384 01385 if( sess_len > sizeof( ssl->session_negotiate->id ) || 01386 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */ 01387 { 01388 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01389 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01390 } 01391 01392 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len ); 01393 01394 ssl->session_negotiate->id_len = sess_len; 01395 memset( ssl->session_negotiate->id, 0, 01396 sizeof( ssl->session_negotiate->id ) ); 01397 memcpy( ssl->session_negotiate->id, buf + 35, 01398 ssl->session_negotiate->id_len ); 01399 01400 /* 01401 * Check the cookie length and content 01402 */ 01403 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01404 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01405 { 01406 cookie_offset = 35 + sess_len; 01407 cookie_len = buf[cookie_offset]; 01408 01409 if( cookie_offset + 1 + cookie_len + 2 > msg_len ) 01410 { 01411 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01412 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01413 } 01414 01415 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 01416 buf + cookie_offset + 1, cookie_len ); 01417 01418 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 01419 if( ssl->conf->f_cookie_check != NULL 01420 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01421 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01422 #endif 01423 ) 01424 { 01425 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, 01426 buf + cookie_offset + 1, cookie_len, 01427 ssl->cli_id, ssl->cli_id_len ) != 0 ) 01428 { 01429 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) ); 01430 ssl->handshake->verify_cookie_len = 1; 01431 } 01432 else 01433 { 01434 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) ); 01435 ssl->handshake->verify_cookie_len = 0; 01436 } 01437 } 01438 else 01439 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 01440 { 01441 /* We know we didn't send a cookie, so it should be empty */ 01442 if( cookie_len != 0 ) 01443 { 01444 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01445 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01446 } 01447 01448 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) ); 01449 } 01450 01451 /* 01452 * Check the ciphersuitelist length (will be parsed later) 01453 */ 01454 ciph_offset = cookie_offset + 1 + cookie_len; 01455 } 01456 else 01457 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01458 ciph_offset = 35 + sess_len; 01459 01460 ciph_len = ( buf[ciph_offset + 0] << 8 ) 01461 | ( buf[ciph_offset + 1] ); 01462 01463 if( ciph_len < 2 || 01464 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ 01465 ( ciph_len % 2 ) != 0 ) 01466 { 01467 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01468 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01469 } 01470 01471 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01472 buf + ciph_offset + 2, ciph_len ); 01473 01474 /* 01475 * Check the compression algorithms length and pick one 01476 */ 01477 comp_offset = ciph_offset + 2 + ciph_len; 01478 01479 comp_len = buf[comp_offset]; 01480 01481 if( comp_len < 1 || 01482 comp_len > 16 || 01483 comp_len + comp_offset + 1 > msg_len ) 01484 { 01485 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01486 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01487 } 01488 01489 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", 01490 buf + comp_offset + 1, comp_len ); 01491 01492 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01493 #if defined(MBEDTLS_ZLIB_SUPPORT) 01494 for( i = 0; i < comp_len; ++i ) 01495 { 01496 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE ) 01497 { 01498 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE; 01499 break; 01500 } 01501 } 01502 #endif 01503 01504 /* See comments in ssl_write_client_hello() */ 01505 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01506 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01507 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01508 #endif 01509 01510 /* Do not parse the extensions if the protocol is SSLv3 */ 01511 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01512 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 01513 { 01514 #endif 01515 /* 01516 * Check the extension length 01517 */ 01518 ext_offset = comp_offset + 1 + comp_len; 01519 if( msg_len > ext_offset ) 01520 { 01521 if( msg_len < ext_offset + 2 ) 01522 { 01523 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01524 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01525 } 01526 01527 ext_len = ( buf[ext_offset + 0] << 8 ) 01528 | ( buf[ext_offset + 1] ); 01529 01530 if( ( ext_len > 0 && ext_len < 4 ) || 01531 msg_len != ext_offset + 2 + ext_len ) 01532 { 01533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01534 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01535 } 01536 } 01537 else 01538 ext_len = 0; 01539 01540 ext = buf + ext_offset + 2; 01541 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); 01542 01543 while( ext_len != 0 ) 01544 { 01545 unsigned int ext_id = ( ( ext[0] << 8 ) 01546 | ( ext[1] ) ); 01547 unsigned int ext_size = ( ( ext[2] << 8 ) 01548 | ( ext[3] ) ); 01549 01550 if( ext_size + 4 > ext_len ) 01551 { 01552 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01553 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01554 } 01555 switch( ext_id ) 01556 { 01557 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 01558 case MBEDTLS_TLS_EXT_SERVERNAME: 01559 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); 01560 if( ssl->conf->f_sni == NULL ) 01561 break; 01562 01563 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); 01564 if( ret != 0 ) 01565 return( ret ); 01566 break; 01567 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 01568 01569 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01570 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01571 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01572 renegotiation_info_seen = 1; 01573 #endif 01574 01575 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); 01576 if( ret != 0 ) 01577 return( ret ); 01578 break; 01579 01580 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01581 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01582 case MBEDTLS_TLS_EXT_SIG_ALG: 01583 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); 01584 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01585 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01586 break; 01587 #endif 01588 01589 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); 01590 if( ret != 0 ) 01591 return( ret ); 01592 break; 01593 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01594 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01595 01596 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01597 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01598 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: 01599 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); 01600 01601 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); 01602 if( ret != 0 ) 01603 return( ret ); 01604 break; 01605 01606 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01607 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); 01608 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; 01609 01610 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); 01611 if( ret != 0 ) 01612 return( ret ); 01613 break; 01614 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01615 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01616 01617 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01618 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01619 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); 01620 01621 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); 01622 if( ret != 0 ) 01623 return( ret ); 01624 break; 01625 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01626 01627 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01628 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01629 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); 01630 01631 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); 01632 if( ret != 0 ) 01633 return( ret ); 01634 break; 01635 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01636 01637 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01638 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01639 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); 01640 01641 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); 01642 if( ret != 0 ) 01643 return( ret ); 01644 break; 01645 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01646 01647 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01648 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01649 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); 01650 01651 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); 01652 if( ret != 0 ) 01653 return( ret ); 01654 break; 01655 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01656 01657 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01658 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01659 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); 01660 01661 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); 01662 if( ret != 0 ) 01663 return( ret ); 01664 break; 01665 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01666 01667 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01668 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01669 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); 01670 01671 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); 01672 if( ret != 0 ) 01673 return( ret ); 01674 break; 01675 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01676 01677 #if defined(MBEDTLS_SSL_ALPN) 01678 case MBEDTLS_TLS_EXT_ALPN: 01679 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01680 01681 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); 01682 if( ret != 0 ) 01683 return( ret ); 01684 break; 01685 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01686 01687 default: 01688 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01689 ext_id ) ); 01690 } 01691 01692 ext_len -= 4 + ext_size; 01693 ext += 4 + ext_size; 01694 01695 if( ext_len > 0 && ext_len < 4 ) 01696 { 01697 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01698 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01699 } 01700 } 01701 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01702 } 01703 #endif 01704 01705 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01706 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 ) 01707 { 01708 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 01709 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 01710 { 01711 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) ); 01712 01713 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 01714 { 01715 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01716 01717 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01718 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01719 01720 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01721 } 01722 01723 break; 01724 } 01725 } 01726 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01727 01728 /* 01729 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01730 */ 01731 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) 01732 { 01733 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 01734 { 01735 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01736 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01737 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01738 { 01739 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) ); 01740 01741 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01742 return( ret ); 01743 01744 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01745 } 01746 #endif 01747 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01748 break; 01749 } 01750 } 01751 01752 /* 01753 * Renegotiation security checks 01754 */ 01755 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && 01756 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01757 { 01758 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01759 handshake_failure = 1; 01760 } 01761 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01762 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01763 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01764 renegotiation_info_seen == 0 ) 01765 { 01766 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01767 handshake_failure = 1; 01768 } 01769 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01770 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01771 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01772 { 01773 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01774 handshake_failure = 1; 01775 } 01776 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01777 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01778 renegotiation_info_seen == 1 ) 01779 { 01780 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01781 handshake_failure = 1; 01782 } 01783 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01784 01785 if( handshake_failure == 1 ) 01786 { 01787 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01788 return( ret ); 01789 01790 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01791 } 01792 01793 /* 01794 * Search for a matching ciphersuite 01795 * (At the end because we need information from the EC-based extensions 01796 * and certificate from the SNI callback triggered by the SNI extension.) 01797 */ 01798 got_common_suite = 0; 01799 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01800 ciphersuite_info = NULL; 01801 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01802 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 01803 { 01804 for( i = 0; ciphersuites[i] != 0; i++ ) 01805 #else 01806 for( i = 0; ciphersuites[i] != 0; i++ ) 01807 { 01808 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 01809 #endif 01810 { 01811 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01812 p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) 01813 continue; 01814 01815 got_common_suite = 1; 01816 01817 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01818 &ciphersuite_info ) ) != 0 ) 01819 return( ret ); 01820 01821 if( ciphersuite_info != NULL ) 01822 goto have_ciphersuite; 01823 } 01824 } 01825 01826 if( got_common_suite ) 01827 { 01828 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01829 "but none of them usable" ) ); 01830 mbedtls_ssl_send_fatal_handshake_failure( ssl ); 01831 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01832 } 01833 else 01834 { 01835 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01836 mbedtls_ssl_send_fatal_handshake_failure( ssl ); 01837 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 01838 } 01839 01840 have_ciphersuite: 01841 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01842 01843 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01844 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01845 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01846 01847 ssl->state++; 01848 01849 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01850 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01851 mbedtls_ssl_recv_flight_completed( ssl ); 01852 #endif 01853 01854 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); 01855 01856 return( 0 ); 01857 } 01858 01859 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01860 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01861 unsigned char *buf, 01862 size_t *olen ) 01863 { 01864 unsigned char *p = buf; 01865 01866 if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 01867 { 01868 *olen = 0; 01869 return; 01870 } 01871 01872 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); 01873 01874 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 01875 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 01876 01877 *p++ = 0x00; 01878 *p++ = 0x00; 01879 01880 *olen = 4; 01881 } 01882 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01883 01884 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01885 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01886 unsigned char *buf, 01887 size_t *olen ) 01888 { 01889 unsigned char *p = buf; 01890 const mbedtls_ssl_ciphersuite_t *suite = NULL; 01891 const mbedtls_cipher_info_t *cipher = NULL; 01892 01893 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01894 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01895 { 01896 *olen = 0; 01897 return; 01898 } 01899 01900 /* 01901 * RFC 7366: "If a server receives an encrypt-then-MAC request extension 01902 * from a client and then selects a stream or Authenticated Encryption 01903 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an 01904 * encrypt-then-MAC response extension back to the client." 01905 */ 01906 if( ( suite = mbedtls_ssl_ciphersuite_from_id( 01907 ssl->session_negotiate->ciphersuite ) ) == NULL || 01908 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL || 01909 cipher->mode != MBEDTLS_MODE_CBC ) 01910 { 01911 *olen = 0; 01912 return; 01913 } 01914 01915 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); 01916 01917 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 01918 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 01919 01920 *p++ = 0x00; 01921 *p++ = 0x00; 01922 01923 *olen = 4; 01924 } 01925 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01926 01927 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01928 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 01929 unsigned char *buf, 01930 size_t *olen ) 01931 { 01932 unsigned char *p = buf; 01933 01934 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01935 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01936 { 01937 *olen = 0; 01938 return; 01939 } 01940 01941 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret " 01942 "extension" ) ); 01943 01944 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 01945 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 01946 01947 *p++ = 0x00; 01948 *p++ = 0x00; 01949 01950 *olen = 4; 01951 } 01952 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01953 01954 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01955 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 01956 unsigned char *buf, 01957 size_t *olen ) 01958 { 01959 unsigned char *p = buf; 01960 01961 if( ssl->handshake->new_session_ticket == 0 ) 01962 { 01963 *olen = 0; 01964 return; 01965 } 01966 01967 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); 01968 01969 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 01970 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 01971 01972 *p++ = 0x00; 01973 *p++ = 0x00; 01974 01975 *olen = 4; 01976 } 01977 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01978 01979 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 01980 unsigned char *buf, 01981 size_t *olen ) 01982 { 01983 unsigned char *p = buf; 01984 01985 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION ) 01986 { 01987 *olen = 0; 01988 return; 01989 } 01990 01991 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); 01992 01993 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 01994 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 01995 01996 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01997 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01998 { 01999 *p++ = 0x00; 02000 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; 02001 *p++ = ssl->verify_data_len * 2 & 0xFF; 02002 02003 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); 02004 p += ssl->verify_data_len; 02005 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 02006 p += ssl->verify_data_len; 02007 } 02008 else 02009 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 02010 { 02011 *p++ = 0x00; 02012 *p++ = 0x01; 02013 *p++ = 0x00; 02014 } 02015 02016 *olen = p - buf; 02017 } 02018 02019 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02020 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 02021 unsigned char *buf, 02022 size_t *olen ) 02023 { 02024 unsigned char *p = buf; 02025 02026 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) 02027 { 02028 *olen = 0; 02029 return; 02030 } 02031 02032 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); 02033 02034 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 02035 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 02036 02037 *p++ = 0x00; 02038 *p++ = 1; 02039 02040 *p++ = ssl->session_negotiate->mfl_code; 02041 02042 *olen = 5; 02043 } 02044 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 02045 02046 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02047 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02048 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 02049 unsigned char *buf, 02050 size_t *olen ) 02051 { 02052 unsigned char *p = buf; 02053 ((void) ssl); 02054 02055 if( ( ssl->handshake->cli_exts & 02056 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) 02057 { 02058 *olen = 0; 02059 return; 02060 } 02061 02062 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); 02063 02064 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 02065 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 02066 02067 *p++ = 0x00; 02068 *p++ = 2; 02069 02070 *p++ = 1; 02071 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 02072 02073 *olen = 6; 02074 } 02075 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02076 02077 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02078 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 02079 unsigned char *buf, 02080 size_t *olen ) 02081 { 02082 int ret; 02083 unsigned char *p = buf; 02084 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02085 size_t kkpp_len; 02086 02087 *olen = 0; 02088 02089 /* Skip costly computation if not needed */ 02090 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 02091 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02092 return; 02093 02094 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) ); 02095 02096 if( end - p < 4 ) 02097 { 02098 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 02099 return; 02100 } 02101 02102 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 02103 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 02104 02105 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 02106 p + 2, end - p - 2, &kkpp_len, 02107 ssl->conf->f_rng, ssl->conf->p_rng ); 02108 if( ret != 0 ) 02109 { 02110 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 02111 return; 02112 } 02113 02114 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 02115 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 02116 02117 *olen = kkpp_len + 4; 02118 } 02119 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02120 02121 #if defined(MBEDTLS_SSL_ALPN ) 02122 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 02123 unsigned char *buf, size_t *olen ) 02124 { 02125 if( ssl->alpn_chosen == NULL ) 02126 { 02127 *olen = 0; 02128 return; 02129 } 02130 02131 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); 02132 02133 /* 02134 * 0 . 1 ext identifier 02135 * 2 . 3 ext length 02136 * 4 . 5 protocol list length 02137 * 6 . 6 protocol name length 02138 * 7 . 7+n protocol name 02139 */ 02140 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 02141 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 02142 02143 *olen = 7 + strlen( ssl->alpn_chosen ); 02144 02145 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 02146 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 02147 02148 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 02149 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 02150 02151 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF ); 02152 02153 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); 02154 } 02155 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ 02156 02157 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02158 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) 02159 { 02160 int ret; 02161 unsigned char *p = ssl->out_msg + 4; 02162 unsigned char *cookie_len_byte; 02163 02164 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) ); 02165 02166 /* 02167 * struct { 02168 * ProtocolVersion server_version; 02169 * opaque cookie<0..2^8-1>; 02170 * } HelloVerifyRequest; 02171 */ 02172 02173 /* The RFC is not clear on this point, but sending the actual negotiated 02174 * version looks like the most interoperable thing to do. */ 02175 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02176 ssl->conf->transport, p ); 02177 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 02178 p += 2; 02179 02180 /* If we get here, f_cookie_check is not null */ 02181 if( ssl->conf->f_cookie_write == NULL ) 02182 { 02183 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); 02184 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02185 } 02186 02187 /* Skip length byte until we know the length */ 02188 cookie_len_byte = p++; 02189 02190 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, 02191 &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN, 02192 ssl->cli_id, ssl->cli_id_len ) ) != 0 ) 02193 { 02194 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret ); 02195 return( ret ); 02196 } 02197 02198 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) ); 02199 02200 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte ); 02201 02202 ssl->out_msglen = p - ssl->out_msg; 02203 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02204 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 02205 02206 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; 02207 02208 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02209 { 02210 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02211 return( ret ); 02212 } 02213 02214 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) ); 02215 02216 return( 0 ); 02217 } 02218 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02219 02220 static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) 02221 { 02222 #if defined(MBEDTLS_HAVE_TIME) 02223 mbedtls_time_t t; 02224 #endif 02225 int ret; 02226 size_t olen, ext_len = 0, n; 02227 unsigned char *buf, *p; 02228 02229 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); 02230 02231 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02232 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02233 ssl->handshake->verify_cookie_len != 0 ) 02234 { 02235 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); 02236 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02237 02238 return( ssl_write_hello_verify_request( ssl ) ); 02239 } 02240 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02241 02242 if( ssl->conf->f_rng == NULL ) 02243 { 02244 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 02245 return( MBEDTLS_ERR_SSL_NO_RNG ); 02246 } 02247 02248 /* 02249 * 0 . 0 handshake type 02250 * 1 . 3 handshake length 02251 * 4 . 5 protocol version 02252 * 6 . 9 UNIX time() 02253 * 10 . 37 random bytes 02254 */ 02255 buf = ssl->out_msg; 02256 p = buf + 4; 02257 02258 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02259 ssl->conf->transport, p ); 02260 p += 2; 02261 02262 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 02263 buf[4], buf[5] ) ); 02264 02265 #if defined(MBEDTLS_HAVE_TIME) 02266 t = mbedtls_time( NULL ); 02267 *p++ = (unsigned char)( t >> 24 ); 02268 *p++ = (unsigned char)( t >> 16 ); 02269 *p++ = (unsigned char)( t >> 8 ); 02270 *p++ = (unsigned char)( t ); 02271 02272 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 02273 #else 02274 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 02275 return( ret ); 02276 02277 p += 4; 02278 #endif /* MBEDTLS_HAVE_TIME */ 02279 02280 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 02281 return( ret ); 02282 02283 p += 28; 02284 02285 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); 02286 02287 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 02288 02289 /* 02290 * Resume is 0 by default, see ssl_handshake_init(). 02291 * It may be already set to 1 by ssl_parse_session_ticket_ext(). 02292 * If not, try looking up session ID in our cache. 02293 */ 02294 if( ssl->handshake->resume == 0 && 02295 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02296 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && 02297 #endif 02298 ssl->session_negotiate->id_len != 0 && 02299 ssl->conf->f_get_cache != NULL && 02300 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 ) 02301 { 02302 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); 02303 ssl->handshake->resume = 1; 02304 } 02305 02306 if( ssl->handshake->resume == 0 ) 02307 { 02308 /* 02309 * New session, create a new session id, 02310 * unless we're about to issue a session ticket 02311 */ 02312 ssl->state++; 02313 02314 #if defined(MBEDTLS_HAVE_TIME) 02315 ssl->session_negotiate->start = mbedtls_time( NULL ); 02316 #endif 02317 02318 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02319 if( ssl->handshake->new_session_ticket != 0 ) 02320 { 02321 ssl->session_negotiate->id_len = n = 0; 02322 memset( ssl->session_negotiate->id, 0, 32 ); 02323 } 02324 else 02325 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02326 { 02327 ssl->session_negotiate->id_len = n = 32; 02328 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 02329 n ) ) != 0 ) 02330 return( ret ); 02331 } 02332 } 02333 else 02334 { 02335 /* 02336 * Resuming a session 02337 */ 02338 n = ssl->session_negotiate->id_len; 02339 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 02340 02341 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 02342 { 02343 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 02344 return( ret ); 02345 } 02346 } 02347 02348 /* 02349 * 38 . 38 session id length 02350 * 39 . 38+n session id 02351 * 39+n . 40+n chosen ciphersuite 02352 * 41+n . 41+n chosen compression alg. 02353 * 42+n . 43+n extensions length 02354 * 44+n . 43+n+m extensions 02355 */ 02356 *p++ = (unsigned char) ssl->session_negotiate->id_len; 02357 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); 02358 p += ssl->session_negotiate->id_len; 02359 02360 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 02361 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 02362 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 02363 ssl->handshake->resume ? "a" : "no" ) ); 02364 02365 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); 02366 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); 02367 *p++ = (unsigned char)( ssl->session_negotiate->compression ); 02368 02369 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", 02370 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); 02371 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", 02372 ssl->session_negotiate->compression ) ); 02373 02374 /* Do not write the extensions if the protocol is SSLv3 */ 02375 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02376 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 02377 { 02378 #endif 02379 02380 /* 02381 * First write extensions, then the total length 02382 */ 02383 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 02384 ext_len += olen; 02385 02386 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02387 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 02388 ext_len += olen; 02389 #endif 02390 02391 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 02392 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 02393 ext_len += olen; 02394 #endif 02395 02396 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02397 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 02398 ext_len += olen; 02399 #endif 02400 02401 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02402 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 02403 ext_len += olen; 02404 #endif 02405 02406 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02407 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 02408 ext_len += olen; 02409 #endif 02410 02411 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02412 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02413 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 02414 ext_len += olen; 02415 #endif 02416 02417 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02418 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 02419 ext_len += olen; 02420 #endif 02421 02422 #if defined(MBEDTLS_SSL_ALPN) 02423 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 02424 ext_len += olen; 02425 #endif 02426 02427 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); 02428 02429 if( ext_len > 0 ) 02430 { 02431 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 02432 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 02433 p += ext_len; 02434 } 02435 02436 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02437 } 02438 #endif 02439 02440 ssl->out_msglen = p - buf; 02441 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02442 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; 02443 02444 ret = mbedtls_ssl_write_record( ssl ); 02445 02446 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02447 02448 return( ret ); 02449 } 02450 02451 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02452 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02453 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02454 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02455 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02456 { 02457 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02458 02459 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02460 02461 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02462 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02463 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02464 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02465 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02466 { 02467 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02468 ssl->state++; 02469 return( 0 ); 02470 } 02471 02472 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02473 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02474 } 02475 #else 02476 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02477 { 02478 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02479 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02480 size_t dn_size, total_dn_size; /* excluding length bytes */ 02481 size_t ct_len, sa_len; /* including length bytes */ 02482 unsigned char *buf, *p; 02483 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02484 const mbedtls_x509_crt *crt; 02485 int authmode; 02486 02487 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02488 02489 ssl->state++; 02490 02491 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02492 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 02493 authmode = ssl->handshake->sni_authmode; 02494 else 02495 #endif 02496 authmode = ssl->conf->authmode; 02497 02498 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02499 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02500 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02501 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02502 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || 02503 authmode == MBEDTLS_SSL_VERIFY_NONE ) 02504 { 02505 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02506 return( 0 ); 02507 } 02508 02509 /* 02510 * 0 . 0 handshake type 02511 * 1 . 3 handshake length 02512 * 4 . 4 cert type count 02513 * 5 .. m-1 cert types 02514 * m .. m+1 sig alg length (TLS 1.2 only) 02515 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 02516 * n .. n+1 length of all DNs 02517 * n+2 .. n+3 length of DN 1 02518 * n+4 .. ... Distinguished Name #1 02519 * ... .. ... length of DN 2, etc. 02520 */ 02521 buf = ssl->out_msg; 02522 p = buf + 4; 02523 02524 /* 02525 * Supported certificate types 02526 * 02527 * ClientCertificateType certificate_types<1..2^8-1>; 02528 * enum { (255) } ClientCertificateType; 02529 */ 02530 ct_len = 0; 02531 02532 #if defined(MBEDTLS_RSA_C) 02533 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; 02534 #endif 02535 #if defined(MBEDTLS_ECDSA_C) 02536 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; 02537 #endif 02538 02539 p[0] = (unsigned char) ct_len++; 02540 p += ct_len; 02541 02542 sa_len = 0; 02543 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02544 /* 02545 * Add signature_algorithms for verify (TLS 1.2) 02546 * 02547 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; 02548 * 02549 * struct { 02550 * HashAlgorithm hash; 02551 * SignatureAlgorithm signature; 02552 * } SignatureAndHashAlgorithm; 02553 * 02554 * enum { (255) } HashAlgorithm; 02555 * enum { (255) } SignatureAlgorithm; 02556 */ 02557 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02558 { 02559 /* 02560 * Only use current running hash algorithm that is already required 02561 * for requested ciphersuite. 02562 */ 02563 ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA256; 02564 02565 if( ssl->transform_negotiate->ciphersuite_info->mac == 02566 MBEDTLS_MD_SHA384 ) 02567 { 02568 ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA384; 02569 } 02570 02571 /* 02572 * Supported signature algorithms 02573 */ 02574 #if defined(MBEDTLS_RSA_C) 02575 p[2 + sa_len++] = ssl->handshake->verify_sig_alg; 02576 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA; 02577 #endif 02578 #if defined(MBEDTLS_ECDSA_C) 02579 p[2 + sa_len++] = ssl->handshake->verify_sig_alg; 02580 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA; 02581 #endif 02582 02583 p[0] = (unsigned char)( sa_len >> 8 ); 02584 p[1] = (unsigned char)( sa_len ); 02585 sa_len += 2; 02586 p += sa_len; 02587 } 02588 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02589 02590 /* 02591 * DistinguishedName certificate_authorities<0..2^16-1>; 02592 * opaque DistinguishedName<1..2^16-1>; 02593 */ 02594 p += 2; 02595 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02596 if( ssl->handshake->sni_ca_chain != NULL ) 02597 crt = ssl->handshake->sni_ca_chain; 02598 else 02599 #endif 02600 crt = ssl->conf->ca_chain; 02601 02602 total_dn_size = 0; 02603 while( crt != NULL && crt->version != 0 ) 02604 { 02605 dn_size = crt->subject_raw.len; 02606 02607 if( end < p || 02608 (size_t)( end - p ) < dn_size || 02609 (size_t)( end - p ) < 2 + dn_size ) 02610 { 02611 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); 02612 break; 02613 } 02614 02615 *p++ = (unsigned char)( dn_size >> 8 ); 02616 *p++ = (unsigned char)( dn_size ); 02617 memcpy( p, crt->subject_raw.p, dn_size ); 02618 p += dn_size; 02619 02620 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size ); 02621 02622 total_dn_size += 2 + dn_size; 02623 crt = crt->next; 02624 } 02625 02626 ssl->out_msglen = p - buf; 02627 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02628 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; 02629 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 ); 02630 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size ); 02631 02632 ret = mbedtls_ssl_write_record( ssl ); 02633 02634 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); 02635 02636 return( ret ); 02637 } 02638 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 02639 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 02640 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02641 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02642 02643 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02644 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02645 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02646 { 02647 int ret; 02648 02649 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) ) 02650 { 02651 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02652 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02653 } 02654 02655 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, 02656 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ), 02657 MBEDTLS_ECDH_OURS ) ) != 0 ) 02658 { 02659 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02660 return( ret ); 02661 } 02662 02663 return( 0 ); 02664 } 02665 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02666 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02667 02668 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) 02669 { 02670 int ret; 02671 size_t n = 0; 02672 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02673 ssl->transform_negotiate->ciphersuite_info; 02674 02675 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02676 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 02677 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02678 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02679 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02680 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02681 unsigned char *p = ssl->out_msg + 4; 02682 unsigned char *dig_signed = p; 02683 size_t dig_signed_len = 0, len; 02684 ((void) dig_signed); 02685 ((void) dig_signed_len); 02686 ((void) len); 02687 #endif 02688 02689 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); 02690 02691 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 02692 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02693 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02694 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA || 02695 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02696 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02697 { 02698 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 02699 ssl->state++; 02700 return( 0 ); 02701 } 02702 #endif 02703 02704 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02705 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02706 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02707 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02708 { 02709 ssl_get_ecdh_params_from_cert( ssl ); 02710 02711 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 02712 ssl->state++; 02713 return( 0 ); 02714 } 02715 #endif 02716 02717 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02718 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02719 { 02720 size_t jlen; 02721 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02722 02723 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02724 p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng ); 02725 if( ret != 0 ) 02726 { 02727 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02728 return( ret ); 02729 } 02730 02731 p += jlen; 02732 n += jlen; 02733 } 02734 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02735 02736 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 02737 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02738 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02739 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02740 { 02741 /* Note: we don't support identity hints, until someone asks 02742 * for them. */ 02743 *(p++) = 0x00; 02744 *(p++) = 0x00; 02745 02746 n += 2; 02747 } 02748 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || 02749 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02750 02751 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02752 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02753 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02754 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02755 { 02756 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL ) 02757 { 02758 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) ); 02759 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02760 } 02761 02762 /* 02763 * Ephemeral DH parameters: 02764 * 02765 * struct { 02766 * opaque dh_p<1..2^16-1>; 02767 * opaque dh_g<1..2^16-1>; 02768 * opaque dh_Ys<1..2^16-1>; 02769 * } ServerDHParams; 02770 */ 02771 if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 || 02772 ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 ) 02773 { 02774 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); 02775 return( ret ); 02776 } 02777 02778 if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx, 02779 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02780 p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02781 { 02782 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret ); 02783 return( ret ); 02784 } 02785 02786 dig_signed = p; 02787 dig_signed_len = len; 02788 02789 p += len; 02790 n += len; 02791 02792 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02793 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 02794 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 02795 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02796 } 02797 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02798 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02799 02800 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) 02801 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02802 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 02803 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02804 { 02805 /* 02806 * Ephemeral ECDH parameters: 02807 * 02808 * struct { 02809 * ECParameters curve_params; 02810 * ECPoint public; 02811 * } ServerECDHParams; 02812 */ 02813 const mbedtls_ecp_curve_info **curve = NULL; 02814 const mbedtls_ecp_group_id *gid; 02815 02816 /* Match our preference list against the offered curves */ 02817 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 02818 for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) 02819 if( (*curve)->grp_id == *gid ) 02820 goto curve_matching_done; 02821 02822 curve_matching_done: 02823 if( curve == NULL || *curve == NULL ) 02824 { 02825 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); 02826 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 02827 } 02828 02829 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); 02830 02831 if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp, 02832 (*curve)->grp_id ) ) != 0 ) 02833 { 02834 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); 02835 return( ret ); 02836 } 02837 02838 if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len, 02839 p, MBEDTLS_SSL_MAX_CONTENT_LEN - n, 02840 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02841 { 02842 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); 02843 return( ret ); 02844 } 02845 02846 dig_signed = p; 02847 dig_signed_len = len; 02848 02849 p += len; 02850 n += len; 02851 02852 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q ); 02853 } 02854 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ 02855 02856 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02857 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02858 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02859 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02860 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02861 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02862 { 02863 size_t signature_len = 0; 02864 unsigned int hashlen = 0; 02865 unsigned char hash[64]; 02866 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02867 02868 /* 02869 * Choose hash algorithm. NONE means MD5 + SHA1 here. 02870 */ 02871 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02872 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02873 { 02874 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->sig_alg ); 02875 02876 if( md_alg == MBEDTLS_MD_NONE ) 02877 { 02878 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02879 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02880 } 02881 } 02882 else 02883 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02884 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02885 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02886 if( ciphersuite_info->key_exchange == 02887 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02888 { 02889 md_alg = MBEDTLS_MD_SHA1; 02890 } 02891 else 02892 #endif 02893 { 02894 md_alg = MBEDTLS_MD_NONE; 02895 } 02896 02897 /* 02898 * Compute the hash to be signed 02899 */ 02900 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02901 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02902 if( md_alg == MBEDTLS_MD_NONE ) 02903 { 02904 mbedtls_md5_context mbedtls_md5; 02905 mbedtls_sha1_context mbedtls_sha1; 02906 02907 mbedtls_md5_init( &mbedtls_md5 ); 02908 mbedtls_sha1_init( &mbedtls_sha1 ); 02909 02910 /* 02911 * digitally-signed struct { 02912 * opaque md5_hash[16]; 02913 * opaque sha_hash[20]; 02914 * }; 02915 * 02916 * md5_hash 02917 * MD5(ClientHello.random + ServerHello.random 02918 * + ServerParams); 02919 * sha_hash 02920 * SHA(ClientHello.random + ServerHello.random 02921 * + ServerParams); 02922 */ 02923 mbedtls_md5_starts( &mbedtls_md5 ); 02924 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); 02925 mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len ); 02926 mbedtls_md5_finish( &mbedtls_md5, hash ); 02927 02928 mbedtls_sha1_starts( &mbedtls_sha1 ); 02929 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); 02930 mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len ); 02931 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); 02932 02933 hashlen = 36; 02934 02935 mbedtls_md5_free( &mbedtls_md5 ); 02936 mbedtls_sha1_free( &mbedtls_sha1 ); 02937 } 02938 else 02939 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02940 MBEDTLS_SSL_PROTO_TLS1_1 */ 02941 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02942 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02943 if( md_alg != MBEDTLS_MD_NONE ) 02944 { 02945 mbedtls_md_context_t ctx; 02946 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 02947 02948 mbedtls_md_init( &ctx ); 02949 02950 /* Info from md_alg will be used instead */ 02951 hashlen = 0; 02952 02953 /* 02954 * digitally-signed struct { 02955 * opaque client_random[32]; 02956 * opaque server_random[32]; 02957 * ServerDHParams params; 02958 * }; 02959 */ 02960 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 ) 02961 { 02962 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 02963 return( ret ); 02964 } 02965 02966 mbedtls_md_starts( &ctx ); 02967 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); 02968 mbedtls_md_update( &ctx, dig_signed, dig_signed_len ); 02969 mbedtls_md_finish( &ctx, hash ); 02970 mbedtls_md_free( &ctx ); 02971 } 02972 else 02973 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02974 MBEDTLS_SSL_PROTO_TLS1_2 */ 02975 { 02976 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02977 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02978 } 02979 02980 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02981 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 02982 02983 /* 02984 * Make the signature 02985 */ 02986 if( mbedtls_ssl_own_key( ssl ) == NULL ) 02987 { 02988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 02989 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02990 } 02991 02992 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02993 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02994 { 02995 *(p++) = ssl->handshake->sig_alg; 02996 *(p++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 02997 02998 n += 2; 02999 } 03000 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03001 03002 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen, 03003 p + 2 , &signature_len, 03004 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03005 { 03006 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03007 return( ret ); 03008 } 03009 03010 *(p++) = (unsigned char)( signature_len >> 8 ); 03011 *(p++) = (unsigned char)( signature_len ); 03012 n += 2; 03013 03014 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len ); 03015 03016 n += signature_len; 03017 } 03018 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || 03019 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 03020 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03021 03022 ssl->out_msglen = 4 + n; 03023 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03024 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; 03025 03026 ssl->state++; 03027 03028 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03029 { 03030 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03031 return( ret ); 03032 } 03033 03034 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); 03035 03036 return( 0 ); 03037 } 03038 03039 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) 03040 { 03041 int ret; 03042 03043 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); 03044 03045 ssl->out_msglen = 4; 03046 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03047 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; 03048 03049 ssl->state++; 03050 03051 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03052 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03053 mbedtls_ssl_send_flight_completed( ssl ); 03054 #endif 03055 03056 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03057 { 03058 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03059 return( ret ); 03060 } 03061 03062 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); 03063 03064 return( 0 ); 03065 } 03066 03067 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 03068 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03069 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p, 03070 const unsigned char *end ) 03071 { 03072 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03073 size_t n; 03074 03075 /* 03076 * Receive G^Y mod P, premaster = (G^Y)^X mod P 03077 */ 03078 if( *p + 2 > end ) 03079 { 03080 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03081 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03082 } 03083 03084 n = ( (*p)[0] << 8 ) | (*p)[1]; 03085 *p += 2; 03086 03087 if( *p + n > end ) 03088 { 03089 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03090 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03091 } 03092 03093 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) 03094 { 03095 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret ); 03096 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03097 } 03098 03099 *p += n; 03100 03101 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 03102 03103 return( ret ); 03104 } 03105 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 03106 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03107 03108 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 03109 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03110 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, 03111 const unsigned char *p, 03112 const unsigned char *end, 03113 size_t pms_offset ) 03114 { 03115 int ret; 03116 size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) ); 03117 unsigned char *pms = ssl->handshake->premaster + pms_offset; 03118 unsigned char ver[2]; 03119 unsigned char fake_pms[48], peer_pms[48]; 03120 unsigned char mask; 03121 size_t i, peer_pmslen; 03122 unsigned int diff; 03123 03124 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) ) 03125 { 03126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); 03127 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03128 } 03129 03130 /* 03131 * Decrypt the premaster using own private RSA key 03132 */ 03133 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03134 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03135 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 03136 { 03137 if( *p++ != ( ( len >> 8 ) & 0xFF ) || 03138 *p++ != ( ( len ) & 0xFF ) ) 03139 { 03140 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03141 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03142 } 03143 } 03144 #endif 03145 03146 if( p + len != end ) 03147 { 03148 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03149 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03150 } 03151 03152 mbedtls_ssl_write_version( ssl->handshake->max_major_ver, 03153 ssl->handshake->max_minor_ver, 03154 ssl->conf->transport, ver ); 03155 03156 /* 03157 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding 03158 * must not cause the connection to end immediately; instead, send a 03159 * bad_record_mac later in the handshake. 03160 * Also, avoid data-dependant branches here to protect against 03161 * timing-based variants. 03162 */ 03163 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); 03164 if( ret != 0 ) 03165 return( ret ); 03166 03167 ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len, 03168 peer_pms, &peer_pmslen, 03169 sizeof( peer_pms ), 03170 ssl->conf->f_rng, ssl->conf->p_rng ); 03171 03172 diff = (unsigned int) ret; 03173 diff |= peer_pmslen ^ 48; 03174 diff |= peer_pms[0] ^ ver[0]; 03175 diff |= peer_pms[1] ^ ver[1]; 03176 03177 #if defined(MBEDTLS_SSL_DEBUG_ALL) 03178 if( diff != 0 ) 03179 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03180 #endif 03181 03182 if( sizeof( ssl->handshake->premaster ) < pms_offset || 03183 sizeof( ssl->handshake->premaster ) - pms_offset < 48 ) 03184 { 03185 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03186 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03187 } 03188 ssl->handshake->pmslen = 48; 03189 03190 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ 03191 /* MSVC has a warning about unary minus on unsigned, but this is 03192 * well-defined and precisely what we want to do here */ 03193 #if defined(_MSC_VER) 03194 #pragma warning( push ) 03195 #pragma warning( disable : 4146 ) 03196 #endif 03197 mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) ); 03198 #if defined(_MSC_VER) 03199 #pragma warning( pop ) 03200 #endif 03201 03202 for( i = 0; i < ssl->handshake->pmslen; i++ ) 03203 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] ); 03204 03205 return( 0 ); 03206 } 03207 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 03208 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03209 03210 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 03211 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p, 03212 const unsigned char *end ) 03213 { 03214 int ret = 0; 03215 size_t n; 03216 03217 if( ssl->conf->f_psk == NULL && 03218 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || 03219 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) 03220 { 03221 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); 03222 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03223 } 03224 03225 /* 03226 * Receive client pre-shared key identity name 03227 */ 03228 if( *p + 2 > end ) 03229 { 03230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03231 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03232 } 03233 03234 n = ( (*p)[0] << 8 ) | (*p)[1]; 03235 *p += 2; 03236 03237 if( n < 1 || n > 65535 || *p + n > end ) 03238 { 03239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03240 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03241 } 03242 03243 if( ssl->conf->f_psk != NULL ) 03244 { 03245 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 ) 03246 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03247 } 03248 else 03249 { 03250 /* Identity is not a big secret since clients send it in the clear, 03251 * but treat it carefully anyway, just in case */ 03252 if( n != ssl->conf->psk_identity_len || 03253 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) 03254 { 03255 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03256 } 03257 } 03258 03259 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) 03260 { 03261 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); 03262 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 03263 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03264 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 ) 03265 { 03266 return( ret ); 03267 } 03268 03269 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); 03270 } 03271 03272 *p += n; 03273 03274 return( 0 ); 03275 } 03276 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 03277 03278 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) 03279 { 03280 int ret; 03281 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 03282 unsigned char *p, *end; 03283 03284 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03285 03286 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); 03287 03288 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03289 { 03290 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03291 return( ret ); 03292 } 03293 03294 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03295 end = ssl->in_msg + ssl->in_hslen; 03296 03297 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03298 { 03299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03300 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03301 } 03302 03303 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE ) 03304 { 03305 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03306 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03307 } 03308 03309 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 03310 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 03311 { 03312 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03313 { 03314 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03315 return( ret ); 03316 } 03317 03318 if( p != end ) 03319 { 03320 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03321 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03322 } 03323 03324 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 03325 ssl->handshake->premaster, 03326 MBEDTLS_PREMASTER_SIZE, 03327 &ssl->handshake->pmslen, 03328 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03329 { 03330 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 03331 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03332 } 03333 03334 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 03335 } 03336 else 03337 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 03338 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 03339 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 03340 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 03341 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 03342 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 03343 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 03344 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 03345 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 03346 { 03347 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 03348 p, end - p) ) != 0 ) 03349 { 03350 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 03351 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03352 } 03353 03354 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03355 03356 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 03357 &ssl->handshake->pmslen, 03358 ssl->handshake->premaster, 03359 MBEDTLS_MPI_MAX_SIZE, 03360 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03361 { 03362 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 03363 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03364 } 03365 03366 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z ); 03367 } 03368 else 03369 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 03370 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 03371 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 03372 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 03373 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 03374 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 03375 { 03376 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03377 { 03378 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03379 return( ret ); 03380 } 03381 03382 if( p != end ) 03383 { 03384 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03385 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03386 } 03387 03388 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03389 ciphersuite_info->key_exchange ) ) != 0 ) 03390 { 03391 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03392 return( ret ); 03393 } 03394 } 03395 else 03396 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 03397 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03398 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 03399 { 03400 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03401 { 03402 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03403 return( ret ); 03404 } 03405 03406 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) 03407 { 03408 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); 03409 return( ret ); 03410 } 03411 03412 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03413 ciphersuite_info->key_exchange ) ) != 0 ) 03414 { 03415 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03416 return( ret ); 03417 } 03418 } 03419 else 03420 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03421 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03422 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 03423 { 03424 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03425 { 03426 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03427 return( ret ); 03428 } 03429 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03430 { 03431 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03432 return( ret ); 03433 } 03434 03435 if( p != end ) 03436 { 03437 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03438 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03439 } 03440 03441 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03442 ciphersuite_info->key_exchange ) ) != 0 ) 03443 { 03444 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03445 return( ret ); 03446 } 03447 } 03448 else 03449 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03450 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 03451 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 03452 { 03453 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03454 { 03455 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03456 return( ret ); 03457 } 03458 03459 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 03460 p, end - p ) ) != 0 ) 03461 { 03462 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 03463 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03464 } 03465 03466 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03467 03468 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03469 ciphersuite_info->key_exchange ) ) != 0 ) 03470 { 03471 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03472 return( ret ); 03473 } 03474 } 03475 else 03476 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 03477 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 03478 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 03479 { 03480 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 ) 03481 { 03482 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); 03483 return( ret ); 03484 } 03485 } 03486 else 03487 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03488 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 03489 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03490 { 03491 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 03492 p, end - p ); 03493 if( ret != 0 ) 03494 { 03495 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 03496 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 03497 } 03498 03499 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 03500 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 03501 ssl->conf->f_rng, ssl->conf->p_rng ); 03502 if( ret != 0 ) 03503 { 03504 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 03505 return( ret ); 03506 } 03507 } 03508 else 03509 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 03510 { 03511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03512 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03513 } 03514 03515 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03516 { 03517 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03518 return( ret ); 03519 } 03520 03521 ssl->state++; 03522 03523 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); 03524 03525 return( 0 ); 03526 } 03527 03528 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 03529 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 03530 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 03531 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 03532 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 03533 { 03534 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03535 03536 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03537 03538 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03539 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03540 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03541 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03542 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03543 { 03544 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03545 ssl->state++; 03546 return( 0 ); 03547 } 03548 03549 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03550 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03551 } 03552 #else 03553 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 03554 { 03555 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03556 size_t i, sig_len; 03557 unsigned char hash[48]; 03558 unsigned char *hash_start = hash; 03559 size_t hashlen; 03560 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03561 mbedtls_pk_type_t pk_alg; 03562 #endif 03563 mbedtls_md_type_t md_alg; 03564 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03565 03566 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03567 03568 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03569 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03570 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03571 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03572 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || 03573 ssl->session_negotiate->peer_cert == NULL ) 03574 { 03575 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03576 ssl->state++; 03577 return( 0 ); 03578 } 03579 03580 /* Needs to be done before read_record() to exclude current message */ 03581 ssl->handshake->calc_verify( ssl, hash ); 03582 03583 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03584 { 03585 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03586 return( ret ); 03587 } 03588 03589 ssl->state++; 03590 03591 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || 03592 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY ) 03593 { 03594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03595 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03596 } 03597 03598 i = mbedtls_ssl_hs_hdr_len( ssl ); 03599 03600 /* 03601 * struct { 03602 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only 03603 * opaque signature<0..2^16-1>; 03604 * } DigitallySigned; 03605 */ 03606 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03607 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03608 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03609 { 03610 md_alg = MBEDTLS_MD_NONE; 03611 hashlen = 36; 03612 03613 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ 03614 if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 03615 MBEDTLS_PK_ECDSA ) ) 03616 { 03617 hash_start += 16; 03618 hashlen -= 16; 03619 md_alg = MBEDTLS_MD_SHA1; 03620 } 03621 } 03622 else 03623 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || 03624 MBEDTLS_SSL_PROTO_TLS1_1 */ 03625 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03626 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03627 { 03628 if( i + 2 > ssl->in_hslen ) 03629 { 03630 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03631 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03632 } 03633 03634 /* 03635 * Hash 03636 */ 03637 if( ssl->in_msg[i] != ssl->handshake->verify_sig_alg ) 03638 { 03639 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03640 " for verify message" ) ); 03641 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03642 } 03643 03644 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg ); 03645 03646 /* Info from md_alg will be used instead */ 03647 hashlen = 0; 03648 03649 i++; 03650 03651 /* 03652 * Signature 03653 */ 03654 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) ) 03655 == MBEDTLS_PK_NONE ) 03656 { 03657 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03658 " for verify message" ) ); 03659 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03660 } 03661 03662 /* 03663 * Check the certificate's key type matches the signature alg 03664 */ 03665 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 03666 { 03667 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); 03668 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03669 } 03670 03671 i++; 03672 } 03673 else 03674 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03675 { 03676 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03677 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03678 } 03679 03680 if( i + 2 > ssl->in_hslen ) 03681 { 03682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03683 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03684 } 03685 03686 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1]; 03687 i += 2; 03688 03689 if( i + sig_len != ssl->in_hslen ) 03690 { 03691 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03692 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03693 } 03694 03695 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 03696 md_alg, hash_start, hashlen, 03697 ssl->in_msg + i, sig_len ) ) != 0 ) 03698 { 03699 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 03700 return( ret ); 03701 } 03702 03703 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); 03704 03705 return( ret ); 03706 } 03707 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03708 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03709 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ 03710 03711 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03712 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) 03713 { 03714 int ret; 03715 size_t tlen; 03716 uint32_t lifetime; 03717 03718 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); 03719 03720 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03721 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; 03722 03723 /* 03724 * struct { 03725 * uint32 ticket_lifetime_hint; 03726 * opaque ticket<0..2^16-1>; 03727 * } NewSessionTicket; 03728 * 03729 * 4 . 7 ticket_lifetime_hint (0 = unspecified) 03730 * 8 . 9 ticket_len (n) 03731 * 10 . 9+n ticket content 03732 */ 03733 03734 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, 03735 ssl->session_negotiate, 03736 ssl->out_msg + 10, 03737 ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN, 03738 &tlen, &lifetime ) ) != 0 ) 03739 { 03740 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret ); 03741 tlen = 0; 03742 } 03743 03744 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF; 03745 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF; 03746 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF; 03747 ssl->out_msg[7] = ( lifetime ) & 0xFF; 03748 03749 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 03750 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF ); 03751 03752 ssl->out_msglen = 10 + tlen; 03753 03754 /* 03755 * Morally equivalent to updating ssl->state, but NewSessionTicket and 03756 * ChangeCipherSpec share the same state. 03757 */ 03758 ssl->handshake->new_session_ticket = 0; 03759 03760 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03761 { 03762 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03763 return( ret ); 03764 } 03765 03766 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); 03767 03768 return( 0 ); 03769 } 03770 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03771 03772 /* 03773 * SSL handshake -- server side -- single step 03774 */ 03775 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) 03776 { 03777 int ret = 0; 03778 03779 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03780 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03781 03782 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); 03783 03784 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03785 return( ret ); 03786 03787 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03788 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03789 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03790 { 03791 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03792 return( ret ); 03793 } 03794 #endif 03795 03796 switch( ssl->state ) 03797 { 03798 case MBEDTLS_SSL_HELLO_REQUEST: 03799 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03800 break; 03801 03802 /* 03803 * <== ClientHello 03804 */ 03805 case MBEDTLS_SSL_CLIENT_HELLO: 03806 ret = ssl_parse_client_hello( ssl ); 03807 break; 03808 03809 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03810 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: 03811 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03812 #endif 03813 03814 /* 03815 * ==> ServerHello 03816 * Certificate 03817 * ( ServerKeyExchange ) 03818 * ( CertificateRequest ) 03819 * ServerHelloDone 03820 */ 03821 case MBEDTLS_SSL_SERVER_HELLO: 03822 ret = ssl_write_server_hello( ssl ); 03823 break; 03824 03825 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03826 ret = mbedtls_ssl_write_certificate( ssl ); 03827 break; 03828 03829 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03830 ret = ssl_write_server_key_exchange( ssl ); 03831 break; 03832 03833 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03834 ret = ssl_write_certificate_request( ssl ); 03835 break; 03836 03837 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03838 ret = ssl_write_server_hello_done( ssl ); 03839 break; 03840 03841 /* 03842 * <== ( Certificate/Alert ) 03843 * ClientKeyExchange 03844 * ( CertificateVerify ) 03845 * ChangeCipherSpec 03846 * Finished 03847 */ 03848 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03849 ret = mbedtls_ssl_parse_certificate( ssl ); 03850 break; 03851 03852 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03853 ret = ssl_parse_client_key_exchange( ssl ); 03854 break; 03855 03856 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03857 ret = ssl_parse_certificate_verify( ssl ); 03858 break; 03859 03860 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03861 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 03862 break; 03863 03864 case MBEDTLS_SSL_CLIENT_FINISHED: 03865 ret = mbedtls_ssl_parse_finished( ssl ); 03866 break; 03867 03868 /* 03869 * ==> ( NewSessionTicket ) 03870 * ChangeCipherSpec 03871 * Finished 03872 */ 03873 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 03874 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03875 if( ssl->handshake->new_session_ticket != 0 ) 03876 ret = ssl_write_new_session_ticket( ssl ); 03877 else 03878 #endif 03879 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 03880 break; 03881 03882 case MBEDTLS_SSL_SERVER_FINISHED: 03883 ret = mbedtls_ssl_write_finished( ssl ); 03884 break; 03885 03886 case MBEDTLS_SSL_FLUSH_BUFFERS: 03887 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03888 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 03889 break; 03890 03891 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 03892 mbedtls_ssl_handshake_wrapup( ssl ); 03893 break; 03894 03895 default: 03896 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03897 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03898 } 03899 03900 return( ret ); 03901 } 03902 #endif /* MBEDTLS_SSL_SRV_C */
Generated on Tue Jul 12 2022 12:28:50 by
