Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependencies: MAX44000 PWM_Tone_Library nexpaq_mdk
Fork of LED_Demo by
ssl_tls.c
00001 /* 00002 * SSLv3/TLSv1 shared functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The SSL 3.0 specification was drafted by Netscape in 1996, 00023 * and became an IETF standard in 1999. 00024 * 00025 * http://wp.netscape.com/eng/ssl3/ 00026 * http://www.ietf.org/rfc/rfc2246.txt 00027 * http://www.ietf.org/rfc/rfc4346.txt 00028 */ 00029 00030 #if !defined(MBEDTLS_CONFIG_FILE) 00031 #include "mbedtls/config.h" 00032 #else 00033 #include MBEDTLS_CONFIG_FILE 00034 #endif 00035 00036 #if defined(MBEDTLS_SSL_TLS_C) 00037 00038 #if defined(MBEDTLS_PLATFORM_C) 00039 #include "mbedtls/platform.h" 00040 #else 00041 #include <stdlib.h> 00042 #define mbedtls_calloc calloc 00043 #define mbedtls_free free 00044 #define mbedtls_time_t time_t 00045 #endif 00046 00047 #include "mbedtls/debug.h" 00048 #include "mbedtls/ssl.h" 00049 #include "mbedtls/ssl_internal.h" 00050 00051 #include <string.h> 00052 00053 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 00054 defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 00055 #include "mbedtls/oid.h" 00056 #endif 00057 00058 /* Implementation that should never be optimized out by the compiler */ 00059 static void mbedtls_zeroize( void *v, size_t n ) { 00060 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00061 } 00062 00063 /* Length of the "epoch" field in the record header */ 00064 static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl ) 00065 { 00066 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00067 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00068 return( 2 ); 00069 #else 00070 ((void) ssl); 00071 #endif 00072 return( 0 ); 00073 } 00074 00075 /* 00076 * Start a timer. 00077 * Passing millisecs = 0 cancels a running timer. 00078 */ 00079 static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs ) 00080 { 00081 if( ssl->f_set_timer == NULL ) 00082 return; 00083 00084 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) ); 00085 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs ); 00086 } 00087 00088 /* 00089 * Return -1 is timer is expired, 0 if it isn't. 00090 */ 00091 static int ssl_check_timer( mbedtls_ssl_context *ssl ) 00092 { 00093 if( ssl->f_get_timer == NULL ) 00094 return( 0 ); 00095 00096 if( ssl->f_get_timer( ssl->p_timer ) == 2 ) 00097 { 00098 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) ); 00099 return( -1 ); 00100 } 00101 00102 return( 0 ); 00103 } 00104 00105 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00106 /* 00107 * Double the retransmit timeout value, within the allowed range, 00108 * returning -1 if the maximum value has already been reached. 00109 */ 00110 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) 00111 { 00112 uint32_t new_timeout; 00113 00114 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) 00115 return( -1 ); 00116 00117 new_timeout = 2 * ssl->handshake->retransmit_timeout; 00118 00119 /* Avoid arithmetic overflow and range overflow */ 00120 if( new_timeout < ssl->handshake->retransmit_timeout || 00121 new_timeout > ssl->conf->hs_timeout_max ) 00122 { 00123 new_timeout = ssl->conf->hs_timeout_max; 00124 } 00125 00126 ssl->handshake->retransmit_timeout = new_timeout; 00127 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00128 ssl->handshake->retransmit_timeout ) ); 00129 00130 return( 0 ); 00131 } 00132 00133 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) 00134 { 00135 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; 00136 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00137 ssl->handshake->retransmit_timeout ) ); 00138 } 00139 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 00140 00141 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00142 /* 00143 * Convert max_fragment_length codes to length. 00144 * RFC 6066 says: 00145 * enum{ 00146 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) 00147 * } MaxFragmentLength; 00148 * and we add 0 -> extension unused 00149 */ 00150 static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] = 00151 { 00152 MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */ 00153 512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */ 00154 1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */ 00155 2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */ 00156 4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */ 00157 }; 00158 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00159 00160 #if defined(MBEDTLS_SSL_CLI_C) 00161 static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src ) 00162 { 00163 mbedtls_ssl_session_free( dst ); 00164 memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); 00165 00166 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00167 if( src->peer_cert != NULL ) 00168 { 00169 int ret; 00170 00171 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) ); 00172 if( dst->peer_cert == NULL ) 00173 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00174 00175 mbedtls_x509_crt_init( dst->peer_cert ); 00176 00177 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p, 00178 src->peer_cert->raw.len ) ) != 0 ) 00179 { 00180 mbedtls_free( dst->peer_cert ); 00181 dst->peer_cert = NULL; 00182 return( ret ); 00183 } 00184 } 00185 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00186 00187 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 00188 if( src->ticket != NULL ) 00189 { 00190 dst->ticket = mbedtls_calloc( 1, src->ticket_len ); 00191 if( dst->ticket == NULL ) 00192 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00193 00194 memcpy( dst->ticket, src->ticket, src->ticket_len ); 00195 } 00196 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 00197 00198 return( 0 ); 00199 } 00200 #endif /* MBEDTLS_SSL_CLI_C */ 00201 00202 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00203 int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl, 00204 const unsigned char *key_enc, const unsigned char *key_dec, 00205 size_t keylen, 00206 const unsigned char *iv_enc, const unsigned char *iv_dec, 00207 size_t ivlen, 00208 const unsigned char *mac_enc, const unsigned char *mac_dec, 00209 size_t maclen ) = NULL; 00210 int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL; 00211 int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL; 00212 int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL; 00213 int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL; 00214 int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL; 00215 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00216 00217 /* 00218 * Key material generation 00219 */ 00220 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00221 static int ssl3_prf( const unsigned char *secret, size_t slen, 00222 const char *label, 00223 const unsigned char *random, size_t rlen, 00224 unsigned char *dstbuf, size_t dlen ) 00225 { 00226 size_t i; 00227 mbedtls_md5_context md5; 00228 mbedtls_sha1_context sha1; 00229 unsigned char padding[16]; 00230 unsigned char sha1sum[20]; 00231 ((void)label); 00232 00233 mbedtls_md5_init( &md5 ); 00234 mbedtls_sha1_init( &sha1 ); 00235 00236 /* 00237 * SSLv3: 00238 * block = 00239 * MD5( secret + SHA1( 'A' + secret + random ) ) + 00240 * MD5( secret + SHA1( 'BB' + secret + random ) ) + 00241 * MD5( secret + SHA1( 'CCC' + secret + random ) ) + 00242 * ... 00243 */ 00244 for( i = 0; i < dlen / 16; i++ ) 00245 { 00246 memset( padding, (unsigned char) ('A' + i), 1 + i ); 00247 00248 mbedtls_sha1_starts( &sha1 ); 00249 mbedtls_sha1_update( &sha1, padding, 1 + i ); 00250 mbedtls_sha1_update( &sha1, secret, slen ); 00251 mbedtls_sha1_update( &sha1, random, rlen ); 00252 mbedtls_sha1_finish( &sha1, sha1sum ); 00253 00254 mbedtls_md5_starts( &md5 ); 00255 mbedtls_md5_update( &md5, secret, slen ); 00256 mbedtls_md5_update( &md5, sha1sum, 20 ); 00257 mbedtls_md5_finish( &md5, dstbuf + i * 16 ); 00258 } 00259 00260 mbedtls_md5_free( &md5 ); 00261 mbedtls_sha1_free( &sha1 ); 00262 00263 mbedtls_zeroize( padding, sizeof( padding ) ); 00264 mbedtls_zeroize( sha1sum, sizeof( sha1sum ) ); 00265 00266 return( 0 ); 00267 } 00268 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00269 00270 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00271 static int tls1_prf( const unsigned char *secret, size_t slen, 00272 const char *label, 00273 const unsigned char *random, size_t rlen, 00274 unsigned char *dstbuf, size_t dlen ) 00275 { 00276 size_t nb, hs; 00277 size_t i, j, k; 00278 const unsigned char *S1, *S2; 00279 unsigned char tmp[128]; 00280 unsigned char h_i[20]; 00281 const mbedtls_md_info_t *md_info; 00282 mbedtls_md_context_t md_ctx; 00283 int ret; 00284 00285 mbedtls_md_init( &md_ctx ); 00286 00287 if( sizeof( tmp ) < 20 + strlen( label ) + rlen ) 00288 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00289 00290 hs = ( slen + 1 ) / 2; 00291 S1 = secret; 00292 S2 = secret + slen - hs; 00293 00294 nb = strlen( label ); 00295 memcpy( tmp + 20, label, nb ); 00296 memcpy( tmp + 20 + nb, random, rlen ); 00297 nb += rlen; 00298 00299 /* 00300 * First compute P_md5(secret,label+random)[0..dlen] 00301 */ 00302 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL ) 00303 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00304 00305 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00306 return( ret ); 00307 00308 mbedtls_md_hmac_starts( &md_ctx, S1, hs ); 00309 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00310 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00311 00312 for( i = 0; i < dlen; i += 16 ) 00313 { 00314 mbedtls_md_hmac_reset ( &md_ctx ); 00315 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb ); 00316 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00317 00318 mbedtls_md_hmac_reset ( &md_ctx ); 00319 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 ); 00320 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00321 00322 k = ( i + 16 > dlen ) ? dlen % 16 : 16; 00323 00324 for( j = 0; j < k; j++ ) 00325 dstbuf[i + j] = h_i[j]; 00326 } 00327 00328 mbedtls_md_free( &md_ctx ); 00329 00330 /* 00331 * XOR out with P_sha1(secret,label+random)[0..dlen] 00332 */ 00333 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL ) 00334 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00335 00336 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00337 return( ret ); 00338 00339 mbedtls_md_hmac_starts( &md_ctx, S2, hs ); 00340 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00341 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00342 00343 for( i = 0; i < dlen; i += 20 ) 00344 { 00345 mbedtls_md_hmac_reset ( &md_ctx ); 00346 mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb ); 00347 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00348 00349 mbedtls_md_hmac_reset ( &md_ctx ); 00350 mbedtls_md_hmac_update( &md_ctx, tmp, 20 ); 00351 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00352 00353 k = ( i + 20 > dlen ) ? dlen % 20 : 20; 00354 00355 for( j = 0; j < k; j++ ) 00356 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] ); 00357 } 00358 00359 mbedtls_md_free( &md_ctx ); 00360 00361 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00362 mbedtls_zeroize( h_i, sizeof( h_i ) ); 00363 00364 return( 0 ); 00365 } 00366 #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ 00367 00368 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00369 static int tls_prf_generic( mbedtls_md_type_t md_type, 00370 const unsigned char *secret, size_t slen, 00371 const char *label, 00372 const unsigned char *random, size_t rlen, 00373 unsigned char *dstbuf, size_t dlen ) 00374 { 00375 size_t nb; 00376 size_t i, j, k, md_len; 00377 unsigned char tmp[128]; 00378 unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; 00379 const mbedtls_md_info_t *md_info; 00380 mbedtls_md_context_t md_ctx; 00381 int ret; 00382 00383 mbedtls_md_init( &md_ctx ); 00384 00385 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL ) 00386 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00387 00388 md_len = mbedtls_md_get_size( md_info ); 00389 00390 if( sizeof( tmp ) < md_len + strlen( label ) + rlen ) 00391 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00392 00393 nb = strlen( label ); 00394 memcpy( tmp + md_len, label, nb ); 00395 memcpy( tmp + md_len + nb, random, rlen ); 00396 nb += rlen; 00397 00398 /* 00399 * Compute P_<hash>(secret, label + random)[0..dlen] 00400 */ 00401 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00402 return( ret ); 00403 00404 mbedtls_md_hmac_starts( &md_ctx, secret, slen ); 00405 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb ); 00406 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00407 00408 for( i = 0; i < dlen; i += md_len ) 00409 { 00410 mbedtls_md_hmac_reset ( &md_ctx ); 00411 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb ); 00412 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00413 00414 mbedtls_md_hmac_reset ( &md_ctx ); 00415 mbedtls_md_hmac_update( &md_ctx, tmp, md_len ); 00416 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00417 00418 k = ( i + md_len > dlen ) ? dlen % md_len : md_len; 00419 00420 for( j = 0; j < k; j++ ) 00421 dstbuf[i + j] = h_i[j]; 00422 } 00423 00424 mbedtls_md_free( &md_ctx ); 00425 00426 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00427 mbedtls_zeroize( h_i, sizeof( h_i ) ); 00428 00429 return( 0 ); 00430 } 00431 00432 #if defined(MBEDTLS_SHA256_C) 00433 static int tls_prf_sha256( const unsigned char *secret, size_t slen, 00434 const char *label, 00435 const unsigned char *random, size_t rlen, 00436 unsigned char *dstbuf, size_t dlen ) 00437 { 00438 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen, 00439 label, random, rlen, dstbuf, dlen ) ); 00440 } 00441 #endif /* MBEDTLS_SHA256_C */ 00442 00443 #if defined(MBEDTLS_SHA512_C) 00444 static int tls_prf_sha384( const unsigned char *secret, size_t slen, 00445 const char *label, 00446 const unsigned char *random, size_t rlen, 00447 unsigned char *dstbuf, size_t dlen ) 00448 { 00449 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen, 00450 label, random, rlen, dstbuf, dlen ) ); 00451 } 00452 #endif /* MBEDTLS_SHA512_C */ 00453 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00454 00455 static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); 00456 00457 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 00458 defined(MBEDTLS_SSL_PROTO_TLS1_1) 00459 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t ); 00460 #endif 00461 00462 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00463 static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * ); 00464 static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int ); 00465 #endif 00466 00467 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00468 static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * ); 00469 static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int ); 00470 #endif 00471 00472 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00473 #if defined(MBEDTLS_SHA256_C) 00474 static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); 00475 static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * ); 00476 static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int ); 00477 #endif 00478 00479 #if defined(MBEDTLS_SHA512_C) 00480 static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t ); 00481 static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * ); 00482 static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int ); 00483 #endif 00484 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00485 00486 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) 00487 { 00488 int ret = 0; 00489 unsigned char tmp[64]; 00490 unsigned char keyblk[256]; 00491 unsigned char *key1; 00492 unsigned char *key2; 00493 unsigned char *mac_enc; 00494 unsigned char *mac_dec; 00495 size_t iv_copy_len; 00496 const mbedtls_cipher_info_t *cipher_info; 00497 const mbedtls_md_info_t *md_info; 00498 00499 mbedtls_ssl_session *session = ssl->session_negotiate; 00500 mbedtls_ssl_transform *transform = ssl->transform_negotiate; 00501 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 00502 00503 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) ); 00504 00505 cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher ); 00506 if( cipher_info == NULL ) 00507 { 00508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found", 00509 transform->ciphersuite_info->cipher ) ); 00510 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00511 } 00512 00513 md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac ); 00514 if( md_info == NULL ) 00515 { 00516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found", 00517 transform->ciphersuite_info->mac ) ); 00518 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00519 } 00520 00521 /* 00522 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions 00523 */ 00524 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00525 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00526 { 00527 handshake->tls_prf = ssl3_prf; 00528 handshake->calc_verify = ssl_calc_verify_ssl; 00529 handshake->calc_finished = ssl_calc_finished_ssl; 00530 } 00531 else 00532 #endif 00533 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00534 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 00535 { 00536 handshake->tls_prf = tls1_prf; 00537 handshake->calc_verify = ssl_calc_verify_tls; 00538 handshake->calc_finished = ssl_calc_finished_tls; 00539 } 00540 else 00541 #endif 00542 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00543 #if defined(MBEDTLS_SHA512_C) 00544 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && 00545 transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 00546 { 00547 handshake->tls_prf = tls_prf_sha384; 00548 handshake->calc_verify = ssl_calc_verify_tls_sha384; 00549 handshake->calc_finished = ssl_calc_finished_tls_sha384; 00550 } 00551 else 00552 #endif 00553 #if defined(MBEDTLS_SHA256_C) 00554 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00555 { 00556 handshake->tls_prf = tls_prf_sha256; 00557 handshake->calc_verify = ssl_calc_verify_tls_sha256; 00558 handshake->calc_finished = ssl_calc_finished_tls_sha256; 00559 } 00560 else 00561 #endif 00562 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00563 { 00564 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00565 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00566 } 00567 00568 /* 00569 * SSLv3: 00570 * master = 00571 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) + 00572 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) + 00573 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) ) 00574 * 00575 * TLSv1+: 00576 * master = PRF( premaster, "master secret", randbytes )[0..47] 00577 */ 00578 if( handshake->resume == 0 ) 00579 { 00580 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster, 00581 handshake->pmslen ); 00582 00583 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00584 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED ) 00585 { 00586 unsigned char session_hash[48]; 00587 size_t hash_len; 00588 00589 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) ); 00590 00591 ssl->handshake->calc_verify( ssl, session_hash ); 00592 00593 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00594 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00595 { 00596 #if defined(MBEDTLS_SHA512_C) 00597 if( ssl->transform_negotiate->ciphersuite_info->mac == 00598 MBEDTLS_MD_SHA384 ) 00599 { 00600 hash_len = 48; 00601 } 00602 else 00603 #endif 00604 hash_len = 32; 00605 } 00606 else 00607 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00608 hash_len = 36; 00609 00610 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len ); 00611 00612 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00613 "extended master secret", 00614 session_hash, hash_len, 00615 session->master, 48 ); 00616 if( ret != 0 ) 00617 { 00618 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00619 return( ret ); 00620 } 00621 00622 } 00623 else 00624 #endif 00625 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00626 "master secret", 00627 handshake->randbytes, 64, 00628 session->master, 48 ); 00629 if( ret != 0 ) 00630 { 00631 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00632 return( ret ); 00633 } 00634 00635 mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) ); 00636 } 00637 else 00638 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) ); 00639 00640 /* 00641 * Swap the client and server random values. 00642 */ 00643 memcpy( tmp, handshake->randbytes, 64 ); 00644 memcpy( handshake->randbytes, tmp + 32, 32 ); 00645 memcpy( handshake->randbytes + 32, tmp, 32 ); 00646 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00647 00648 /* 00649 * SSLv3: 00650 * key block = 00651 * MD5( master + SHA1( 'A' + master + randbytes ) ) + 00652 * MD5( master + SHA1( 'BB' + master + randbytes ) ) + 00653 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) + 00654 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) + 00655 * ... 00656 * 00657 * TLSv1: 00658 * key block = PRF( master, "key expansion", randbytes ) 00659 */ 00660 ret = handshake->tls_prf( session->master, 48, "key expansion", 00661 handshake->randbytes, 64, keyblk, 256 ); 00662 if( ret != 0 ) 00663 { 00664 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00665 return( ret ); 00666 } 00667 00668 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", 00669 mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) ); 00670 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 ); 00671 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 ); 00672 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 ); 00673 00674 mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) ); 00675 00676 /* 00677 * Determine the appropriate key, IV and MAC length. 00678 */ 00679 00680 transform->keylen = cipher_info->key_bitlen / 8; 00681 00682 if( cipher_info->mode == MBEDTLS_MODE_GCM || 00683 cipher_info->mode == MBEDTLS_MODE_CCM ) 00684 { 00685 transform->maclen = 0; 00686 00687 transform->ivlen = 12; 00688 transform->fixed_ivlen = 4; 00689 00690 /* Minimum length is expicit IV + tag */ 00691 transform->minlen = transform->ivlen - transform->fixed_ivlen 00692 + ( transform->ciphersuite_info->flags & 00693 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 ); 00694 } 00695 else 00696 { 00697 /* Initialize HMAC contexts */ 00698 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 || 00699 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 ) 00700 { 00701 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 00702 return( ret ); 00703 } 00704 00705 /* Get MAC length */ 00706 transform->maclen = mbedtls_md_get_size( md_info ); 00707 00708 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00709 /* 00710 * If HMAC is to be truncated, we shall keep the leftmost bytes, 00711 * (rfc 6066 page 13 or rfc 2104 section 4), 00712 * so we only need to adjust the length here. 00713 */ 00714 if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00715 transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN; 00716 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00717 00718 /* IV length */ 00719 transform->ivlen = cipher_info->iv_size; 00720 00721 /* Minimum length */ 00722 if( cipher_info->mode == MBEDTLS_MODE_STREAM ) 00723 transform->minlen = transform->maclen; 00724 else 00725 { 00726 /* 00727 * GenericBlockCipher: 00728 * 1. if EtM is in use: one block plus MAC 00729 * otherwise: * first multiple of blocklen greater than maclen 00730 * 2. IV except for SSL3 and TLS 1.0 00731 */ 00732 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00733 if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 00734 { 00735 transform->minlen = transform->maclen 00736 + cipher_info->block_size; 00737 } 00738 else 00739 #endif 00740 { 00741 transform->minlen = transform->maclen 00742 + cipher_info->block_size 00743 - transform->maclen % cipher_info->block_size; 00744 } 00745 00746 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 00747 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 00748 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 ) 00749 ; /* No need to adjust minlen */ 00750 else 00751 #endif 00752 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 00753 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 || 00754 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00755 { 00756 transform->minlen += transform->ivlen; 00757 } 00758 else 00759 #endif 00760 { 00761 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00762 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00763 } 00764 } 00765 } 00766 00767 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d", 00768 transform->keylen, transform->minlen, transform->ivlen, 00769 transform->maclen ) ); 00770 00771 /* 00772 * Finally setup the cipher contexts, IVs and MAC secrets. 00773 */ 00774 #if defined(MBEDTLS_SSL_CLI_C) 00775 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 00776 { 00777 key1 = keyblk + transform->maclen * 2; 00778 key2 = keyblk + transform->maclen * 2 + transform->keylen; 00779 00780 mac_enc = keyblk; 00781 mac_dec = keyblk + transform->maclen; 00782 00783 /* 00784 * This is not used in TLS v1.1. 00785 */ 00786 iv_copy_len = ( transform->fixed_ivlen ) ? 00787 transform->fixed_ivlen : transform->ivlen; 00788 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len ); 00789 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len, 00790 iv_copy_len ); 00791 } 00792 else 00793 #endif /* MBEDTLS_SSL_CLI_C */ 00794 #if defined(MBEDTLS_SSL_SRV_C) 00795 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 00796 { 00797 key1 = keyblk + transform->maclen * 2 + transform->keylen; 00798 key2 = keyblk + transform->maclen * 2; 00799 00800 mac_enc = keyblk + transform->maclen; 00801 mac_dec = keyblk; 00802 00803 /* 00804 * This is not used in TLS v1.1. 00805 */ 00806 iv_copy_len = ( transform->fixed_ivlen ) ? 00807 transform->fixed_ivlen : transform->ivlen; 00808 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len ); 00809 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len, 00810 iv_copy_len ); 00811 } 00812 else 00813 #endif /* MBEDTLS_SSL_SRV_C */ 00814 { 00815 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00816 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00817 } 00818 00819 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00820 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00821 { 00822 if( transform->maclen > sizeof transform->mac_enc ) 00823 { 00824 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00825 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00826 } 00827 00828 memcpy( transform->mac_enc, mac_enc, transform->maclen ); 00829 memcpy( transform->mac_dec, mac_dec, transform->maclen ); 00830 } 00831 else 00832 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00833 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 00834 defined(MBEDTLS_SSL_PROTO_TLS1_2) 00835 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 00836 { 00837 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen ); 00838 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen ); 00839 } 00840 else 00841 #endif 00842 { 00843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00844 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00845 } 00846 00847 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00848 if( mbedtls_ssl_hw_record_init != NULL ) 00849 { 00850 int ret = 0; 00851 00852 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) ); 00853 00854 if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen, 00855 transform->iv_enc, transform->iv_dec, 00856 iv_copy_len, 00857 mac_enc, mac_dec, 00858 transform->maclen ) ) != 0 ) 00859 { 00860 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret ); 00861 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 00862 } 00863 } 00864 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00865 00866 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 00867 if( ssl->conf->f_export_keys != NULL ) 00868 { 00869 ssl->conf->f_export_keys( ssl->conf->p_export_keys, 00870 session->master, keyblk, 00871 transform->maclen, transform->keylen, 00872 iv_copy_len ); 00873 } 00874 #endif 00875 00876 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, 00877 cipher_info ) ) != 0 ) 00878 { 00879 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00880 return( ret ); 00881 } 00882 00883 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec, 00884 cipher_info ) ) != 0 ) 00885 { 00886 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00887 return( ret ); 00888 } 00889 00890 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1, 00891 cipher_info->key_bitlen, 00892 MBEDTLS_ENCRYPT ) ) != 0 ) 00893 { 00894 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00895 return( ret ); 00896 } 00897 00898 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2, 00899 cipher_info->key_bitlen, 00900 MBEDTLS_DECRYPT ) ) != 0 ) 00901 { 00902 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00903 return( ret ); 00904 } 00905 00906 #if defined(MBEDTLS_CIPHER_MODE_CBC) 00907 if( cipher_info->mode == MBEDTLS_MODE_CBC ) 00908 { 00909 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc, 00910 MBEDTLS_PADDING_NONE ) ) != 0 ) 00911 { 00912 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00913 return( ret ); 00914 } 00915 00916 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec, 00917 MBEDTLS_PADDING_NONE ) ) != 0 ) 00918 { 00919 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00920 return( ret ); 00921 } 00922 } 00923 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 00924 00925 mbedtls_zeroize( keyblk, sizeof( keyblk ) ); 00926 00927 #if defined(MBEDTLS_ZLIB_SUPPORT) 00928 // Initialize compression 00929 // 00930 if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 00931 { 00932 if( ssl->compress_buf == NULL ) 00933 { 00934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) ); 00935 ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN ); 00936 if( ssl->compress_buf == NULL ) 00937 { 00938 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 00939 MBEDTLS_SSL_BUFFER_LEN ) ); 00940 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00941 } 00942 } 00943 00944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) ); 00945 00946 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) ); 00947 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) ); 00948 00949 if( deflateInit( &transform->ctx_deflate, 00950 Z_DEFAULT_COMPRESSION ) != Z_OK || 00951 inflateInit( &transform->ctx_inflate ) != Z_OK ) 00952 { 00953 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) ); 00954 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 00955 } 00956 } 00957 #endif /* MBEDTLS_ZLIB_SUPPORT */ 00958 00959 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) ); 00960 00961 return( 0 ); 00962 } 00963 00964 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00965 void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 00966 { 00967 mbedtls_md5_context md5; 00968 mbedtls_sha1_context sha1; 00969 unsigned char pad_1[48]; 00970 unsigned char pad_2[48]; 00971 00972 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) ); 00973 00974 mbedtls_md5_init( &md5 ); 00975 mbedtls_sha1_init( &sha1 ); 00976 00977 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 00978 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 00979 00980 memset( pad_1, 0x36, 48 ); 00981 memset( pad_2, 0x5C, 48 ); 00982 00983 mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 ); 00984 mbedtls_md5_update( &md5, pad_1, 48 ); 00985 mbedtls_md5_finish( &md5, hash ); 00986 00987 mbedtls_md5_starts( &md5 ); 00988 mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 ); 00989 mbedtls_md5_update( &md5, pad_2, 48 ); 00990 mbedtls_md5_update( &md5, hash, 16 ); 00991 mbedtls_md5_finish( &md5, hash ); 00992 00993 mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 ); 00994 mbedtls_sha1_update( &sha1, pad_1, 40 ); 00995 mbedtls_sha1_finish( &sha1, hash + 16 ); 00996 00997 mbedtls_sha1_starts( &sha1 ); 00998 mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 ); 00999 mbedtls_sha1_update( &sha1, pad_2, 40 ); 01000 mbedtls_sha1_update( &sha1, hash + 16, 20 ); 01001 mbedtls_sha1_finish( &sha1, hash + 16 ); 01002 01003 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01004 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01005 01006 mbedtls_md5_free( &md5 ); 01007 mbedtls_sha1_free( &sha1 ); 01008 01009 return; 01010 } 01011 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01012 01013 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 01014 void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 01015 { 01016 mbedtls_md5_context md5; 01017 mbedtls_sha1_context sha1; 01018 01019 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) ); 01020 01021 mbedtls_md5_init( &md5 ); 01022 mbedtls_sha1_init( &sha1 ); 01023 01024 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 01025 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 01026 01027 mbedtls_md5_finish( &md5, hash ); 01028 mbedtls_sha1_finish( &sha1, hash + 16 ); 01029 01030 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01031 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01032 01033 mbedtls_md5_free( &md5 ); 01034 mbedtls_sha1_free( &sha1 ); 01035 01036 return; 01037 } 01038 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 01039 01040 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 01041 #if defined(MBEDTLS_SHA256_C) 01042 void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] ) 01043 { 01044 mbedtls_sha256_context sha256; 01045 01046 mbedtls_sha256_init( &sha256 ); 01047 01048 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) ); 01049 01050 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 01051 mbedtls_sha256_finish( &sha256, hash ); 01052 01053 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 ); 01054 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01055 01056 mbedtls_sha256_free( &sha256 ); 01057 01058 return; 01059 } 01060 #endif /* MBEDTLS_SHA256_C */ 01061 01062 #if defined(MBEDTLS_SHA512_C) 01063 void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] ) 01064 { 01065 mbedtls_sha512_context sha512; 01066 01067 mbedtls_sha512_init( &sha512 ); 01068 01069 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) ); 01070 01071 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 01072 mbedtls_sha512_finish( &sha512, hash ); 01073 01074 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 ); 01075 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01076 01077 mbedtls_sha512_free( &sha512 ); 01078 01079 return; 01080 } 01081 #endif /* MBEDTLS_SHA512_C */ 01082 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 01083 01084 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 01085 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ) 01086 { 01087 unsigned char *p = ssl->handshake->premaster; 01088 unsigned char *end = p + sizeof( ssl->handshake->premaster ); 01089 const unsigned char *psk = ssl->conf->psk; 01090 size_t psk_len = ssl->conf->psk_len; 01091 01092 /* If the psk callback was called, use its result */ 01093 if( ssl->handshake->psk != NULL ) 01094 { 01095 psk = ssl->handshake->psk; 01096 psk_len = ssl->handshake->psk_len; 01097 } 01098 01099 /* 01100 * PMS = struct { 01101 * opaque other_secret<0..2^16-1>; 01102 * opaque psk<0..2^16-1>; 01103 * }; 01104 * with "other_secret" depending on the particular key exchange 01105 */ 01106 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 01107 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK ) 01108 { 01109 if( end - p < 2 ) 01110 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01111 01112 *(p++) = (unsigned char)( psk_len >> 8 ); 01113 *(p++) = (unsigned char)( psk_len ); 01114 01115 if( end < p || (size_t)( end - p ) < psk_len ) 01116 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01117 01118 memset( p, 0, psk_len ); 01119 p += psk_len; 01120 } 01121 else 01122 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 01123 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 01124 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 01125 { 01126 /* 01127 * other_secret already set by the ClientKeyExchange message, 01128 * and is 48 bytes long 01129 */ 01130 *p++ = 0; 01131 *p++ = 48; 01132 p += 48; 01133 } 01134 else 01135 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 01136 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01137 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 01138 { 01139 int ret; 01140 size_t len; 01141 01142 /* Write length only when we know the actual value */ 01143 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 01144 p + 2, end - ( p + 2 ), &len, 01145 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01146 { 01147 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 01148 return( ret ); 01149 } 01150 *(p++) = (unsigned char)( len >> 8 ); 01151 *(p++) = (unsigned char)( len ); 01152 p += len; 01153 01154 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 01155 } 01156 else 01157 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01158 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01159 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 01160 { 01161 int ret; 01162 size_t zlen; 01163 01164 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen, 01165 p + 2, end - ( p + 2 ), 01166 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01167 { 01168 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 01169 return( ret ); 01170 } 01171 01172 *(p++) = (unsigned char)( zlen >> 8 ); 01173 *(p++) = (unsigned char)( zlen ); 01174 p += zlen; 01175 01176 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 01177 } 01178 else 01179 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01180 { 01181 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01182 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01183 } 01184 01185 /* opaque psk<0..2^16-1>; */ 01186 if( end - p < 2 ) 01187 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01188 01189 *(p++) = (unsigned char)( psk_len >> 8 ); 01190 *(p++) = (unsigned char)( psk_len ); 01191 01192 if( end < p || (size_t)( end - p ) < psk_len ) 01193 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01194 01195 memcpy( p, psk, psk_len ); 01196 p += psk_len; 01197 01198 ssl->handshake->pmslen = p - ssl->handshake->premaster; 01199 01200 return( 0 ); 01201 } 01202 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01203 01204 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01205 /* 01206 * SSLv3.0 MAC functions 01207 */ 01208 static void ssl_mac( mbedtls_md_context_t *md_ctx, unsigned char *secret, 01209 unsigned char *buf, size_t len, 01210 unsigned char *ctr, int type ) 01211 { 01212 unsigned char header[11]; 01213 unsigned char padding[48]; 01214 int padlen; 01215 int md_size = mbedtls_md_get_size( md_ctx->md_info ); 01216 int md_type = mbedtls_md_get_type( md_ctx->md_info ); 01217 01218 /* Only MD5 and SHA-1 supported */ 01219 if( md_type == MBEDTLS_MD_MD5 ) 01220 padlen = 48; 01221 else 01222 padlen = 40; 01223 01224 memcpy( header, ctr, 8 ); 01225 header[ 8] = (unsigned char) type; 01226 header[ 9] = (unsigned char)( len >> 8 ); 01227 header[10] = (unsigned char)( len ); 01228 01229 memset( padding, 0x36, padlen ); 01230 mbedtls_md_starts( md_ctx ); 01231 mbedtls_md_update( md_ctx, secret, md_size ); 01232 mbedtls_md_update( md_ctx, padding, padlen ); 01233 mbedtls_md_update( md_ctx, header, 11 ); 01234 mbedtls_md_update( md_ctx, buf, len ); 01235 mbedtls_md_finish( md_ctx, buf + len ); 01236 01237 memset( padding, 0x5C, padlen ); 01238 mbedtls_md_starts( md_ctx ); 01239 mbedtls_md_update( md_ctx, secret, md_size ); 01240 mbedtls_md_update( md_ctx, padding, padlen ); 01241 mbedtls_md_update( md_ctx, buf + len, md_size ); 01242 mbedtls_md_finish( md_ctx, buf + len ); 01243 } 01244 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01245 01246 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ 01247 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01248 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) ) 01249 #define SSL_SOME_MODES_USE_MAC 01250 #endif 01251 01252 /* 01253 * Encryption/decryption functions 01254 */ 01255 static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) 01256 { 01257 mbedtls_cipher_mode_t mode; 01258 int auth_done = 0; 01259 01260 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) ); 01261 01262 if( ssl->session_out == NULL || ssl->transform_out == NULL ) 01263 { 01264 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01265 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01266 } 01267 01268 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ); 01269 01270 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", 01271 ssl->out_msg, ssl->out_msglen ); 01272 01273 /* 01274 * Add MAC before if needed 01275 */ 01276 #if defined(SSL_SOME_MODES_USE_MAC) 01277 if( mode == MBEDTLS_MODE_STREAM || 01278 ( mode == MBEDTLS_MODE_CBC 01279 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01280 && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED 01281 #endif 01282 ) ) 01283 { 01284 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01285 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01286 { 01287 ssl_mac( &ssl->transform_out->md_ctx_enc, 01288 ssl->transform_out->mac_enc, 01289 ssl->out_msg, ssl->out_msglen, 01290 ssl->out_ctr, ssl->out_msgtype ); 01291 } 01292 else 01293 #endif 01294 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01295 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01296 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 01297 { 01298 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 ); 01299 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 ); 01300 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 ); 01301 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01302 ssl->out_msg, ssl->out_msglen ); 01303 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, 01304 ssl->out_msg + ssl->out_msglen ); 01305 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01306 } 01307 else 01308 #endif 01309 { 01310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01311 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01312 } 01313 01314 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", 01315 ssl->out_msg + ssl->out_msglen, 01316 ssl->transform_out->maclen ); 01317 01318 ssl->out_msglen += ssl->transform_out->maclen; 01319 auth_done++; 01320 } 01321 #endif /* AEAD not the only option */ 01322 01323 /* 01324 * Encrypt 01325 */ 01326 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01327 if( mode == MBEDTLS_MODE_STREAM ) 01328 { 01329 int ret; 01330 size_t olen = 0; 01331 01332 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01333 "including %d bytes of padding", 01334 ssl->out_msglen, 0 ) ); 01335 01336 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01337 ssl->transform_out->iv_enc, 01338 ssl->transform_out->ivlen, 01339 ssl->out_msg, ssl->out_msglen, 01340 ssl->out_msg, &olen ) ) != 0 ) 01341 { 01342 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01343 return( ret ); 01344 } 01345 01346 if( ssl->out_msglen != olen ) 01347 { 01348 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01349 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01350 } 01351 } 01352 else 01353 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01354 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01355 if( mode == MBEDTLS_MODE_GCM || 01356 mode == MBEDTLS_MODE_CCM ) 01357 { 01358 int ret; 01359 size_t enc_msglen, olen; 01360 unsigned char *enc_msg; 01361 unsigned char add_data[13]; 01362 unsigned char taglen = ssl->transform_out->ciphersuite_info->flags & 01363 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01364 01365 memcpy( add_data, ssl->out_ctr, 8 ); 01366 add_data[8] = ssl->out_msgtype; 01367 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01368 ssl->conf->transport, add_data + 9 ); 01369 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF; 01370 add_data[12] = ssl->out_msglen & 0xFF; 01371 01372 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01373 add_data, 13 ); 01374 01375 /* 01376 * Generate IV 01377 */ 01378 #if defined(MBEDTLS_SSL_AEAD_RANDOM_IV) 01379 ret = ssl->conf->f_rng( ssl->conf->p_rng, 01380 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01381 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01382 if( ret != 0 ) 01383 return( ret ); 01384 01385 memcpy( ssl->out_iv, 01386 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01387 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01388 #else 01389 if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 ) 01390 { 01391 /* Reminder if we ever add an AEAD mode with a different size */ 01392 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01393 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01394 } 01395 01396 memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01397 ssl->out_ctr, 8 ); 01398 memcpy( ssl->out_iv, ssl->out_ctr, 8 ); 01399 #endif 01400 01401 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv, 01402 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01403 01404 /* 01405 * Fix pointer positions and message length with added IV 01406 */ 01407 enc_msg = ssl->out_msg; 01408 enc_msglen = ssl->out_msglen; 01409 ssl->out_msglen += ssl->transform_out->ivlen - 01410 ssl->transform_out->fixed_ivlen; 01411 01412 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01413 "including %d bytes of padding", 01414 ssl->out_msglen, 0 ) ); 01415 01416 /* 01417 * Encrypt and authenticate 01418 */ 01419 if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc, 01420 ssl->transform_out->iv_enc, 01421 ssl->transform_out->ivlen, 01422 add_data, 13, 01423 enc_msg, enc_msglen, 01424 enc_msg, &olen, 01425 enc_msg + enc_msglen, taglen ) ) != 0 ) 01426 { 01427 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret ); 01428 return( ret ); 01429 } 01430 01431 if( olen != enc_msglen ) 01432 { 01433 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01434 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01435 } 01436 01437 ssl->out_msglen += taglen; 01438 auth_done++; 01439 01440 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen ); 01441 } 01442 else 01443 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01444 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01445 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) 01446 if( mode == MBEDTLS_MODE_CBC ) 01447 { 01448 int ret; 01449 unsigned char *enc_msg; 01450 size_t enc_msglen, padlen, olen = 0, i; 01451 01452 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) % 01453 ssl->transform_out->ivlen; 01454 if( padlen == ssl->transform_out->ivlen ) 01455 padlen = 0; 01456 01457 for( i = 0; i <= padlen; i++ ) 01458 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen; 01459 01460 ssl->out_msglen += padlen + 1; 01461 01462 enc_msglen = ssl->out_msglen; 01463 enc_msg = ssl->out_msg; 01464 01465 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01466 /* 01467 * Prepend per-record IV for block cipher in TLS v1.1 and up as per 01468 * Method 1 (6.2.3.2. in RFC4346 and RFC5246) 01469 */ 01470 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01471 { 01472 /* 01473 * Generate IV 01474 */ 01475 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc, 01476 ssl->transform_out->ivlen ); 01477 if( ret != 0 ) 01478 return( ret ); 01479 01480 memcpy( ssl->out_iv, ssl->transform_out->iv_enc, 01481 ssl->transform_out->ivlen ); 01482 01483 /* 01484 * Fix pointer positions and message length with added IV 01485 */ 01486 enc_msg = ssl->out_msg; 01487 enc_msglen = ssl->out_msglen; 01488 ssl->out_msglen += ssl->transform_out->ivlen; 01489 } 01490 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01491 01492 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01493 "including %d bytes of IV and %d bytes of padding", 01494 ssl->out_msglen, ssl->transform_out->ivlen, 01495 padlen + 1 ) ); 01496 01497 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01498 ssl->transform_out->iv_enc, 01499 ssl->transform_out->ivlen, 01500 enc_msg, enc_msglen, 01501 enc_msg, &olen ) ) != 0 ) 01502 { 01503 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01504 return( ret ); 01505 } 01506 01507 if( enc_msglen != olen ) 01508 { 01509 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01510 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01511 } 01512 01513 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01514 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01515 { 01516 /* 01517 * Save IV in SSL3 and TLS1 01518 */ 01519 memcpy( ssl->transform_out->iv_enc, 01520 ssl->transform_out->cipher_ctx_enc.iv, 01521 ssl->transform_out->ivlen ); 01522 } 01523 #endif 01524 01525 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01526 if( auth_done == 0 ) 01527 { 01528 /* 01529 * MAC(MAC_write_key, seq_num + 01530 * TLSCipherText.type + 01531 * TLSCipherText.version + 01532 * length_of( (IV +) ENC(...) ) + 01533 * IV + // except for TLS 1.0 01534 * ENC(content + padding + padding_length)); 01535 */ 01536 unsigned char pseudo_hdr[13]; 01537 01538 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01539 01540 memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 ); 01541 memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 ); 01542 pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF ); 01543 pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF ); 01544 01545 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01546 01547 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 ); 01548 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01549 ssl->out_iv, ssl->out_msglen ); 01550 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, 01551 ssl->out_iv + ssl->out_msglen ); 01552 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01553 01554 ssl->out_msglen += ssl->transform_out->maclen; 01555 auth_done++; 01556 } 01557 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01558 } 01559 else 01560 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01561 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ 01562 { 01563 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01564 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01565 } 01566 01567 /* Make extra sure authentication was performed, exactly once */ 01568 if( auth_done != 1 ) 01569 { 01570 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01571 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01572 } 01573 01574 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); 01575 01576 return( 0 ); 01577 } 01578 01579 #define SSL_MAX_MAC_SIZE 48 01580 01581 static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) 01582 { 01583 size_t i; 01584 mbedtls_cipher_mode_t mode; 01585 int auth_done = 0; 01586 #if defined(SSL_SOME_MODES_USE_MAC) 01587 size_t padlen = 0, correct = 1; 01588 #endif 01589 01590 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); 01591 01592 if( ssl->session_in == NULL || ssl->transform_in == NULL ) 01593 { 01594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01595 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01596 } 01597 01598 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec ); 01599 01600 if( ssl->in_msglen < ssl->transform_in->minlen ) 01601 { 01602 MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)", 01603 ssl->in_msglen, ssl->transform_in->minlen ) ); 01604 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01605 } 01606 01607 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01608 if( mode == MBEDTLS_MODE_STREAM ) 01609 { 01610 int ret; 01611 size_t olen = 0; 01612 01613 padlen = 0; 01614 01615 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01616 ssl->transform_in->iv_dec, 01617 ssl->transform_in->ivlen, 01618 ssl->in_msg, ssl->in_msglen, 01619 ssl->in_msg, &olen ) ) != 0 ) 01620 { 01621 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01622 return( ret ); 01623 } 01624 01625 if( ssl->in_msglen != olen ) 01626 { 01627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01628 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01629 } 01630 } 01631 else 01632 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01633 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01634 if( mode == MBEDTLS_MODE_GCM || 01635 mode == MBEDTLS_MODE_CCM ) 01636 { 01637 int ret; 01638 size_t dec_msglen, olen; 01639 unsigned char *dec_msg; 01640 unsigned char *dec_msg_result; 01641 unsigned char add_data[13]; 01642 unsigned char taglen = ssl->transform_in->ciphersuite_info->flags & 01643 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01644 size_t explicit_iv_len = ssl->transform_in->ivlen - 01645 ssl->transform_in->fixed_ivlen; 01646 01647 if( ssl->in_msglen < explicit_iv_len + taglen ) 01648 { 01649 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) " 01650 "+ taglen (%d)", ssl->in_msglen, 01651 explicit_iv_len, taglen ) ); 01652 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01653 } 01654 dec_msglen = ssl->in_msglen - explicit_iv_len - taglen; 01655 01656 dec_msg = ssl->in_msg; 01657 dec_msg_result = ssl->in_msg; 01658 ssl->in_msglen = dec_msglen; 01659 01660 memcpy( add_data, ssl->in_ctr, 8 ); 01661 add_data[8] = ssl->in_msgtype; 01662 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01663 ssl->conf->transport, add_data + 9 ); 01664 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF; 01665 add_data[12] = ssl->in_msglen & 0xFF; 01666 01667 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01668 add_data, 13 ); 01669 01670 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen, 01671 ssl->in_iv, 01672 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen ); 01673 01674 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec, 01675 ssl->transform_in->ivlen ); 01676 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen ); 01677 01678 /* 01679 * Decrypt and authenticate 01680 */ 01681 if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec, 01682 ssl->transform_in->iv_dec, 01683 ssl->transform_in->ivlen, 01684 add_data, 13, 01685 dec_msg, dec_msglen, 01686 dec_msg_result, &olen, 01687 dec_msg + dec_msglen, taglen ) ) != 0 ) 01688 { 01689 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret ); 01690 01691 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) 01692 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01693 01694 return( ret ); 01695 } 01696 auth_done++; 01697 01698 if( olen != dec_msglen ) 01699 { 01700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01701 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01702 } 01703 } 01704 else 01705 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01706 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01707 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) 01708 if( mode == MBEDTLS_MODE_CBC ) 01709 { 01710 /* 01711 * Decrypt and check the padding 01712 */ 01713 int ret; 01714 unsigned char *dec_msg; 01715 unsigned char *dec_msg_result; 01716 size_t dec_msglen; 01717 size_t minlen = 0; 01718 size_t olen = 0; 01719 01720 /* 01721 * Check immediate ciphertext sanity 01722 */ 01723 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01724 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01725 minlen += ssl->transform_in->ivlen; 01726 #endif 01727 01728 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen || 01729 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 ) 01730 { 01731 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) " 01732 "+ 1 ) ( + expl IV )", ssl->in_msglen, 01733 ssl->transform_in->ivlen, 01734 ssl->transform_in->maclen ) ); 01735 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01736 } 01737 01738 dec_msglen = ssl->in_msglen; 01739 dec_msg = ssl->in_msg; 01740 dec_msg_result = ssl->in_msg; 01741 01742 /* 01743 * Authenticate before decrypt if enabled 01744 */ 01745 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01746 if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 01747 { 01748 unsigned char computed_mac[SSL_MAX_MAC_SIZE]; 01749 unsigned char pseudo_hdr[13]; 01750 01751 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01752 01753 dec_msglen -= ssl->transform_in->maclen; 01754 ssl->in_msglen -= ssl->transform_in->maclen; 01755 01756 memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 ); 01757 memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 ); 01758 pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF ); 01759 pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF ); 01760 01761 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01762 01763 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 ); 01764 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, 01765 ssl->in_iv, ssl->in_msglen ); 01766 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac ); 01767 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 01768 01769 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen, 01770 ssl->transform_in->maclen ); 01771 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", computed_mac, 01772 ssl->transform_in->maclen ); 01773 01774 if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac, 01775 ssl->transform_in->maclen ) != 0 ) 01776 { 01777 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 01778 01779 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01780 } 01781 auth_done++; 01782 } 01783 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01784 01785 /* 01786 * Check length sanity 01787 */ 01788 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 ) 01789 { 01790 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0", 01791 ssl->in_msglen, ssl->transform_in->ivlen ) ); 01792 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01793 } 01794 01795 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01796 /* 01797 * Initialize for prepended IV for block cipher in TLS v1.1 and up 01798 */ 01799 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01800 { 01801 dec_msglen -= ssl->transform_in->ivlen; 01802 ssl->in_msglen -= ssl->transform_in->ivlen; 01803 01804 for( i = 0; i < ssl->transform_in->ivlen; i++ ) 01805 ssl->transform_in->iv_dec[i] = ssl->in_iv[i]; 01806 } 01807 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01808 01809 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01810 ssl->transform_in->iv_dec, 01811 ssl->transform_in->ivlen, 01812 dec_msg, dec_msglen, 01813 dec_msg_result, &olen ) ) != 0 ) 01814 { 01815 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01816 return( ret ); 01817 } 01818 01819 if( dec_msglen != olen ) 01820 { 01821 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01822 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01823 } 01824 01825 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01826 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01827 { 01828 /* 01829 * Save IV in SSL3 and TLS1 01830 */ 01831 memcpy( ssl->transform_in->iv_dec, 01832 ssl->transform_in->cipher_ctx_dec.iv, 01833 ssl->transform_in->ivlen ); 01834 } 01835 #endif 01836 01837 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1]; 01838 01839 if( ssl->in_msglen < ssl->transform_in->maclen + padlen && 01840 auth_done == 0 ) 01841 { 01842 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)", 01844 ssl->in_msglen, ssl->transform_in->maclen, padlen ) ); 01845 #endif 01846 padlen = 0; 01847 correct = 0; 01848 } 01849 01850 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01851 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01852 { 01853 if( padlen > ssl->transform_in->ivlen ) 01854 { 01855 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01856 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, " 01857 "should be no more than %d", 01858 padlen, ssl->transform_in->ivlen ) ); 01859 #endif 01860 correct = 0; 01861 } 01862 } 01863 else 01864 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01865 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01866 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01867 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01868 { 01869 /* 01870 * TLSv1+: always check the padding up to the first failure 01871 * and fake check up to 256 bytes of padding 01872 */ 01873 size_t pad_count = 0, real_count = 1; 01874 size_t padding_idx = ssl->in_msglen - padlen - 1; 01875 01876 /* 01877 * Padding is guaranteed to be incorrect if: 01878 * 1. padlen >= ssl->in_msglen 01879 * 01880 * 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN + 01881 * ssl->transform_in->maclen 01882 * 01883 * In both cases we reset padding_idx to a safe value (0) to 01884 * prevent out-of-buffer reads. 01885 */ 01886 correct &= ( ssl->in_msglen >= padlen + 1 ); 01887 correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN + 01888 ssl->transform_in->maclen ); 01889 01890 padding_idx *= correct; 01891 01892 for( i = 1; i <= 256; i++ ) 01893 { 01894 real_count &= ( i <= padlen ); 01895 pad_count += real_count * 01896 ( ssl->in_msg[padding_idx + i] == padlen - 1 ); 01897 } 01898 01899 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */ 01900 01901 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01902 if( padlen > 0 && correct == 0 ) 01903 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); 01904 #endif 01905 padlen &= correct * 0x1FF; 01906 } 01907 else 01908 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 01909 MBEDTLS_SSL_PROTO_TLS1_2 */ 01910 { 01911 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01912 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01913 } 01914 01915 ssl->in_msglen -= padlen; 01916 } 01917 else 01918 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01919 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ 01920 { 01921 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01922 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01923 } 01924 01925 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption", 01926 ssl->in_msg, ssl->in_msglen ); 01927 01928 /* 01929 * Authenticate if not done yet. 01930 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME). 01931 */ 01932 #if defined(SSL_SOME_MODES_USE_MAC) 01933 if( auth_done == 0 ) 01934 { 01935 unsigned char tmp[SSL_MAX_MAC_SIZE]; 01936 01937 ssl->in_msglen -= ssl->transform_in->maclen; 01938 01939 ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 ); 01940 ssl->in_len[1] = (unsigned char)( ssl->in_msglen ); 01941 01942 memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen ); 01943 01944 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01945 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01946 { 01947 ssl_mac( &ssl->transform_in->md_ctx_dec, 01948 ssl->transform_in->mac_dec, 01949 ssl->in_msg, ssl->in_msglen, 01950 ssl->in_ctr, ssl->in_msgtype ); 01951 } 01952 else 01953 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01954 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01955 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01956 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01957 { 01958 /* 01959 * Process MAC and always update for padlen afterwards to make 01960 * total time independent of padlen 01961 * 01962 * extra_run compensates MAC check for padlen 01963 * 01964 * Known timing attacks: 01965 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf) 01966 * 01967 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values 01968 * correctly. (We round down instead of up, so -56 is the correct 01969 * value for our calculations instead of -55) 01970 */ 01971 size_t j, extra_run = 0; 01972 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 - 01973 ( 13 + ssl->in_msglen + 8 ) / 64; 01974 01975 extra_run &= correct * 0xFF; 01976 01977 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 ); 01978 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 ); 01979 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 ); 01980 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg, 01981 ssl->in_msglen ); 01982 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, 01983 ssl->in_msg + ssl->in_msglen ); 01984 /* Call mbedtls_md_process at least once due to cache attacks */ 01985 for( j = 0; j < extra_run + 1; j++ ) 01986 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg ); 01987 01988 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 01989 } 01990 else 01991 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 01992 MBEDTLS_SSL_PROTO_TLS1_2 */ 01993 { 01994 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01995 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01996 } 01997 01998 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen ); 01999 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen, 02000 ssl->transform_in->maclen ); 02001 02002 if( mbedtls_ssl_safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen, 02003 ssl->transform_in->maclen ) != 0 ) 02004 { 02005 #if defined(MBEDTLS_SSL_DEBUG_ALL) 02006 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 02007 #endif 02008 correct = 0; 02009 } 02010 auth_done++; 02011 02012 /* 02013 * Finally check the correct flag 02014 */ 02015 if( correct == 0 ) 02016 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02017 } 02018 #endif /* SSL_SOME_MODES_USE_MAC */ 02019 02020 /* Make extra sure authentication was performed, exactly once */ 02021 if( auth_done != 1 ) 02022 { 02023 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02024 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02025 } 02026 02027 if( ssl->in_msglen == 0 ) 02028 { 02029 ssl->nb_zero++; 02030 02031 /* 02032 * Three or more empty messages may be a DoS attack 02033 * (excessive CPU consumption). 02034 */ 02035 if( ssl->nb_zero > 3 ) 02036 { 02037 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty " 02038 "messages, possible DoS attack" ) ); 02039 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02040 } 02041 } 02042 else 02043 ssl->nb_zero = 0; 02044 02045 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02046 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02047 { 02048 ; /* in_ctr read from peer, not maintained internally */ 02049 } 02050 else 02051 #endif 02052 { 02053 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02054 if( ++ssl->in_ctr[i - 1] != 0 ) 02055 break; 02056 02057 /* The loop goes to its end iff the counter is wrapping */ 02058 if( i == ssl_ep_len( ssl ) ) 02059 { 02060 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); 02061 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02062 } 02063 } 02064 02065 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); 02066 02067 return( 0 ); 02068 } 02069 02070 #undef MAC_NONE 02071 #undef MAC_PLAINTEXT 02072 #undef MAC_CIPHERTEXT 02073 02074 #if defined(MBEDTLS_ZLIB_SUPPORT) 02075 /* 02076 * Compression/decompression functions 02077 */ 02078 static int ssl_compress_buf( mbedtls_ssl_context *ssl ) 02079 { 02080 int ret; 02081 unsigned char *msg_post = ssl->out_msg; 02082 size_t len_pre = ssl->out_msglen; 02083 unsigned char *msg_pre = ssl->compress_buf; 02084 02085 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) ); 02086 02087 if( len_pre == 0 ) 02088 return( 0 ); 02089 02090 memcpy( msg_pre, ssl->out_msg, len_pre ); 02091 02092 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ", 02093 ssl->out_msglen ) ); 02094 02095 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload", 02096 ssl->out_msg, ssl->out_msglen ); 02097 02098 ssl->transform_out->ctx_deflate.next_in = msg_pre; 02099 ssl->transform_out->ctx_deflate.avail_in = len_pre; 02100 ssl->transform_out->ctx_deflate.next_out = msg_post; 02101 ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN; 02102 02103 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH ); 02104 if( ret != Z_OK ) 02105 { 02106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) ); 02107 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02108 } 02109 02110 ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN - 02111 ssl->transform_out->ctx_deflate.avail_out; 02112 02113 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ", 02114 ssl->out_msglen ) ); 02115 02116 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload", 02117 ssl->out_msg, ssl->out_msglen ); 02118 02119 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) ); 02120 02121 return( 0 ); 02122 } 02123 02124 static int ssl_decompress_buf( mbedtls_ssl_context *ssl ) 02125 { 02126 int ret; 02127 unsigned char *msg_post = ssl->in_msg; 02128 size_t len_pre = ssl->in_msglen; 02129 unsigned char *msg_pre = ssl->compress_buf; 02130 02131 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) ); 02132 02133 if( len_pre == 0 ) 02134 return( 0 ); 02135 02136 memcpy( msg_pre, ssl->in_msg, len_pre ); 02137 02138 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ", 02139 ssl->in_msglen ) ); 02140 02141 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload", 02142 ssl->in_msg, ssl->in_msglen ); 02143 02144 ssl->transform_in->ctx_inflate.next_in = msg_pre; 02145 ssl->transform_in->ctx_inflate.avail_in = len_pre; 02146 ssl->transform_in->ctx_inflate.next_out = msg_post; 02147 ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_MAX_CONTENT_LEN; 02148 02149 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH ); 02150 if( ret != Z_OK ) 02151 { 02152 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) ); 02153 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02154 } 02155 02156 ssl->in_msglen = MBEDTLS_SSL_MAX_CONTENT_LEN - 02157 ssl->transform_in->ctx_inflate.avail_out; 02158 02159 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ", 02160 ssl->in_msglen ) ); 02161 02162 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload", 02163 ssl->in_msg, ssl->in_msglen ); 02164 02165 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) ); 02166 02167 return( 0 ); 02168 } 02169 #endif /* MBEDTLS_ZLIB_SUPPORT */ 02170 02171 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02172 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ); 02173 02174 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02175 static int ssl_resend_hello_request( mbedtls_ssl_context *ssl ) 02176 { 02177 /* If renegotiation is not enforced, retransmit until we would reach max 02178 * timeout if we were using the usual handshake doubling scheme */ 02179 if( ssl->conf->renego_max_records < 0 ) 02180 { 02181 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; 02182 unsigned char doublings = 1; 02183 02184 while( ratio != 0 ) 02185 { 02186 ++doublings; 02187 ratio >>= 1; 02188 } 02189 02190 if( ++ssl->renego_records_seen > doublings ) 02191 { 02192 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) ); 02193 return( 0 ); 02194 } 02195 } 02196 02197 return( ssl_write_hello_request( ssl ) ); 02198 } 02199 #endif 02200 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02201 02202 /* 02203 * Fill the input message buffer by appending data to it. 02204 * The amount of data already fetched is in ssl->in_left. 02205 * 02206 * If we return 0, is it guaranteed that (at least) nb_want bytes are 02207 * available (from this read and/or a previous one). Otherwise, an error code 02208 * is returned (possibly EOF or WANT_READ). 02209 * 02210 * With stream transport (TLS) on success ssl->in_left == nb_want, but 02211 * with datagram transport (DTLS) on success ssl->in_left >= nb_want, 02212 * since we always read a whole datagram at once. 02213 * 02214 * For DTLS, it is up to the caller to set ssl->next_record_offset when 02215 * they're done reading a record. 02216 */ 02217 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) 02218 { 02219 int ret; 02220 size_t len; 02221 02222 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) ); 02223 02224 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) 02225 { 02226 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02227 "or mbedtls_ssl_set_bio()" ) ); 02228 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02229 } 02230 02231 if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) ) 02232 { 02233 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) ); 02234 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02235 } 02236 02237 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02238 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02239 { 02240 uint32_t timeout; 02241 02242 /* Just to be sure */ 02243 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) 02244 { 02245 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use " 02246 "mbedtls_ssl_set_timer_cb() for DTLS" ) ); 02247 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02248 } 02249 02250 /* 02251 * The point is, we need to always read a full datagram at once, so we 02252 * sometimes read more then requested, and handle the additional data. 02253 * It could be the rest of the current record (while fetching the 02254 * header) and/or some other records in the same datagram. 02255 */ 02256 02257 /* 02258 * Move to the next record in the already read datagram if applicable 02259 */ 02260 if( ssl->next_record_offset != 0 ) 02261 { 02262 if( ssl->in_left < ssl->next_record_offset ) 02263 { 02264 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02265 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02266 } 02267 02268 ssl->in_left -= ssl->next_record_offset; 02269 02270 if( ssl->in_left != 0 ) 02271 { 02272 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d", 02273 ssl->next_record_offset ) ); 02274 memmove( ssl->in_hdr, 02275 ssl->in_hdr + ssl->next_record_offset, 02276 ssl->in_left ); 02277 } 02278 02279 ssl->next_record_offset = 0; 02280 } 02281 02282 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02283 ssl->in_left, nb_want ) ); 02284 02285 /* 02286 * Done if we already have enough data. 02287 */ 02288 if( nb_want <= ssl->in_left) 02289 { 02290 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02291 return( 0 ); 02292 } 02293 02294 /* 02295 * A record can't be split accross datagrams. If we need to read but 02296 * are not at the beginning of a new record, the caller did something 02297 * wrong. 02298 */ 02299 if( ssl->in_left != 0 ) 02300 { 02301 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02302 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02303 } 02304 02305 /* 02306 * Don't even try to read if time's out already. 02307 * This avoids by-passing the timer when repeatedly receiving messages 02308 * that will end up being dropped. 02309 */ 02310 if( ssl_check_timer( ssl ) != 0 ) 02311 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02312 else 02313 { 02314 len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf ); 02315 02316 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02317 timeout = ssl->handshake->retransmit_timeout; 02318 else 02319 timeout = ssl->conf->read_timeout; 02320 02321 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) ); 02322 02323 if( ssl->f_recv_timeout != NULL ) 02324 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len, 02325 timeout ); 02326 else 02327 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len ); 02328 02329 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02330 02331 if( ret == 0 ) 02332 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02333 } 02334 02335 if( ret == MBEDTLS_ERR_SSL_TIMEOUT ) 02336 { 02337 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); 02338 ssl_set_timer( ssl, 0 ); 02339 02340 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02341 { 02342 if( ssl_double_retransmit_timeout( ssl ) != 0 ) 02343 { 02344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) ); 02345 return( MBEDTLS_ERR_SSL_TIMEOUT ); 02346 } 02347 02348 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 02349 { 02350 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 02351 return( ret ); 02352 } 02353 02354 return( MBEDTLS_ERR_SSL_WANT_READ ); 02355 } 02356 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02357 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 02358 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 02359 { 02360 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 02361 { 02362 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 02363 return( ret ); 02364 } 02365 02366 return( MBEDTLS_ERR_SSL_WANT_READ ); 02367 } 02368 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02369 } 02370 02371 if( ret < 0 ) 02372 return( ret ); 02373 02374 ssl->in_left = ret; 02375 } 02376 else 02377 #endif 02378 { 02379 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02380 ssl->in_left, nb_want ) ); 02381 02382 while( ssl->in_left < nb_want ) 02383 { 02384 len = nb_want - ssl->in_left; 02385 02386 if( ssl_check_timer( ssl ) != 0 ) 02387 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02388 else 02389 { 02390 if( ssl->f_recv_timeout != NULL ) 02391 { 02392 ret = ssl->f_recv_timeout( ssl->p_bio, 02393 ssl->in_hdr + ssl->in_left, len, 02394 ssl->conf->read_timeout ); 02395 } 02396 else 02397 { 02398 ret = ssl->f_recv( ssl->p_bio, 02399 ssl->in_hdr + ssl->in_left, len ); 02400 } 02401 } 02402 02403 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02404 ssl->in_left, nb_want ) ); 02405 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02406 02407 if( ret == 0 ) 02408 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02409 02410 if( ret < 0 ) 02411 return( ret ); 02412 02413 ssl->in_left += ret; 02414 } 02415 } 02416 02417 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02418 02419 return( 0 ); 02420 } 02421 02422 /* 02423 * Flush any data not yet written 02424 */ 02425 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) 02426 { 02427 int ret; 02428 unsigned char *buf, i; 02429 02430 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) ); 02431 02432 if( ssl->f_send == NULL ) 02433 { 02434 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02435 "or mbedtls_ssl_set_bio()" ) ); 02436 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02437 } 02438 02439 /* Avoid incrementing counter if data is flushed */ 02440 if( ssl->out_left == 0 ) 02441 { 02442 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02443 return( 0 ); 02444 } 02445 02446 while( ssl->out_left > 0 ) 02447 { 02448 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d", 02449 mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) ); 02450 02451 buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) + 02452 ssl->out_msglen - ssl->out_left; 02453 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left ); 02454 02455 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret ); 02456 02457 if( ret <= 0 ) 02458 return( ret ); 02459 02460 ssl->out_left -= ret; 02461 } 02462 02463 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02464 if( ++ssl->out_ctr[i - 1] != 0 ) 02465 break; 02466 02467 /* The loop goes to its end iff the counter is wrapping */ 02468 if( i == ssl_ep_len( ssl ) ) 02469 { 02470 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) ); 02471 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02472 } 02473 02474 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02475 02476 return( 0 ); 02477 } 02478 02479 /* 02480 * Functions to handle the DTLS retransmission state machine 02481 */ 02482 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02483 /* 02484 * Append current handshake message to current outgoing flight 02485 */ 02486 static int ssl_flight_append( mbedtls_ssl_context *ssl ) 02487 { 02488 mbedtls_ssl_flight_item *msg; 02489 02490 /* Allocate space for current message */ 02491 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL ) 02492 { 02493 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", 02494 sizeof( mbedtls_ssl_flight_item ) ) ); 02495 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02496 } 02497 02498 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL ) 02499 { 02500 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) ); 02501 mbedtls_free( msg ); 02502 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02503 } 02504 02505 /* Copy current handshake message with headers */ 02506 memcpy( msg->p, ssl->out_msg, ssl->out_msglen ); 02507 msg->len = ssl->out_msglen; 02508 msg->type = ssl->out_msgtype; 02509 msg->next = NULL; 02510 02511 /* Append to the current flight */ 02512 if( ssl->handshake->flight == NULL ) 02513 ssl->handshake->flight = msg; 02514 else 02515 { 02516 mbedtls_ssl_flight_item *cur = ssl->handshake->flight; 02517 while( cur->next != NULL ) 02518 cur = cur->next; 02519 cur->next = msg; 02520 } 02521 02522 return( 0 ); 02523 } 02524 02525 /* 02526 * Free the current flight of handshake messages 02527 */ 02528 static void ssl_flight_free( mbedtls_ssl_flight_item *flight ) 02529 { 02530 mbedtls_ssl_flight_item *cur = flight; 02531 mbedtls_ssl_flight_item *next; 02532 02533 while( cur != NULL ) 02534 { 02535 next = cur->next; 02536 02537 mbedtls_free( cur->p ); 02538 mbedtls_free( cur ); 02539 02540 cur = next; 02541 } 02542 } 02543 02544 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 02545 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ); 02546 #endif 02547 02548 /* 02549 * Swap transform_out and out_ctr with the alternative ones 02550 */ 02551 static void ssl_swap_epochs( mbedtls_ssl_context *ssl ) 02552 { 02553 mbedtls_ssl_transform *tmp_transform; 02554 unsigned char tmp_out_ctr[8]; 02555 02556 if( ssl->transform_out == ssl->handshake->alt_transform_out ) 02557 { 02558 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) ); 02559 return; 02560 } 02561 02562 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) ); 02563 02564 /* Swap transforms */ 02565 tmp_transform = ssl->transform_out; 02566 ssl->transform_out = ssl->handshake->alt_transform_out; 02567 ssl->handshake->alt_transform_out = tmp_transform; 02568 02569 /* Swap epoch + sequence_number */ 02570 memcpy( tmp_out_ctr, ssl->out_ctr, 8 ); 02571 memcpy( ssl->out_ctr, ssl->handshake->alt_out_ctr, 8 ); 02572 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 ); 02573 02574 /* Adjust to the newly activated transform */ 02575 if( ssl->transform_out != NULL && 02576 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 02577 { 02578 ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen - 02579 ssl->transform_out->fixed_ivlen; 02580 } 02581 else 02582 ssl->out_msg = ssl->out_iv; 02583 02584 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02585 if( mbedtls_ssl_hw_record_activate != NULL ) 02586 { 02587 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 02588 { 02589 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 02590 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02591 } 02592 } 02593 #endif 02594 } 02595 02596 /* 02597 * Retransmit the current flight of messages. 02598 * 02599 * Need to remember the current message in case flush_output returns 02600 * WANT_WRITE, causing us to exit this function and come back later. 02601 * This function must be called until state is no longer SENDING. 02602 */ 02603 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl ) 02604 { 02605 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) ); 02606 02607 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING ) 02608 { 02609 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) ); 02610 02611 ssl->handshake->cur_msg = ssl->handshake->flight; 02612 ssl_swap_epochs( ssl ); 02613 02614 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING; 02615 } 02616 02617 while( ssl->handshake->cur_msg != NULL ) 02618 { 02619 int ret; 02620 mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg; 02621 02622 /* Swap epochs before sending Finished: we can't do it after 02623 * sending ChangeCipherSpec, in case write returns WANT_READ. 02624 * Must be done before copying, may change out_msg pointer */ 02625 if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE && 02626 cur->p[0] == MBEDTLS_SSL_HS_FINISHED ) 02627 { 02628 ssl_swap_epochs( ssl ); 02629 } 02630 02631 memcpy( ssl->out_msg, cur->p, cur->len ); 02632 ssl->out_msglen = cur->len; 02633 ssl->out_msgtype = cur->type; 02634 02635 ssl->handshake->cur_msg = cur->next; 02636 02637 MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 ); 02638 02639 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02640 { 02641 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02642 return( ret ); 02643 } 02644 } 02645 02646 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 02647 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02648 else 02649 { 02650 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02651 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02652 } 02653 02654 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) ); 02655 02656 return( 0 ); 02657 } 02658 02659 /* 02660 * To be called when the last message of an incoming flight is received. 02661 */ 02662 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl ) 02663 { 02664 /* We won't need to resend that one any more */ 02665 ssl_flight_free( ssl->handshake->flight ); 02666 ssl->handshake->flight = NULL; 02667 ssl->handshake->cur_msg = NULL; 02668 02669 /* The next incoming flight will start with this msg_seq */ 02670 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq; 02671 02672 /* Cancel timer */ 02673 ssl_set_timer( ssl, 0 ); 02674 02675 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02676 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02677 { 02678 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02679 } 02680 else 02681 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 02682 } 02683 02684 /* 02685 * To be called when the last message of an outgoing flight is send. 02686 */ 02687 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ) 02688 { 02689 ssl_reset_retransmit_timeout( ssl ); 02690 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02691 02692 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02693 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02694 { 02695 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02696 } 02697 else 02698 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02699 } 02700 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02701 02702 /* 02703 * Record layer functions 02704 */ 02705 02706 /* 02707 * Write current record. 02708 * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg. 02709 */ 02710 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) 02711 { 02712 int ret, done = 0, out_msg_type; 02713 size_t len = ssl->out_msglen; 02714 02715 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) ); 02716 02717 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02718 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02719 ssl->handshake != NULL && 02720 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 02721 { 02722 ; /* Skip special handshake treatment when resending */ 02723 } 02724 else 02725 #endif 02726 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 02727 { 02728 out_msg_type = ssl->out_msg[0]; 02729 02730 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST && 02731 ssl->handshake == NULL ) 02732 { 02733 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02734 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02735 } 02736 02737 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 ); 02738 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 ); 02739 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) ); 02740 02741 /* 02742 * DTLS has additional fields in the Handshake layer, 02743 * between the length field and the actual payload: 02744 * uint16 message_seq; 02745 * uint24 fragment_offset; 02746 * uint24 fragment_length; 02747 */ 02748 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02749 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02750 { 02751 /* Make room for the additional DTLS fields */ 02752 memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 ); 02753 ssl->out_msglen += 8; 02754 len += 8; 02755 02756 /* Write message_seq and update it, except for HelloRequest */ 02757 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02758 { 02759 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF; 02760 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF; 02761 ++( ssl->handshake->out_msg_seq ); 02762 } 02763 else 02764 { 02765 ssl->out_msg[4] = 0; 02766 ssl->out_msg[5] = 0; 02767 } 02768 02769 /* We don't fragment, so frag_offset = 0 and frag_len = len */ 02770 memset( ssl->out_msg + 6, 0x00, 3 ); 02771 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ); 02772 } 02773 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02774 02775 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02776 ssl->handshake->update_checksum( ssl, ssl->out_msg, len ); 02777 } 02778 02779 /* Save handshake and CCS messages for resending */ 02780 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02781 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02782 ssl->handshake != NULL && 02783 ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING && 02784 ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC || 02785 ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) ) 02786 { 02787 if( ( ret = ssl_flight_append( ssl ) ) != 0 ) 02788 { 02789 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret ); 02790 return( ret ); 02791 } 02792 } 02793 #endif 02794 02795 #if defined(MBEDTLS_ZLIB_SUPPORT) 02796 if( ssl->transform_out != NULL && 02797 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 02798 { 02799 if( ( ret = ssl_compress_buf( ssl ) ) != 0 ) 02800 { 02801 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret ); 02802 return( ret ); 02803 } 02804 02805 len = ssl->out_msglen; 02806 } 02807 #endif /*MBEDTLS_ZLIB_SUPPORT */ 02808 02809 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02810 if( mbedtls_ssl_hw_record_write != NULL ) 02811 { 02812 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) ); 02813 02814 ret = mbedtls_ssl_hw_record_write( ssl ); 02815 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 02816 { 02817 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret ); 02818 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02819 } 02820 02821 if( ret == 0 ) 02822 done = 1; 02823 } 02824 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 02825 if( !done ) 02826 { 02827 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; 02828 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02829 ssl->conf->transport, ssl->out_hdr + 1 ); 02830 02831 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02832 ssl->out_len[1] = (unsigned char)( len ); 02833 02834 if( ssl->transform_out != NULL ) 02835 { 02836 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 ) 02837 { 02838 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); 02839 return( ret ); 02840 } 02841 02842 len = ssl->out_msglen; 02843 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02844 ssl->out_len[1] = (unsigned char)( len ); 02845 } 02846 02847 ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen; 02848 02849 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, " 02850 "version = [%d:%d], msglen = %d", 02851 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2], 02852 ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) ); 02853 02854 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", 02855 ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen ); 02856 } 02857 02858 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 02859 { 02860 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 02861 return( ret ); 02862 } 02863 02864 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) ); 02865 02866 return( 0 ); 02867 } 02868 02869 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02870 /* 02871 * Mark bits in bitmask (used for DTLS HS reassembly) 02872 */ 02873 static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len ) 02874 { 02875 unsigned int start_bits, end_bits; 02876 02877 start_bits = 8 - ( offset % 8 ); 02878 if( start_bits != 8 ) 02879 { 02880 size_t first_byte_idx = offset / 8; 02881 02882 /* Special case */ 02883 if( len <= start_bits ) 02884 { 02885 for( ; len != 0; len-- ) 02886 mask[first_byte_idx] |= 1 << ( start_bits - len ); 02887 02888 /* Avoid potential issues with offset or len becoming invalid */ 02889 return; 02890 } 02891 02892 offset += start_bits; /* Now offset % 8 == 0 */ 02893 len -= start_bits; 02894 02895 for( ; start_bits != 0; start_bits-- ) 02896 mask[first_byte_idx] |= 1 << ( start_bits - 1 ); 02897 } 02898 02899 end_bits = len % 8; 02900 if( end_bits != 0 ) 02901 { 02902 size_t last_byte_idx = ( offset + len ) / 8; 02903 02904 len -= end_bits; /* Now len % 8 == 0 */ 02905 02906 for( ; end_bits != 0; end_bits-- ) 02907 mask[last_byte_idx] |= 1 << ( 8 - end_bits ); 02908 } 02909 02910 memset( mask + offset / 8, 0xFF, len / 8 ); 02911 } 02912 02913 /* 02914 * Check that bitmask is full 02915 */ 02916 static int ssl_bitmask_check( unsigned char *mask, size_t len ) 02917 { 02918 size_t i; 02919 02920 for( i = 0; i < len / 8; i++ ) 02921 if( mask[i] != 0xFF ) 02922 return( -1 ); 02923 02924 for( i = 0; i < len % 8; i++ ) 02925 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 ) 02926 return( -1 ); 02927 02928 return( 0 ); 02929 } 02930 02931 /* 02932 * Reassemble fragmented DTLS handshake messages. 02933 * 02934 * Use a temporary buffer for reassembly, divided in two parts: 02935 * - the first holds the reassembled message (including handshake header), 02936 * - the second holds a bitmask indicating which parts of the message 02937 * (excluding headers) have been received so far. 02938 */ 02939 static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) 02940 { 02941 unsigned char *msg, *bitmask; 02942 size_t frag_len, frag_off; 02943 size_t msg_len = ssl->in_hslen - 12; /* Without headers */ 02944 02945 if( ssl->handshake == NULL ) 02946 { 02947 MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) ); 02948 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 02949 } 02950 02951 /* 02952 * For first fragment, check size and allocate buffer 02953 */ 02954 if( ssl->handshake->hs_msg == NULL ) 02955 { 02956 size_t alloc_len; 02957 02958 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d", 02959 msg_len ) ); 02960 02961 if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02962 { 02963 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) ); 02964 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 02965 } 02966 02967 /* The bitmask needs one bit per byte of message excluding header */ 02968 alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 ); 02969 02970 ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len ); 02971 if( ssl->handshake->hs_msg == NULL ) 02972 { 02973 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) ); 02974 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02975 } 02976 02977 /* Prepare final header: copy msg_type, length and message_seq, 02978 * then add standardised fragment_offset and fragment_length */ 02979 memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 ); 02980 memset( ssl->handshake->hs_msg + 6, 0, 3 ); 02981 memcpy( ssl->handshake->hs_msg + 9, 02982 ssl->handshake->hs_msg + 1, 3 ); 02983 } 02984 else 02985 { 02986 /* Make sure msg_type and length are consistent */ 02987 if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 ) 02988 { 02989 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) ); 02990 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 02991 } 02992 } 02993 02994 msg = ssl->handshake->hs_msg + 12; 02995 bitmask = msg + msg_len; 02996 02997 /* 02998 * Check and copy current fragment 02999 */ 03000 frag_off = ( ssl->in_msg[6] << 16 ) | 03001 ( ssl->in_msg[7] << 8 ) | 03002 ssl->in_msg[8]; 03003 frag_len = ( ssl->in_msg[9] << 16 ) | 03004 ( ssl->in_msg[10] << 8 ) | 03005 ssl->in_msg[11]; 03006 03007 if( frag_off + frag_len > msg_len ) 03008 { 03009 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d", 03010 frag_off, frag_len, msg_len ) ); 03011 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03012 } 03013 03014 if( frag_len + 12 > ssl->in_msglen ) 03015 { 03016 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d", 03017 frag_len, ssl->in_msglen ) ); 03018 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03019 } 03020 03021 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d", 03022 frag_off, frag_len ) ); 03023 03024 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len ); 03025 ssl_bitmask_set( bitmask, frag_off, frag_len ); 03026 03027 /* 03028 * Do we have the complete message by now? 03029 * If yes, finalize it, else ask to read the next record. 03030 */ 03031 if( ssl_bitmask_check( bitmask, msg_len ) != 0 ) 03032 { 03033 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) ); 03034 return( MBEDTLS_ERR_SSL_WANT_READ ); 03035 } 03036 03037 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) ); 03038 03039 if( frag_len + 12 < ssl->in_msglen ) 03040 { 03041 /* 03042 * We'got more handshake messages in the same record. 03043 * This case is not handled now because no know implementation does 03044 * that and it's hard to test, so we prefer to fail cleanly for now. 03045 */ 03046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) ); 03047 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03048 } 03049 03050 if( ssl->in_left > ssl->next_record_offset ) 03051 { 03052 /* 03053 * We've got more data in the buffer after the current record, 03054 * that we don't want to overwrite. Move it before writing the 03055 * reassembled message, and adjust in_left and next_record_offset. 03056 */ 03057 unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset; 03058 unsigned char *new_remain = ssl->in_msg + ssl->in_hslen; 03059 size_t remain_len = ssl->in_left - ssl->next_record_offset; 03060 03061 /* First compute and check new lengths */ 03062 ssl->next_record_offset = new_remain - ssl->in_hdr; 03063 ssl->in_left = ssl->next_record_offset + remain_len; 03064 03065 if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN - 03066 (size_t)( ssl->in_hdr - ssl->in_buf ) ) 03067 { 03068 MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) ); 03069 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03070 } 03071 03072 memmove( new_remain, cur_remain, remain_len ); 03073 } 03074 03075 memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen ); 03076 03077 mbedtls_free( ssl->handshake->hs_msg ); 03078 ssl->handshake->hs_msg = NULL; 03079 03080 MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message", 03081 ssl->in_msg, ssl->in_hslen ); 03082 03083 return( 0 ); 03084 } 03085 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03086 03087 static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) 03088 { 03089 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) ) 03090 { 03091 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d", 03092 ssl->in_msglen ) ); 03093 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03094 } 03095 03096 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ( 03097 ( ssl->in_msg[1] << 16 ) | 03098 ( ssl->in_msg[2] << 8 ) | 03099 ssl->in_msg[3] ); 03100 03101 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" 03102 " %d, type = %d, hslen = %d", 03103 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); 03104 03105 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03106 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03107 { 03108 int ret; 03109 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 03110 03111 /* ssl->handshake is NULL when receiving ClientHello for renego */ 03112 if( ssl->handshake != NULL && 03113 recv_msg_seq != ssl->handshake->in_msg_seq ) 03114 { 03115 /* Retransmit only on last message from previous flight, to avoid 03116 * too many retransmissions. 03117 * Besides, No sane server ever retransmits HelloVerifyRequest */ 03118 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 && 03119 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 03120 { 03121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, " 03122 "message_seq = %d, start_of_flight = %d", 03123 recv_msg_seq, 03124 ssl->handshake->in_flight_start_seq ) ); 03125 03126 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03127 { 03128 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 03129 return( ret ); 03130 } 03131 } 03132 else 03133 { 03134 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: " 03135 "message_seq = %d, expected = %d", 03136 recv_msg_seq, 03137 ssl->handshake->in_msg_seq ) ); 03138 } 03139 03140 return( MBEDTLS_ERR_SSL_WANT_READ ); 03141 } 03142 /* Wait until message completion to increment in_msg_seq */ 03143 03144 /* Reassemble if current message is fragmented or reassembly is 03145 * already in progress */ 03146 if( ssl->in_msglen < ssl->in_hslen || 03147 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 || 03148 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 || 03149 ( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) ) 03150 { 03151 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) ); 03152 03153 if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 ) 03154 { 03155 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret ); 03156 return( ret ); 03157 } 03158 } 03159 } 03160 else 03161 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03162 /* With TLS we don't handle fragmentation (for now) */ 03163 if( ssl->in_msglen < ssl->in_hslen ) 03164 { 03165 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); 03166 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03167 } 03168 03169 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && 03170 ssl->handshake != NULL ) 03171 { 03172 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); 03173 } 03174 03175 /* Handshake message is complete, increment counter */ 03176 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03177 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03178 ssl->handshake != NULL ) 03179 { 03180 ssl->handshake->in_msg_seq++; 03181 } 03182 #endif 03183 03184 return( 0 ); 03185 } 03186 03187 /* 03188 * DTLS anti-replay: RFC 6347 4.1.2.6 03189 * 03190 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb). 03191 * Bit n is set iff record number in_window_top - n has been seen. 03192 * 03193 * Usually, in_window_top is the last record number seen and the lsb of 03194 * in_window is set. The only exception is the initial state (record number 0 03195 * not seen yet). 03196 */ 03197 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03198 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ) 03199 { 03200 ssl->in_window_top = 0; 03201 ssl->in_window = 0; 03202 } 03203 03204 static inline uint64_t ssl_load_six_bytes( unsigned char *buf ) 03205 { 03206 return( ( (uint64_t) buf[0] << 40 ) | 03207 ( (uint64_t) buf[1] << 32 ) | 03208 ( (uint64_t) buf[2] << 24 ) | 03209 ( (uint64_t) buf[3] << 16 ) | 03210 ( (uint64_t) buf[4] << 8 ) | 03211 ( (uint64_t) buf[5] ) ); 03212 } 03213 03214 /* 03215 * Return 0 if sequence number is acceptable, -1 otherwise 03216 */ 03217 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl ) 03218 { 03219 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03220 uint64_t bit; 03221 03222 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03223 return( 0 ); 03224 03225 if( rec_seqnum > ssl->in_window_top ) 03226 return( 0 ); 03227 03228 bit = ssl->in_window_top - rec_seqnum; 03229 03230 if( bit >= 64 ) 03231 return( -1 ); 03232 03233 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 ) 03234 return( -1 ); 03235 03236 return( 0 ); 03237 } 03238 03239 /* 03240 * Update replay window on new validated record 03241 */ 03242 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) 03243 { 03244 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03245 03246 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03247 return; 03248 03249 if( rec_seqnum > ssl->in_window_top ) 03250 { 03251 /* Update window_top and the contents of the window */ 03252 uint64_t shift = rec_seqnum - ssl->in_window_top; 03253 03254 if( shift >= 64 ) 03255 ssl->in_window = 1; 03256 else 03257 { 03258 ssl->in_window <<= shift; 03259 ssl->in_window |= 1; 03260 } 03261 03262 ssl->in_window_top = rec_seqnum; 03263 } 03264 else 03265 { 03266 /* Mark that number as seen in the current window */ 03267 uint64_t bit = ssl->in_window_top - rec_seqnum; 03268 03269 if( bit < 64 ) /* Always true, but be extra sure */ 03270 ssl->in_window |= (uint64_t) 1 << bit; 03271 } 03272 } 03273 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 03274 03275 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03276 /* Forward declaration */ 03277 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); 03278 03279 /* 03280 * Without any SSL context, check if a datagram looks like a ClientHello with 03281 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message. 03282 * Both input and output include full DTLS headers. 03283 * 03284 * - if cookie is valid, return 0 03285 * - if ClientHello looks superficially valid but cookie is not, 03286 * fill obuf and set olen, then 03287 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03288 * - otherwise return a specific error code 03289 */ 03290 static int ssl_check_dtls_clihlo_cookie( 03291 mbedtls_ssl_cookie_write_t *f_cookie_write, 03292 mbedtls_ssl_cookie_check_t *f_cookie_check, 03293 void *p_cookie, 03294 const unsigned char *cli_id, size_t cli_id_len, 03295 const unsigned char *in, size_t in_len, 03296 unsigned char *obuf, size_t buf_len, size_t *olen ) 03297 { 03298 size_t sid_len, cookie_len; 03299 unsigned char *p; 03300 03301 if( f_cookie_write == NULL || f_cookie_check == NULL ) 03302 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03303 03304 /* 03305 * Structure of ClientHello with record and handshake headers, 03306 * and expected values. We don't need to check a lot, more checks will be 03307 * done when actually parsing the ClientHello - skipping those checks 03308 * avoids code duplication and does not make cookie forging any easier. 03309 * 03310 * 0-0 ContentType type; copied, must be handshake 03311 * 1-2 ProtocolVersion version; copied 03312 * 3-4 uint16 epoch; copied, must be 0 03313 * 5-10 uint48 sequence_number; copied 03314 * 11-12 uint16 length; (ignored) 03315 * 03316 * 13-13 HandshakeType msg_type; (ignored) 03317 * 14-16 uint24 length; (ignored) 03318 * 17-18 uint16 message_seq; copied 03319 * 19-21 uint24 fragment_offset; copied, must be 0 03320 * 22-24 uint24 fragment_length; (ignored) 03321 * 03322 * 25-26 ProtocolVersion client_version; (ignored) 03323 * 27-58 Random random; (ignored) 03324 * 59-xx SessionID session_id; 1 byte len + sid_len content 03325 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content 03326 * ... 03327 * 03328 * Minimum length is 61 bytes. 03329 */ 03330 if( in_len < 61 || 03331 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || 03332 in[3] != 0 || in[4] != 0 || 03333 in[19] != 0 || in[20] != 0 || in[21] != 0 ) 03334 { 03335 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03336 } 03337 03338 sid_len = in[59]; 03339 if( sid_len > in_len - 61 ) 03340 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03341 03342 cookie_len = in[60 + sid_len]; 03343 if( cookie_len > in_len - 60 ) 03344 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03345 03346 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len, 03347 cli_id, cli_id_len ) == 0 ) 03348 { 03349 /* Valid cookie */ 03350 return( 0 ); 03351 } 03352 03353 /* 03354 * If we get here, we've got an invalid cookie, let's prepare HVR. 03355 * 03356 * 0-0 ContentType type; copied 03357 * 1-2 ProtocolVersion version; copied 03358 * 3-4 uint16 epoch; copied 03359 * 5-10 uint48 sequence_number; copied 03360 * 11-12 uint16 length; olen - 13 03361 * 03362 * 13-13 HandshakeType msg_type; hello_verify_request 03363 * 14-16 uint24 length; olen - 25 03364 * 17-18 uint16 message_seq; copied 03365 * 19-21 uint24 fragment_offset; copied 03366 * 22-24 uint24 fragment_length; olen - 25 03367 * 03368 * 25-26 ProtocolVersion server_version; 0xfe 0xff 03369 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie 03370 * 03371 * Minimum length is 28. 03372 */ 03373 if( buf_len < 28 ) 03374 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03375 03376 /* Copy most fields and adapt others */ 03377 memcpy( obuf, in, 25 ); 03378 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 03379 obuf[25] = 0xfe; 03380 obuf[26] = 0xff; 03381 03382 /* Generate and write actual cookie */ 03383 p = obuf + 28; 03384 if( f_cookie_write( p_cookie, 03385 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 ) 03386 { 03387 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03388 } 03389 03390 *olen = p - obuf; 03391 03392 /* Go back and fill length fields */ 03393 obuf[27] = (unsigned char)( *olen - 28 ); 03394 03395 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 ); 03396 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 ); 03397 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) ); 03398 03399 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 ); 03400 obuf[12] = (unsigned char)( ( *olen - 13 ) ); 03401 03402 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03403 } 03404 03405 /* 03406 * Handle possible client reconnect with the same UDP quadruplet 03407 * (RFC 6347 Section 4.2.8). 03408 * 03409 * Called by ssl_parse_record_header() in case we receive an epoch 0 record 03410 * that looks like a ClientHello. 03411 * 03412 * - if the input looks like a ClientHello without cookies, 03413 * send back HelloVerifyRequest, then 03414 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03415 * - if the input looks like a ClientHello with a valid cookie, 03416 * reset the session of the current context, and 03417 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT 03418 * - if anything goes wrong, return a specific error code 03419 * 03420 * mbedtls_ssl_read_record() will ignore the record if anything else than 03421 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function 03422 * cannot not return 0. 03423 */ 03424 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) 03425 { 03426 int ret; 03427 size_t len; 03428 03429 ret = ssl_check_dtls_clihlo_cookie( 03430 ssl->conf->f_cookie_write, 03431 ssl->conf->f_cookie_check, 03432 ssl->conf->p_cookie, 03433 ssl->cli_id, ssl->cli_id_len, 03434 ssl->in_buf, ssl->in_left, 03435 ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len ); 03436 03437 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret ); 03438 03439 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) 03440 { 03441 /* Dont check write errors as we can't do anything here. 03442 * If the error is permanent we'll catch it later, 03443 * if it's not, then hopefully it'll work next time. */ 03444 (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len ); 03445 03446 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03447 } 03448 03449 if( ret == 0 ) 03450 { 03451 /* Got a valid cookie, partially reset context */ 03452 if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 ) 03453 { 03454 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret ); 03455 return( ret ); 03456 } 03457 03458 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT ); 03459 } 03460 03461 return( ret ); 03462 } 03463 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03464 03465 /* 03466 * ContentType type; 03467 * ProtocolVersion version; 03468 * uint16 epoch; // DTLS only 03469 * uint48 sequence_number; // DTLS only 03470 * uint16 length; 03471 * 03472 * Return 0 if header looks sane (and, for DTLS, the record is expected) 03473 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad, 03474 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected. 03475 * 03476 * With DTLS, mbedtls_ssl_read_record() will: 03477 * 1. proceed with the record if this function returns 0 03478 * 2. drop only the current record if this function returns UNEXPECTED_RECORD 03479 * 3. return CLIENT_RECONNECT if this function return that value 03480 * 4. drop the whole datagram if this function returns anything else. 03481 * Point 2 is needed when the peer is resending, and we have already received 03482 * the first record from a datagram but are still waiting for the others. 03483 */ 03484 static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) 03485 { 03486 int ret; 03487 int major_ver, minor_ver; 03488 03489 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) ); 03490 03491 ssl->in_msgtype = ssl->in_hdr[0]; 03492 ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 03493 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 ); 03494 03495 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, " 03496 "version = [%d:%d], msglen = %d", 03497 ssl->in_msgtype, 03498 major_ver, minor_ver, ssl->in_msglen ) ); 03499 03500 /* Check record type */ 03501 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && 03502 ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT && 03503 ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03504 ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 03505 { 03506 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); 03507 03508 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 03509 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03510 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 ) 03511 { 03512 return( ret ); 03513 } 03514 03515 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03516 } 03517 03518 /* Check version */ 03519 if( major_ver != ssl->major_ver ) 03520 { 03521 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); 03522 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03523 } 03524 03525 if( minor_ver > ssl->conf->max_minor_ver ) 03526 { 03527 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); 03528 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03529 } 03530 03531 /* Check length against the size of our buffer */ 03532 if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN 03533 - (size_t)( ssl->in_msg - ssl->in_buf ) ) 03534 { 03535 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03536 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03537 } 03538 03539 /* Check length against bounds of the current transform and version */ 03540 if( ssl->transform_in == NULL ) 03541 { 03542 if( ssl->in_msglen < 1 || 03543 ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03544 { 03545 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03546 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03547 } 03548 } 03549 else 03550 { 03551 if( ssl->in_msglen < ssl->transform_in->minlen ) 03552 { 03553 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03554 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03555 } 03556 03557 #if defined(MBEDTLS_SSL_PROTO_SSL3) 03558 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 03559 ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN ) 03560 { 03561 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03562 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03563 } 03564 #endif 03565 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03566 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03567 /* 03568 * TLS encrypted messages can have up to 256 bytes of padding 03569 */ 03570 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 && 03571 ssl->in_msglen > ssl->transform_in->minlen + 03572 MBEDTLS_SSL_MAX_CONTENT_LEN + 256 ) 03573 { 03574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03575 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03576 } 03577 #endif 03578 } 03579 03580 /* 03581 * DTLS-related tests done last, because most of them may result in 03582 * silently dropping the record (but not the whole datagram), and we only 03583 * want to consider that after ensuring that the "basic" fields (type, 03584 * version, length) are sane. 03585 */ 03586 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03587 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03588 { 03589 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; 03590 03591 /* Drop unexpected ChangeCipherSpec messages */ 03592 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03593 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && 03594 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) 03595 { 03596 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) ); 03597 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03598 } 03599 03600 /* Drop unexpected ApplicationData records, 03601 * except at the beginning of renegotiations */ 03602 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA && 03603 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER 03604 #if defined(MBEDTLS_SSL_RENEGOTIATION) 03605 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 03606 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) 03607 #endif 03608 ) 03609 { 03610 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) ); 03611 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03612 } 03613 03614 /* Check epoch (and sequence number) with DTLS */ 03615 if( rec_epoch != ssl->in_epoch ) 03616 { 03617 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: " 03618 "expected %d, received %d", 03619 ssl->in_epoch, rec_epoch ) ); 03620 03621 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03622 /* 03623 * Check for an epoch 0 ClientHello. We can't use in_msg here to 03624 * access the first byte of record content (handshake type), as we 03625 * have an active transform (possibly iv_len != 0), so use the 03626 * fact that the record header len is 13 instead. 03627 */ 03628 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 03629 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && 03630 rec_epoch == 0 && 03631 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 03632 ssl->in_left > 13 && 03633 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) 03634 { 03635 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect " 03636 "from the same port" ) ); 03637 return( ssl_handle_possible_reconnect( ssl ) ); 03638 } 03639 else 03640 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03641 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03642 } 03643 03644 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03645 /* Replay detection only works for the current epoch */ 03646 if( rec_epoch == ssl->in_epoch && 03647 mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 03648 { 03649 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) ); 03650 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03651 } 03652 #endif 03653 } 03654 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03655 03656 return( 0 ); 03657 } 03658 03659 /* 03660 * If applicable, decrypt (and decompress) record content 03661 */ 03662 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) 03663 { 03664 int ret, done = 0; 03665 03666 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network", 03667 ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ); 03668 03669 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 03670 if( mbedtls_ssl_hw_record_read != NULL ) 03671 { 03672 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) ); 03673 03674 ret = mbedtls_ssl_hw_record_read( ssl ); 03675 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 03676 { 03677 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret ); 03678 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 03679 } 03680 03681 if( ret == 0 ) 03682 done = 1; 03683 } 03684 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 03685 if( !done && ssl->transform_in != NULL ) 03686 { 03687 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 ) 03688 { 03689 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); 03690 return( ret ); 03691 } 03692 03693 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt", 03694 ssl->in_msg, ssl->in_msglen ); 03695 03696 if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03697 { 03698 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03699 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03700 } 03701 } 03702 03703 #if defined(MBEDTLS_ZLIB_SUPPORT) 03704 if( ssl->transform_in != NULL && 03705 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 03706 { 03707 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 ) 03708 { 03709 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret ); 03710 return( ret ); 03711 } 03712 } 03713 #endif /* MBEDTLS_ZLIB_SUPPORT */ 03714 03715 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03716 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03717 { 03718 mbedtls_ssl_dtls_replay_update( ssl ); 03719 } 03720 #endif 03721 03722 return( 0 ); 03723 } 03724 03725 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ); 03726 03727 /* 03728 * Read a record. 03729 * 03730 * Silently ignore non-fatal alert (and for DTLS, invalid records as well, 03731 * RFC 6347 4.1.2.7) and continue reading until a valid record is found. 03732 * 03733 */ 03734 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) 03735 { 03736 int ret; 03737 03738 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) ); 03739 03740 if( ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen ) 03741 { 03742 /* 03743 * Get next Handshake message in the current record 03744 */ 03745 ssl->in_msglen -= ssl->in_hslen; 03746 03747 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen, 03748 ssl->in_msglen ); 03749 03750 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record", 03751 ssl->in_msg, ssl->in_msglen ); 03752 03753 if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 ) 03754 return( ret ); 03755 03756 return( 0 ); 03757 } 03758 03759 ssl->in_hslen = 0; 03760 03761 /* 03762 * Read the record header and parse it 03763 */ 03764 read_record_header: 03765 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 ) 03766 { 03767 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03768 return( ret ); 03769 } 03770 03771 if( ( ret = ssl_parse_record_header( ssl ) ) != 0 ) 03772 { 03773 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03774 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03775 ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT ) 03776 { 03777 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ) 03778 { 03779 /* Skip unexpected record (but not whole datagram) */ 03780 ssl->next_record_offset = ssl->in_msglen 03781 + mbedtls_ssl_hdr_len( ssl ); 03782 03783 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record " 03784 "(header)" ) ); 03785 } 03786 else 03787 { 03788 /* Skip invalid record and the rest of the datagram */ 03789 ssl->next_record_offset = 0; 03790 ssl->in_left = 0; 03791 03792 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record " 03793 "(header)" ) ); 03794 } 03795 03796 /* Get next record */ 03797 goto read_record_header; 03798 } 03799 #endif 03800 return( ret ); 03801 } 03802 03803 /* 03804 * Read and optionally decrypt the message contents 03805 */ 03806 if( ( ret = mbedtls_ssl_fetch_input( ssl, 03807 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 ) 03808 { 03809 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03810 return( ret ); 03811 } 03812 03813 /* Done reading this record, get ready for the next one */ 03814 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03815 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03816 ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl ); 03817 else 03818 #endif 03819 ssl->in_left = 0; 03820 03821 if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) 03822 { 03823 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03824 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03825 { 03826 /* Silently discard invalid records */ 03827 if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD || 03828 ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03829 { 03830 /* Except when waiting for Finished as a bad mac here 03831 * probably means something went wrong in the handshake 03832 * (eg wrong psk used, mitm downgrade attempt, etc.) */ 03833 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED || 03834 ssl->state == MBEDTLS_SSL_SERVER_FINISHED ) 03835 { 03836 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 03837 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03838 { 03839 mbedtls_ssl_send_alert_message( ssl, 03840 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03841 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 03842 } 03843 #endif 03844 return( ret ); 03845 } 03846 03847 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 03848 if( ssl->conf->badmac_limit != 0 && 03849 ++ssl->badmac_seen >= ssl->conf->badmac_limit ) 03850 { 03851 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); 03852 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 03853 } 03854 #endif 03855 03856 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) ); 03857 goto read_record_header; 03858 } 03859 03860 return( ret ); 03861 } 03862 else 03863 #endif 03864 { 03865 /* Error out (and send alert) on invalid records */ 03866 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 03867 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03868 { 03869 mbedtls_ssl_send_alert_message( ssl, 03870 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03871 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 03872 } 03873 #endif 03874 return( ret ); 03875 } 03876 } 03877 03878 /* 03879 * When we sent the last flight of the handshake, we MUST respond to a 03880 * retransmit of the peer's previous flight with a retransmit. (In 03881 * practice, only the Finished message will make it, other messages 03882 * including CCS use the old transform so they're dropped as invalid.) 03883 * 03884 * If the record we received is not a handshake message, however, it 03885 * means the peer received our last flight so we can clean up 03886 * handshake info. 03887 * 03888 * This check needs to be done before prepare_handshake() due to an edge 03889 * case: if the client immediately requests renegotiation, this 03890 * finishes the current handshake first, avoiding the new ClientHello 03891 * being mistaken for an ancient message in the current handshake. 03892 */ 03893 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03894 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03895 ssl->handshake != NULL && 03896 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 03897 { 03898 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 03899 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 03900 { 03901 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) ); 03902 03903 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03904 { 03905 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 03906 return( ret ); 03907 } 03908 03909 return( MBEDTLS_ERR_SSL_WANT_READ ); 03910 } 03911 else 03912 { 03913 ssl_handshake_wrapup_free_hs_transform( ssl ); 03914 } 03915 } 03916 #endif 03917 03918 /* 03919 * Handle particular types of records 03920 */ 03921 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 03922 { 03923 if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 ) 03924 return( ret ); 03925 } 03926 03927 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 03928 { 03929 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]", 03930 ssl->in_msg[0], ssl->in_msg[1] ) ); 03931 03932 /* 03933 * Ignore non-fatal alerts, except close_notify and no_renegotiation 03934 */ 03935 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL ) 03936 { 03937 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)", 03938 ssl->in_msg[1] ) ); 03939 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); 03940 } 03941 03942 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 03943 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) 03944 { 03945 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) ); 03946 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ); 03947 } 03948 03949 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED) 03950 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 03951 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) 03952 { 03953 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 03954 /* Will be handled when trying to parse ServerHello */ 03955 return( 0 ); 03956 } 03957 #endif 03958 03959 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C) 03960 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 03961 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 03962 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 03963 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 03964 { 03965 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 03966 /* Will be handled in mbedtls_ssl_parse_certificate() */ 03967 return( 0 ); 03968 } 03969 #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */ 03970 03971 /* Silently ignore: fetch new message */ 03972 goto read_record_header; 03973 } 03974 03975 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) ); 03976 03977 return( 0 ); 03978 } 03979 03980 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ) 03981 { 03982 int ret; 03983 03984 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 03985 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03986 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 ) 03987 { 03988 return( ret ); 03989 } 03990 03991 return( 0 ); 03992 } 03993 03994 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, 03995 unsigned char level, 03996 unsigned char message ) 03997 { 03998 int ret; 03999 04000 if( ssl == NULL || ssl->conf == NULL ) 04001 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04002 04003 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); 04004 04005 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 04006 ssl->out_msglen = 2; 04007 ssl->out_msg[0] = level; 04008 ssl->out_msg[1] = message; 04009 04010 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04011 { 04012 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04013 return( ret ); 04014 } 04015 04016 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) ); 04017 04018 return( 0 ); 04019 } 04020 04021 /* 04022 * Handshake functions 04023 */ 04024 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 04025 !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \ 04026 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 04027 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 04028 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ 04029 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 04030 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 04031 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04032 { 04033 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04034 04035 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04036 04037 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04038 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04039 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04040 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04041 { 04042 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04043 ssl->state++; 04044 return( 0 ); 04045 } 04046 04047 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04048 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04049 } 04050 04051 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04052 { 04053 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04054 04055 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04056 04057 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04058 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04059 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04060 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04061 { 04062 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04063 ssl->state++; 04064 return( 0 ); 04065 } 04066 04067 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04068 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04069 } 04070 #else 04071 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04072 { 04073 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04074 size_t i, n; 04075 const mbedtls_x509_crt *crt; 04076 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04077 04078 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04079 04080 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04081 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04082 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04083 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04084 { 04085 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04086 ssl->state++; 04087 return( 0 ); 04088 } 04089 04090 #if defined(MBEDTLS_SSL_CLI_C) 04091 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 04092 { 04093 if( ssl->client_auth == 0 ) 04094 { 04095 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04096 ssl->state++; 04097 return( 0 ); 04098 } 04099 04100 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04101 /* 04102 * If using SSLv3 and got no cert, send an Alert message 04103 * (otherwise an empty Certificate message will be sent). 04104 */ 04105 if( mbedtls_ssl_own_cert( ssl ) == NULL && 04106 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04107 { 04108 ssl->out_msglen = 2; 04109 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 04110 ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING; 04111 ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT; 04112 04113 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) ); 04114 goto write_msg; 04115 } 04116 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04117 } 04118 #endif /* MBEDTLS_SSL_CLI_C */ 04119 #if defined(MBEDTLS_SSL_SRV_C) 04120 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 04121 { 04122 if( mbedtls_ssl_own_cert( ssl ) == NULL ) 04123 { 04124 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); 04125 return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED ); 04126 } 04127 } 04128 #endif 04129 04130 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) ); 04131 04132 /* 04133 * 0 . 0 handshake type 04134 * 1 . 3 handshake length 04135 * 4 . 6 length of all certs 04136 * 7 . 9 length of cert. 1 04137 * 10 . n-1 peer certificate 04138 * n . n+2 length of cert. 2 04139 * n+3 . ... upper level cert, etc. 04140 */ 04141 i = 7; 04142 crt = mbedtls_ssl_own_cert( ssl ); 04143 04144 while( crt != NULL ) 04145 { 04146 n = crt->raw.len; 04147 if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i ) 04148 { 04149 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d", 04150 i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) ); 04151 return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE ); 04152 } 04153 04154 ssl->out_msg[i ] = (unsigned char)( n >> 16 ); 04155 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 ); 04156 ssl->out_msg[i + 2] = (unsigned char)( n ); 04157 04158 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n ); 04159 i += n; crt = crt->next; 04160 } 04161 04162 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 ); 04163 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 ); 04164 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) ); 04165 04166 ssl->out_msglen = i; 04167 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 04168 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; 04169 04170 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C) 04171 write_msg: 04172 #endif 04173 04174 ssl->state++; 04175 04176 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04177 { 04178 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04179 return( ret ); 04180 } 04181 04182 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) ); 04183 04184 return( ret ); 04185 } 04186 04187 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04188 { 04189 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04190 size_t i, n; 04191 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04192 int authmode = ssl->conf->authmode; 04193 04194 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04195 04196 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04197 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04198 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04199 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04200 { 04201 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04202 ssl->state++; 04203 return( 0 ); 04204 } 04205 04206 #if defined(MBEDTLS_SSL_SRV_C) 04207 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04208 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 04209 { 04210 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04211 ssl->state++; 04212 return( 0 ); 04213 } 04214 04215 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04216 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 04217 authmode = ssl->handshake->sni_authmode; 04218 #endif 04219 04220 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04221 authmode == MBEDTLS_SSL_VERIFY_NONE ) 04222 { 04223 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; 04224 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04225 ssl->state++; 04226 return( 0 ); 04227 } 04228 #endif 04229 04230 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04231 { 04232 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04233 return( ret ); 04234 } 04235 04236 ssl->state++; 04237 04238 #if defined(MBEDTLS_SSL_SRV_C) 04239 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04240 /* 04241 * Check if the client sent an empty certificate 04242 */ 04243 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04244 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04245 { 04246 if( ssl->in_msglen == 2 && 04247 ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT && 04248 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04249 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 04250 { 04251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); 04252 04253 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04254 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04255 return( 0 ); 04256 else 04257 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04258 } 04259 } 04260 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04261 04262 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 04263 defined(MBEDTLS_SSL_PROTO_TLS1_2) 04264 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04265 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 04266 { 04267 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && 04268 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 04269 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && 04270 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) 04271 { 04272 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); 04273 04274 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04275 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04276 return( 0 ); 04277 else 04278 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04279 } 04280 } 04281 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 04282 MBEDTLS_SSL_PROTO_TLS1_2 */ 04283 #endif /* MBEDTLS_SSL_SRV_C */ 04284 04285 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 04286 { 04287 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04288 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04289 } 04290 04291 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE || 04292 ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 ) 04293 { 04294 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04295 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04296 } 04297 04298 i = mbedtls_ssl_hs_hdr_len( ssl ); 04299 04300 /* 04301 * Same message structure as in mbedtls_ssl_write_certificate() 04302 */ 04303 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2]; 04304 04305 if( ssl->in_msg[i] != 0 || 04306 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) ) 04307 { 04308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04309 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04310 } 04311 04312 /* In case we tried to reuse a session but it failed */ 04313 if( ssl->session_negotiate->peer_cert != NULL ) 04314 { 04315 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); 04316 mbedtls_free( ssl->session_negotiate->peer_cert ); 04317 } 04318 04319 if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1, 04320 sizeof( mbedtls_x509_crt ) ) ) == NULL ) 04321 { 04322 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 04323 sizeof( mbedtls_x509_crt ) ) ); 04324 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 04325 } 04326 04327 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); 04328 04329 i += 3; 04330 04331 while( i < ssl->in_hslen ) 04332 { 04333 if( ssl->in_msg[i] != 0 ) 04334 { 04335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04336 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04337 } 04338 04339 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 ) 04340 | (unsigned int) ssl->in_msg[i + 2]; 04341 i += 3; 04342 04343 if( n < 128 || i + n > ssl->in_hslen ) 04344 { 04345 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04346 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04347 } 04348 04349 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert, 04350 ssl->in_msg + i, n ); 04351 if( ret != 0 ) 04352 { 04353 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); 04354 return( ret ); 04355 } 04356 04357 i += n; 04358 } 04359 04360 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); 04361 04362 /* 04363 * On client, make sure the server cert doesn't change during renego to 04364 * avoid "triple handshake" attack: https://secure-resumption.com/ 04365 */ 04366 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 04367 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 04368 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 04369 { 04370 if( ssl->session->peer_cert == NULL ) 04371 { 04372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) ); 04373 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04374 } 04375 04376 if( ssl->session->peer_cert->raw.len != 04377 ssl->session_negotiate->peer_cert->raw.len || 04378 memcmp( ssl->session->peer_cert->raw.p, 04379 ssl->session_negotiate->peer_cert->raw.p, 04380 ssl->session->peer_cert->raw.len ) != 0 ) 04381 { 04382 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) ); 04383 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04384 } 04385 } 04386 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 04387 04388 if( authmode != MBEDTLS_SSL_VERIFY_NONE ) 04389 { 04390 mbedtls_x509_crt *ca_chain; 04391 mbedtls_x509_crl *ca_crl; 04392 04393 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04394 if( ssl->handshake->sni_ca_chain != NULL ) 04395 { 04396 ca_chain = ssl->handshake->sni_ca_chain; 04397 ca_crl = ssl->handshake->sni_ca_crl; 04398 } 04399 else 04400 #endif 04401 { 04402 ca_chain = ssl->conf->ca_chain; 04403 ca_crl = ssl->conf->ca_crl; 04404 } 04405 04406 if( ca_chain == NULL ) 04407 { 04408 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); 04409 return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED ); 04410 } 04411 04412 /* 04413 * Main check: verify certificate 04414 */ 04415 ret = mbedtls_x509_crt_verify_with_profile( 04416 ssl->session_negotiate->peer_cert, 04417 ca_chain, ca_crl, 04418 ssl->conf->cert_profile, 04419 ssl->hostname, 04420 &ssl->session_negotiate->verify_result, 04421 ssl->conf->f_vrfy, ssl->conf->p_vrfy ); 04422 04423 if( ret != 0 ) 04424 { 04425 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); 04426 } 04427 04428 /* 04429 * Secondary checks: always done, but change 'ret' only if it was 0 04430 */ 04431 04432 #if defined(MBEDTLS_ECP_C) 04433 { 04434 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk; 04435 04436 /* If certificate uses an EC key, make sure the curve is OK */ 04437 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && 04438 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp .id ) != 0 ) 04439 { 04440 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); 04441 if( ret == 0 ) 04442 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04443 } 04444 } 04445 #endif /* MBEDTLS_ECP_C */ 04446 04447 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, 04448 ciphersuite_info, 04449 ! ssl->conf->endpoint, 04450 &ssl->session_negotiate->verify_result ) != 0 ) 04451 { 04452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); 04453 if( ret == 0 ) 04454 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04455 } 04456 04457 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04458 ret = 0; 04459 } 04460 04461 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); 04462 04463 return( ret ); 04464 } 04465 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 04466 !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 04467 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 04468 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 04469 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 04470 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 04471 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 04472 04473 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ) 04474 { 04475 int ret; 04476 04477 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); 04478 04479 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; 04480 ssl->out_msglen = 1; 04481 ssl->out_msg[0] = 1; 04482 04483 ssl->state++; 04484 04485 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04486 { 04487 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04488 return( ret ); 04489 } 04490 04491 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); 04492 04493 return( 0 ); 04494 } 04495 04496 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) 04497 { 04498 int ret; 04499 04500 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) ); 04501 04502 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04503 { 04504 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04505 return( ret ); 04506 } 04507 04508 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) 04509 { 04510 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04511 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04512 } 04513 04514 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 ) 04515 { 04516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04517 return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); 04518 } 04519 04520 /* 04521 * Switch to our negotiated transform and session parameters for inbound 04522 * data. 04523 */ 04524 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); 04525 ssl->transform_in = ssl->transform_negotiate; 04526 ssl->session_in = ssl->session_negotiate; 04527 04528 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04529 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 04530 { 04531 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 04532 ssl_dtls_replay_reset( ssl ); 04533 #endif 04534 04535 /* Increment epoch */ 04536 if( ++ssl->in_epoch == 0 ) 04537 { 04538 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 04539 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 04540 } 04541 } 04542 else 04543 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 04544 memset( ssl->in_ctr, 0, 8 ); 04545 04546 /* 04547 * Set the in_msg pointer to the correct location based on IV length 04548 */ 04549 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 04550 { 04551 ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen - 04552 ssl->transform_negotiate->fixed_ivlen; 04553 } 04554 else 04555 ssl->in_msg = ssl->in_iv; 04556 04557 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 04558 if( mbedtls_ssl_hw_record_activate != NULL ) 04559 { 04560 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 ) 04561 { 04562 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 04563 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 04564 } 04565 } 04566 #endif 04567 04568 ssl->state++; 04569 04570 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) ); 04571 04572 return( 0 ); 04573 } 04574 04575 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, 04576 const mbedtls_ssl_ciphersuite_t *ciphersuite_info ) 04577 { 04578 ((void) ciphersuite_info); 04579 04580 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04581 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04582 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 04583 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1; 04584 else 04585 #endif 04586 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04587 #if defined(MBEDTLS_SHA512_C) 04588 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 04589 ssl->handshake->update_checksum = ssl_update_checksum_sha384; 04590 else 04591 #endif 04592 #if defined(MBEDTLS_SHA256_C) 04593 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 ) 04594 ssl->handshake->update_checksum = ssl_update_checksum_sha256; 04595 else 04596 #endif 04597 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04598 { 04599 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04600 return; 04601 } 04602 } 04603 04604 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) 04605 { 04606 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04607 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04608 mbedtls_md5_starts( &ssl->handshake->fin_md5 ); 04609 mbedtls_sha1_starts( &ssl->handshake->fin_sha1 ); 04610 #endif 04611 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04612 #if defined(MBEDTLS_SHA256_C) 04613 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 ); 04614 #endif 04615 #if defined(MBEDTLS_SHA512_C) 04616 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 ); 04617 #endif 04618 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04619 } 04620 04621 static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, 04622 const unsigned char *buf, size_t len ) 04623 { 04624 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04625 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04626 mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len ); 04627 mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len ); 04628 #endif 04629 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04630 #if defined(MBEDTLS_SHA256_C) 04631 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len ); 04632 #endif 04633 #if defined(MBEDTLS_SHA512_C) 04634 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); 04635 #endif 04636 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04637 } 04638 04639 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04640 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04641 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, 04642 const unsigned char *buf, size_t len ) 04643 { 04644 mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len ); 04645 mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len ); 04646 } 04647 #endif 04648 04649 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04650 #if defined(MBEDTLS_SHA256_C) 04651 static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, 04652 const unsigned char *buf, size_t len ) 04653 { 04654 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len ); 04655 } 04656 #endif 04657 04658 #if defined(MBEDTLS_SHA512_C) 04659 static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, 04660 const unsigned char *buf, size_t len ) 04661 { 04662 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); 04663 } 04664 #endif 04665 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04666 04667 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04668 static void ssl_calc_finished_ssl( 04669 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04670 { 04671 const char *sender; 04672 mbedtls_md5_context md5; 04673 mbedtls_sha1_context sha1; 04674 04675 unsigned char padbuf[48]; 04676 unsigned char md5sum[16]; 04677 unsigned char sha1sum[20]; 04678 04679 mbedtls_ssl_session *session = ssl->session_negotiate; 04680 if( !session ) 04681 session = ssl->session; 04682 04683 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) ); 04684 04685 mbedtls_md5_init( &md5 ); 04686 mbedtls_sha1_init( &sha1 ); 04687 04688 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 04689 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 04690 04691 /* 04692 * SSLv3: 04693 * hash = 04694 * MD5( master + pad2 + 04695 * MD5( handshake + sender + master + pad1 ) ) 04696 * + SHA1( master + pad2 + 04697 * SHA1( handshake + sender + master + pad1 ) ) 04698 */ 04699 04700 #if !defined(MBEDTLS_MD5_ALT) 04701 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 04702 md5.state , sizeof( md5.state ) ); 04703 #endif 04704 04705 #if !defined(MBEDTLS_SHA1_ALT) 04706 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 04707 sha1.state , sizeof( sha1.state ) ); 04708 #endif 04709 04710 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT" 04711 : "SRVR"; 04712 04713 memset( padbuf, 0x36, 48 ); 04714 04715 mbedtls_md5_update( &md5, (const unsigned char *) sender, 4 ); 04716 mbedtls_md5_update( &md5, session->master, 48 ); 04717 mbedtls_md5_update( &md5, padbuf, 48 ); 04718 mbedtls_md5_finish( &md5, md5sum ); 04719 04720 mbedtls_sha1_update( &sha1, (const unsigned char *) sender, 4 ); 04721 mbedtls_sha1_update( &sha1, session->master, 48 ); 04722 mbedtls_sha1_update( &sha1, padbuf, 40 ); 04723 mbedtls_sha1_finish( &sha1, sha1sum ); 04724 04725 memset( padbuf, 0x5C, 48 ); 04726 04727 mbedtls_md5_starts( &md5 ); 04728 mbedtls_md5_update( &md5, session->master, 48 ); 04729 mbedtls_md5_update( &md5, padbuf, 48 ); 04730 mbedtls_md5_update( &md5, md5sum, 16 ); 04731 mbedtls_md5_finish( &md5, buf ); 04732 04733 mbedtls_sha1_starts( &sha1 ); 04734 mbedtls_sha1_update( &sha1, session->master, 48 ); 04735 mbedtls_sha1_update( &sha1, padbuf , 40 ); 04736 mbedtls_sha1_update( &sha1, sha1sum, 20 ); 04737 mbedtls_sha1_finish( &sha1, buf + 16 ); 04738 04739 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 ); 04740 04741 mbedtls_md5_free( &md5 ); 04742 mbedtls_sha1_free( &sha1 ); 04743 04744 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04745 mbedtls_zeroize( md5sum, sizeof( md5sum ) ); 04746 mbedtls_zeroize( sha1sum, sizeof( sha1sum ) ); 04747 04748 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04749 } 04750 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04751 04752 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 04753 static void ssl_calc_finished_tls( 04754 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04755 { 04756 int len = 12; 04757 const char *sender; 04758 mbedtls_md5_context md5; 04759 mbedtls_sha1_context sha1; 04760 unsigned char padbuf[36]; 04761 04762 mbedtls_ssl_session *session = ssl->session_negotiate; 04763 if( !session ) 04764 session = ssl->session; 04765 04766 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) ); 04767 04768 mbedtls_md5_init( &md5 ); 04769 mbedtls_sha1_init( &sha1 ); 04770 04771 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 04772 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 04773 04774 /* 04775 * TLSv1: 04776 * hash = PRF( master, finished_label, 04777 * MD5( handshake ) + SHA1( handshake ) )[0..11] 04778 */ 04779 04780 #if !defined(MBEDTLS_MD5_ALT) 04781 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 04782 md5.state , sizeof( md5.state ) ); 04783 #endif 04784 04785 #if !defined(MBEDTLS_SHA1_ALT) 04786 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 04787 sha1.state , sizeof( sha1.state ) ); 04788 #endif 04789 04790 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 04791 ? "client finished" 04792 : "server finished"; 04793 04794 mbedtls_md5_finish( &md5, padbuf ); 04795 mbedtls_sha1_finish( &sha1, padbuf + 16 ); 04796 04797 ssl->handshake->tls_prf( session->master, 48, sender, 04798 padbuf, 36, buf, len ); 04799 04800 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 04801 04802 mbedtls_md5_free( &md5 ); 04803 mbedtls_sha1_free( &sha1 ); 04804 04805 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04806 04807 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04808 } 04809 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 04810 04811 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04812 #if defined(MBEDTLS_SHA256_C) 04813 static void ssl_calc_finished_tls_sha256( 04814 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04815 { 04816 int len = 12; 04817 const char *sender; 04818 mbedtls_sha256_context sha256; 04819 unsigned char padbuf[32]; 04820 04821 mbedtls_ssl_session *session = ssl->session_negotiate; 04822 if( !session ) 04823 session = ssl->session; 04824 04825 mbedtls_sha256_init( &sha256 ); 04826 04827 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) ); 04828 04829 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 04830 04831 /* 04832 * TLSv1.2: 04833 * hash = PRF( master, finished_label, 04834 * Hash( handshake ) )[0.11] 04835 */ 04836 04837 #if !defined(MBEDTLS_SHA256_ALT) 04838 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *) 04839 sha256.state , sizeof( sha256.state ) ); 04840 #endif 04841 04842 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 04843 ? "client finished" 04844 : "server finished"; 04845 04846 mbedtls_sha256_finish( &sha256, padbuf ); 04847 04848 ssl->handshake->tls_prf( session->master, 48, sender, 04849 padbuf, 32, buf, len ); 04850 04851 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 04852 04853 mbedtls_sha256_free( &sha256 ); 04854 04855 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04856 04857 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04858 } 04859 #endif /* MBEDTLS_SHA256_C */ 04860 04861 #if defined(MBEDTLS_SHA512_C) 04862 static void ssl_calc_finished_tls_sha384( 04863 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04864 { 04865 int len = 12; 04866 const char *sender; 04867 mbedtls_sha512_context sha512; 04868 unsigned char padbuf[48]; 04869 04870 mbedtls_ssl_session *session = ssl->session_negotiate; 04871 if( !session ) 04872 session = ssl->session; 04873 04874 mbedtls_sha512_init( &sha512 ); 04875 04876 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) ); 04877 04878 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 04879 04880 /* 04881 * TLSv1.2: 04882 * hash = PRF( master, finished_label, 04883 * Hash( handshake ) )[0.11] 04884 */ 04885 04886 #if !defined(MBEDTLS_SHA512_ALT) 04887 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *) 04888 sha512.state , sizeof( sha512.state ) ); 04889 #endif 04890 04891 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 04892 ? "client finished" 04893 : "server finished"; 04894 04895 mbedtls_sha512_finish( &sha512, padbuf ); 04896 04897 ssl->handshake->tls_prf( session->master, 48, sender, 04898 padbuf, 48, buf, len ); 04899 04900 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 04901 04902 mbedtls_sha512_free( &sha512 ); 04903 04904 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04905 04906 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04907 } 04908 #endif /* MBEDTLS_SHA512_C */ 04909 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04910 04911 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) 04912 { 04913 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) ); 04914 04915 /* 04916 * Free our handshake params 04917 */ 04918 mbedtls_ssl_handshake_free( ssl->handshake ); 04919 mbedtls_free( ssl->handshake ); 04920 ssl->handshake = NULL; 04921 04922 /* 04923 * Free the previous transform and swith in the current one 04924 */ 04925 if( ssl->transform ) 04926 { 04927 mbedtls_ssl_transform_free( ssl->transform ); 04928 mbedtls_free( ssl->transform ); 04929 } 04930 ssl->transform = ssl->transform_negotiate; 04931 ssl->transform_negotiate = NULL; 04932 04933 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) ); 04934 } 04935 04936 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) 04937 { 04938 int resume = ssl->handshake->resume; 04939 04940 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); 04941 04942 #if defined(MBEDTLS_SSL_RENEGOTIATION) 04943 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 04944 { 04945 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; 04946 ssl->renego_records_seen = 0; 04947 } 04948 #endif 04949 04950 /* 04951 * Free the previous session and switch in the current one 04952 */ 04953 if( ssl->session ) 04954 { 04955 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 04956 /* RFC 7366 3.1: keep the EtM state */ 04957 ssl->session_negotiate->encrypt_then_mac = 04958 ssl->session->encrypt_then_mac; 04959 #endif 04960 04961 mbedtls_ssl_session_free( ssl->session ); 04962 mbedtls_free( ssl->session ); 04963 } 04964 ssl->session = ssl->session_negotiate; 04965 ssl->session_negotiate = NULL; 04966 04967 /* 04968 * Add cache entry 04969 */ 04970 if( ssl->conf->f_set_cache != NULL && 04971 ssl->session->id_len != 0 && 04972 resume == 0 ) 04973 { 04974 if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 ) 04975 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); 04976 } 04977 04978 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04979 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 04980 ssl->handshake->flight != NULL ) 04981 { 04982 /* Cancel handshake timer */ 04983 ssl_set_timer( ssl, 0 ); 04984 04985 /* Keep last flight around in case we need to resend it: 04986 * we need the handshake and transform structures for that */ 04987 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) ); 04988 } 04989 else 04990 #endif 04991 ssl_handshake_wrapup_free_hs_transform( ssl ); 04992 04993 ssl->state++; 04994 04995 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); 04996 } 04997 04998 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) 04999 { 05000 int ret, hash_len; 05001 05002 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) ); 05003 05004 /* 05005 * Set the out_msg pointer to the correct location based on IV length 05006 */ 05007 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 05008 { 05009 ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen - 05010 ssl->transform_negotiate->fixed_ivlen; 05011 } 05012 else 05013 ssl->out_msg = ssl->out_iv; 05014 05015 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint ); 05016 05017 /* 05018 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites 05019 * may define some other value. Currently (early 2016), no defined 05020 * ciphersuite does this (and this is unlikely to change as activity has 05021 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here. 05022 */ 05023 hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12; 05024 05025 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05026 ssl->verify_data_len = hash_len; 05027 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len ); 05028 #endif 05029 05030 ssl->out_msglen = 4 + hash_len; 05031 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 05032 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; 05033 05034 /* 05035 * In case of session resuming, invert the client and server 05036 * ChangeCipherSpec messages order. 05037 */ 05038 if( ssl->handshake->resume != 0 ) 05039 { 05040 #if defined(MBEDTLS_SSL_CLI_C) 05041 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05042 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05043 #endif 05044 #if defined(MBEDTLS_SSL_SRV_C) 05045 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05046 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05047 #endif 05048 } 05049 else 05050 ssl->state++; 05051 05052 /* 05053 * Switch to our negotiated transform and session parameters for outbound 05054 * data. 05055 */ 05056 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); 05057 05058 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05059 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05060 { 05061 unsigned char i; 05062 05063 /* Remember current epoch settings for resending */ 05064 ssl->handshake->alt_transform_out = ssl->transform_out; 05065 memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 ); 05066 05067 /* Set sequence_number to zero */ 05068 memset( ssl->out_ctr + 2, 0, 6 ); 05069 05070 /* Increment epoch */ 05071 for( i = 2; i > 0; i-- ) 05072 if( ++ssl->out_ctr[i - 1] != 0 ) 05073 break; 05074 05075 /* The loop goes to its end iff the counter is wrapping */ 05076 if( i == 0 ) 05077 { 05078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 05079 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 05080 } 05081 } 05082 else 05083 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 05084 memset( ssl->out_ctr, 0, 8 ); 05085 05086 ssl->transform_out = ssl->transform_negotiate; 05087 ssl->session_out = ssl->session_negotiate; 05088 05089 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05090 if( mbedtls_ssl_hw_record_activate != NULL ) 05091 { 05092 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 05093 { 05094 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 05095 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05096 } 05097 } 05098 #endif 05099 05100 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05101 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05102 mbedtls_ssl_send_flight_completed( ssl ); 05103 #endif 05104 05105 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 05106 { 05107 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 05108 return( ret ); 05109 } 05110 05111 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) ); 05112 05113 return( 0 ); 05114 } 05115 05116 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05117 #define SSL_MAX_HASH_LEN 36 05118 #else 05119 #define SSL_MAX_HASH_LEN 12 05120 #endif 05121 05122 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) 05123 { 05124 int ret; 05125 unsigned int hash_len; 05126 unsigned char buf[SSL_MAX_HASH_LEN]; 05127 05128 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); 05129 05130 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 ); 05131 05132 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 05133 { 05134 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 05135 return( ret ); 05136 } 05137 05138 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 05139 { 05140 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05141 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 05142 } 05143 05144 /* There is currently no ciphersuite using another length with TLS 1.2 */ 05145 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05146 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 05147 hash_len = 36; 05148 else 05149 #endif 05150 hash_len = 12; 05151 05152 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED || 05153 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len ) 05154 { 05155 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05156 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05157 } 05158 05159 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), 05160 buf, hash_len ) != 0 ) 05161 { 05162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05163 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05164 } 05165 05166 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05167 ssl->verify_data_len = hash_len; 05168 memcpy( ssl->peer_verify_data, buf, hash_len ); 05169 #endif 05170 05171 if( ssl->handshake->resume != 0 ) 05172 { 05173 #if defined(MBEDTLS_SSL_CLI_C) 05174 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05175 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05176 #endif 05177 #if defined(MBEDTLS_SSL_SRV_C) 05178 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05179 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05180 #endif 05181 } 05182 else 05183 ssl->state++; 05184 05185 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05186 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05187 mbedtls_ssl_recv_flight_completed( ssl ); 05188 #endif 05189 05190 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) ); 05191 05192 return( 0 ); 05193 } 05194 05195 static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) 05196 { 05197 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); 05198 05199 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 05200 defined(MBEDTLS_SSL_PROTO_TLS1_1) 05201 mbedtls_md5_init( &handshake->fin_md5 ); 05202 mbedtls_sha1_init( &handshake->fin_sha1 ); 05203 mbedtls_md5_starts( &handshake->fin_md5 ); 05204 mbedtls_sha1_starts( &handshake->fin_sha1 ); 05205 #endif 05206 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 05207 #if defined(MBEDTLS_SHA256_C) 05208 mbedtls_sha256_init( &handshake->fin_sha256 ); 05209 mbedtls_sha256_starts( &handshake->fin_sha256, 0 ); 05210 #endif 05211 #if defined(MBEDTLS_SHA512_C) 05212 mbedtls_sha512_init( &handshake->fin_sha512 ); 05213 mbedtls_sha512_starts( &handshake->fin_sha512, 1 ); 05214 #endif 05215 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 05216 05217 handshake->update_checksum = ssl_update_checksum_start; 05218 handshake->sig_alg = MBEDTLS_SSL_HASH_SHA1; 05219 05220 #if defined(MBEDTLS_DHM_C) 05221 mbedtls_dhm_init( &handshake->dhm_ctx ); 05222 #endif 05223 #if defined(MBEDTLS_ECDH_C) 05224 mbedtls_ecdh_init( &handshake->ecdh_ctx ); 05225 #endif 05226 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 05227 mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); 05228 #if defined(MBEDTLS_SSL_CLI_C) 05229 handshake->ecjpake_cache = NULL; 05230 handshake->ecjpake_cache_len = 0; 05231 #endif 05232 #endif 05233 05234 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05235 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; 05236 #endif 05237 } 05238 05239 static void ssl_transform_init( mbedtls_ssl_transform *transform ) 05240 { 05241 memset( transform, 0, sizeof(mbedtls_ssl_transform) ); 05242 05243 mbedtls_cipher_init( &transform->cipher_ctx_enc ); 05244 mbedtls_cipher_init( &transform->cipher_ctx_dec ); 05245 05246 mbedtls_md_init( &transform->md_ctx_enc ); 05247 mbedtls_md_init( &transform->md_ctx_dec ); 05248 } 05249 05250 void mbedtls_ssl_session_init( mbedtls_ssl_session *session ) 05251 { 05252 memset( session, 0, sizeof(mbedtls_ssl_session) ); 05253 } 05254 05255 static int ssl_handshake_init( mbedtls_ssl_context *ssl ) 05256 { 05257 /* Clear old handshake information if present */ 05258 if( ssl->transform_negotiate ) 05259 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 05260 if( ssl->session_negotiate ) 05261 mbedtls_ssl_session_free( ssl->session_negotiate ); 05262 if( ssl->handshake ) 05263 mbedtls_ssl_handshake_free( ssl->handshake ); 05264 05265 /* 05266 * Either the pointers are now NULL or cleared properly and can be freed. 05267 * Now allocate missing structures. 05268 */ 05269 if( ssl->transform_negotiate == NULL ) 05270 { 05271 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) ); 05272 } 05273 05274 if( ssl->session_negotiate == NULL ) 05275 { 05276 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) ); 05277 } 05278 05279 if( ssl->handshake == NULL ) 05280 { 05281 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) ); 05282 } 05283 05284 /* All pointers should exist and can be directly freed without issue */ 05285 if( ssl->handshake == NULL || 05286 ssl->transform_negotiate == NULL || 05287 ssl->session_negotiate == NULL ) 05288 { 05289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) ); 05290 05291 mbedtls_free( ssl->handshake ); 05292 mbedtls_free( ssl->transform_negotiate ); 05293 mbedtls_free( ssl->session_negotiate ); 05294 05295 ssl->handshake = NULL; 05296 ssl->transform_negotiate = NULL; 05297 ssl->session_negotiate = NULL; 05298 05299 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05300 } 05301 05302 /* Initialize structures */ 05303 mbedtls_ssl_session_init( ssl->session_negotiate ); 05304 ssl_transform_init( ssl->transform_negotiate ); 05305 ssl_handshake_params_init( ssl->handshake ); 05306 05307 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05308 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05309 { 05310 ssl->handshake->alt_transform_out = ssl->transform_out; 05311 05312 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05313 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 05314 else 05315 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 05316 05317 ssl_set_timer( ssl, 0 ); 05318 } 05319 #endif 05320 05321 return( 0 ); 05322 } 05323 05324 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05325 /* Dummy cookie callbacks for defaults */ 05326 static int ssl_cookie_write_dummy( void *ctx, 05327 unsigned char **p, unsigned char *end, 05328 const unsigned char *cli_id, size_t cli_id_len ) 05329 { 05330 ((void) ctx); 05331 ((void) p); 05332 ((void) end); 05333 ((void) cli_id); 05334 ((void) cli_id_len); 05335 05336 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05337 } 05338 05339 static int ssl_cookie_check_dummy( void *ctx, 05340 const unsigned char *cookie, size_t cookie_len, 05341 const unsigned char *cli_id, size_t cli_id_len ) 05342 { 05343 ((void) ctx); 05344 ((void) cookie); 05345 ((void) cookie_len); 05346 ((void) cli_id); 05347 ((void) cli_id_len); 05348 05349 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05350 } 05351 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 05352 05353 /* 05354 * Initialize an SSL context 05355 */ 05356 void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) 05357 { 05358 memset( ssl, 0, sizeof( mbedtls_ssl_context ) ); 05359 } 05360 05361 /* 05362 * Setup an SSL context 05363 */ 05364 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, 05365 const mbedtls_ssl_config *conf ) 05366 { 05367 int ret; 05368 const size_t len = MBEDTLS_SSL_BUFFER_LEN; 05369 05370 ssl->conf = conf; 05371 05372 /* 05373 * Prepare base structures 05374 */ 05375 if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL || 05376 ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL ) 05377 { 05378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) ); 05379 mbedtls_free( ssl->in_buf ); 05380 ssl->in_buf = NULL; 05381 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05382 } 05383 05384 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05385 if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05386 { 05387 ssl->out_hdr = ssl->out_buf; 05388 ssl->out_ctr = ssl->out_buf + 3; 05389 ssl->out_len = ssl->out_buf + 11; 05390 ssl->out_iv = ssl->out_buf + 13; 05391 ssl->out_msg = ssl->out_buf + 13; 05392 05393 ssl->in_hdr = ssl->in_buf; 05394 ssl->in_ctr = ssl->in_buf + 3; 05395 ssl->in_len = ssl->in_buf + 11; 05396 ssl->in_iv = ssl->in_buf + 13; 05397 ssl->in_msg = ssl->in_buf + 13; 05398 } 05399 else 05400 #endif 05401 { 05402 ssl->out_ctr = ssl->out_buf; 05403 ssl->out_hdr = ssl->out_buf + 8; 05404 ssl->out_len = ssl->out_buf + 11; 05405 ssl->out_iv = ssl->out_buf + 13; 05406 ssl->out_msg = ssl->out_buf + 13; 05407 05408 ssl->in_ctr = ssl->in_buf; 05409 ssl->in_hdr = ssl->in_buf + 8; 05410 ssl->in_len = ssl->in_buf + 11; 05411 ssl->in_iv = ssl->in_buf + 13; 05412 ssl->in_msg = ssl->in_buf + 13; 05413 } 05414 05415 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05416 return( ret ); 05417 05418 return( 0 ); 05419 } 05420 05421 /* 05422 * Reset an initialized and used SSL context for re-use while retaining 05423 * all application-set variables, function pointers and data. 05424 * 05425 * If partial is non-zero, keep data in the input buffer and client ID. 05426 * (Use when a DTLS client reconnects from the same port.) 05427 */ 05428 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) 05429 { 05430 int ret; 05431 05432 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 05433 05434 /* Cancel any possibly running timer */ 05435 ssl_set_timer( ssl, 0 ); 05436 05437 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05438 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE; 05439 ssl->renego_records_seen = 0; 05440 05441 ssl->verify_data_len = 0; 05442 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05443 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05444 #endif 05445 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION; 05446 05447 ssl->in_offt = NULL; 05448 05449 ssl->in_msg = ssl->in_buf + 13; 05450 ssl->in_msgtype = 0; 05451 ssl->in_msglen = 0; 05452 if( partial == 0 ) 05453 ssl->in_left = 0; 05454 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05455 ssl->next_record_offset = 0; 05456 ssl->in_epoch = 0; 05457 #endif 05458 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05459 ssl_dtls_replay_reset( ssl ); 05460 #endif 05461 05462 ssl->in_hslen = 0; 05463 ssl->nb_zero = 0; 05464 ssl->record_read = 0; 05465 05466 ssl->out_msg = ssl->out_buf + 13; 05467 ssl->out_msgtype = 0; 05468 ssl->out_msglen = 0; 05469 ssl->out_left = 0; 05470 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 05471 if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ) 05472 ssl->split_done = 0; 05473 #endif 05474 05475 ssl->transform_in = NULL; 05476 ssl->transform_out = NULL; 05477 05478 memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05479 if( partial == 0 ) 05480 memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05481 05482 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05483 if( mbedtls_ssl_hw_record_reset != NULL ) 05484 { 05485 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) ); 05486 if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 ) 05487 { 05488 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret ); 05489 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05490 } 05491 } 05492 #endif 05493 05494 if( ssl->transform ) 05495 { 05496 mbedtls_ssl_transform_free( ssl->transform ); 05497 mbedtls_free( ssl->transform ); 05498 ssl->transform = NULL; 05499 } 05500 05501 if( ssl->session ) 05502 { 05503 mbedtls_ssl_session_free( ssl->session ); 05504 mbedtls_free( ssl->session ); 05505 ssl->session = NULL; 05506 } 05507 05508 #if defined(MBEDTLS_SSL_ALPN) 05509 ssl->alpn_chosen = NULL; 05510 #endif 05511 05512 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05513 if( partial == 0 ) 05514 { 05515 mbedtls_free( ssl->cli_id ); 05516 ssl->cli_id = NULL; 05517 ssl->cli_id_len = 0; 05518 } 05519 #endif 05520 05521 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05522 return( ret ); 05523 05524 return( 0 ); 05525 } 05526 05527 /* 05528 * Reset an initialized and used SSL context for re-use while retaining 05529 * all application-set variables, function pointers and data. 05530 */ 05531 int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ) 05532 { 05533 return( ssl_session_reset_int( ssl, 0 ) ); 05534 } 05535 05536 /* 05537 * SSL set accessors 05538 */ 05539 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ) 05540 { 05541 conf->endpoint = endpoint; 05542 } 05543 05544 void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ) 05545 { 05546 conf->transport = transport; 05547 } 05548 05549 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05550 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ) 05551 { 05552 conf->anti_replay = mode; 05553 } 05554 #endif 05555 05556 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 05557 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ) 05558 { 05559 conf->badmac_limit = limit; 05560 } 05561 #endif 05562 05563 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05564 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ) 05565 { 05566 conf->hs_timeout_min = min; 05567 conf->hs_timeout_max = max; 05568 } 05569 #endif 05570 05571 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) 05572 { 05573 conf->authmode = authmode; 05574 } 05575 05576 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05577 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, 05578 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 05579 void *p_vrfy ) 05580 { 05581 conf->f_vrfy = f_vrfy; 05582 conf->p_vrfy = p_vrfy; 05583 } 05584 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 05585 05586 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, 05587 int (*f_rng)(void *, unsigned char *, size_t), 05588 void *p_rng ) 05589 { 05590 conf->f_rng = f_rng; 05591 conf->p_rng = p_rng; 05592 } 05593 05594 void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf, 05595 void (*f_dbg)(void *, int, const char *, int, const char *), 05596 void *p_dbg ) 05597 { 05598 conf->f_dbg = f_dbg; 05599 conf->p_dbg = p_dbg; 05600 } 05601 05602 void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, 05603 void *p_bio, 05604 mbedtls_ssl_send_t *f_send, 05605 mbedtls_ssl_recv_t *f_recv, 05606 mbedtls_ssl_recv_timeout_t *f_recv_timeout ) 05607 { 05608 ssl->p_bio = p_bio; 05609 ssl->f_send = f_send; 05610 ssl->f_recv = f_recv; 05611 ssl->f_recv_timeout = f_recv_timeout; 05612 } 05613 05614 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ) 05615 { 05616 conf->read_timeout = timeout; 05617 } 05618 05619 void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, 05620 void *p_timer, 05621 mbedtls_ssl_set_timer_t *f_set_timer, 05622 mbedtls_ssl_get_timer_t *f_get_timer ) 05623 { 05624 ssl->p_timer = p_timer; 05625 ssl->f_set_timer = f_set_timer; 05626 ssl->f_get_timer = f_get_timer; 05627 05628 /* Make sure we start with no timer running */ 05629 ssl_set_timer( ssl, 0 ); 05630 } 05631 05632 #if defined(MBEDTLS_SSL_SRV_C) 05633 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, 05634 void *p_cache, 05635 int (*f_get_cache)(void *, mbedtls_ssl_session *), 05636 int (*f_set_cache)(void *, const mbedtls_ssl_session *) ) 05637 { 05638 conf->p_cache = p_cache; 05639 conf->f_get_cache = f_get_cache; 05640 conf->f_set_cache = f_set_cache; 05641 } 05642 #endif /* MBEDTLS_SSL_SRV_C */ 05643 05644 #if defined(MBEDTLS_SSL_CLI_C) 05645 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ) 05646 { 05647 int ret; 05648 05649 if( ssl == NULL || 05650 session == NULL || 05651 ssl->session_negotiate == NULL || 05652 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 05653 { 05654 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05655 } 05656 05657 if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 ) 05658 return( ret ); 05659 05660 ssl->handshake->resume = 1; 05661 05662 return( 0 ); 05663 } 05664 #endif /* MBEDTLS_SSL_CLI_C */ 05665 05666 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, 05667 const int *ciphersuites ) 05668 { 05669 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; 05670 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; 05671 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; 05672 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; 05673 } 05674 05675 void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, 05676 const int *ciphersuites, 05677 int major, int minor ) 05678 { 05679 if( major != MBEDTLS_SSL_MAJOR_VERSION_3 ) 05680 return; 05681 05682 if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 ) 05683 return; 05684 05685 conf->ciphersuite_list [minor] = ciphersuites; 05686 } 05687 05688 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05689 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf, 05690 const mbedtls_x509_crt_profile *profile ) 05691 { 05692 conf->cert_profile = profile; 05693 } 05694 05695 /* Append a new keycert entry to a (possibly empty) list */ 05696 static int ssl_append_key_cert( mbedtls_ssl_key_cert **head, 05697 mbedtls_x509_crt *cert, 05698 mbedtls_pk_context *key ) 05699 { 05700 mbedtls_ssl_key_cert *new; 05701 05702 new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) ); 05703 if( new == NULL ) 05704 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05705 05706 new->cert = cert; 05707 new->key = key; 05708 new->next = NULL; 05709 05710 /* Update head is the list was null, else add to the end */ 05711 if( *head == NULL ) 05712 { 05713 *head = new; 05714 } 05715 else 05716 { 05717 mbedtls_ssl_key_cert *cur = *head; 05718 while( cur->next != NULL ) 05719 cur = cur->next; 05720 cur->next = new; 05721 } 05722 05723 return( 0 ); 05724 } 05725 05726 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, 05727 mbedtls_x509_crt *own_cert, 05728 mbedtls_pk_context *pk_key ) 05729 { 05730 return( ssl_append_key_cert( &conf->key_cert , own_cert, pk_key ) ); 05731 } 05732 05733 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf, 05734 mbedtls_x509_crt *ca_chain, 05735 mbedtls_x509_crl *ca_crl ) 05736 { 05737 conf->ca_chain = ca_chain; 05738 conf->ca_crl = ca_crl; 05739 } 05740 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 05741 05742 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05743 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, 05744 mbedtls_x509_crt *own_cert, 05745 mbedtls_pk_context *pk_key ) 05746 { 05747 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert, 05748 own_cert, pk_key ) ); 05749 } 05750 05751 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl, 05752 mbedtls_x509_crt *ca_chain, 05753 mbedtls_x509_crl *ca_crl ) 05754 { 05755 ssl->handshake->sni_ca_chain = ca_chain; 05756 ssl->handshake->sni_ca_crl = ca_crl; 05757 } 05758 05759 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl, 05760 int authmode ) 05761 { 05762 ssl->handshake->sni_authmode = authmode; 05763 } 05764 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 05765 05766 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 05767 /* 05768 * Set EC J-PAKE password for current handshake 05769 */ 05770 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, 05771 const unsigned char *pw, 05772 size_t pw_len ) 05773 { 05774 mbedtls_ecjpake_role role; 05775 05776 if( ssl->handshake == NULL || ssl->conf == NULL ) 05777 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05778 05779 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05780 role = MBEDTLS_ECJPAKE_SERVER; 05781 else 05782 role = MBEDTLS_ECJPAKE_CLIENT; 05783 05784 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx, 05785 role, 05786 MBEDTLS_MD_SHA256, 05787 MBEDTLS_ECP_DP_SECP256R1 , 05788 pw, pw_len ) ); 05789 } 05790 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 05791 05792 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 05793 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, 05794 const unsigned char *psk, size_t psk_len, 05795 const unsigned char *psk_identity, size_t psk_identity_len ) 05796 { 05797 if( psk == NULL || psk_identity == NULL ) 05798 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05799 05800 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 05801 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05802 05803 /* Identity len will be encoded on two bytes */ 05804 if( ( psk_identity_len >> 16 ) != 0 || 05805 psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) 05806 { 05807 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05808 } 05809 05810 if( conf->psk != NULL || conf->psk_identity != NULL ) 05811 { 05812 mbedtls_free( conf->psk ); 05813 mbedtls_free( conf->psk_identity ); 05814 conf->psk = NULL; 05815 conf->psk_identity = NULL; 05816 } 05817 05818 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL || 05819 ( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL ) 05820 { 05821 mbedtls_free( conf->psk ); 05822 mbedtls_free( conf->psk_identity ); 05823 conf->psk = NULL; 05824 conf->psk_identity = NULL; 05825 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05826 } 05827 05828 conf->psk_len = psk_len; 05829 conf->psk_identity_len = psk_identity_len; 05830 05831 memcpy( conf->psk , psk, conf->psk_len ); 05832 memcpy( conf->psk_identity , psk_identity, conf->psk_identity_len ); 05833 05834 return( 0 ); 05835 } 05836 05837 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, 05838 const unsigned char *psk, size_t psk_len ) 05839 { 05840 if( psk == NULL || ssl->handshake == NULL ) 05841 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05842 05843 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 05844 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05845 05846 if( ssl->handshake->psk != NULL ) 05847 mbedtls_free( ssl->handshake->psk ); 05848 05849 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) 05850 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05851 05852 ssl->handshake->psk_len = psk_len; 05853 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len ); 05854 05855 return( 0 ); 05856 } 05857 05858 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, 05859 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, 05860 size_t), 05861 void *p_psk ) 05862 { 05863 conf->f_psk = f_psk; 05864 conf->p_psk = p_psk; 05865 } 05866 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 05867 05868 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 05869 int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ) 05870 { 05871 int ret; 05872 05873 if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P , 16, dhm_P ) ) != 0 || 05874 ( ret = mbedtls_mpi_read_string( &conf->dhm_G , 16, dhm_G ) ) != 0 ) 05875 { 05876 mbedtls_mpi_free( &conf->dhm_P ); 05877 mbedtls_mpi_free( &conf->dhm_G ); 05878 return( ret ); 05879 } 05880 05881 return( 0 ); 05882 } 05883 05884 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) 05885 { 05886 int ret; 05887 05888 if( ( ret = mbedtls_mpi_copy( &conf->dhm_P , &dhm_ctx->P ) ) != 0 || 05889 ( ret = mbedtls_mpi_copy( &conf->dhm_G , &dhm_ctx->G ) ) != 0 ) 05890 { 05891 mbedtls_mpi_free( &conf->dhm_P ); 05892 mbedtls_mpi_free( &conf->dhm_G ); 05893 return( ret ); 05894 } 05895 05896 return( 0 ); 05897 } 05898 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */ 05899 05900 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 05901 /* 05902 * Set the minimum length for Diffie-Hellman parameters 05903 */ 05904 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, 05905 unsigned int bitlen ) 05906 { 05907 conf->dhm_min_bitlen = bitlen; 05908 } 05909 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ 05910 05911 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 05912 /* 05913 * Set allowed/preferred hashes for handshake signatures 05914 */ 05915 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, 05916 const int *hashes ) 05917 { 05918 conf->sig_hashes = hashes; 05919 } 05920 #endif 05921 05922 #if defined(MBEDTLS_ECP_C) 05923 /* 05924 * Set the allowed elliptic curves 05925 */ 05926 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, 05927 const mbedtls_ecp_group_id *curve_list ) 05928 { 05929 conf->curve_list = curve_list; 05930 } 05931 #endif 05932 05933 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05934 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) 05935 { 05936 size_t hostname_len; 05937 05938 if( hostname == NULL ) 05939 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05940 05941 hostname_len = strlen( hostname ); 05942 05943 if( hostname_len + 1 == 0 ) 05944 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05945 05946 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN ) 05947 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05948 05949 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 ); 05950 05951 if( ssl->hostname == NULL ) 05952 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05953 05954 memcpy( ssl->hostname, hostname, hostname_len ); 05955 05956 ssl->hostname[hostname_len] = '\0'; 05957 05958 return( 0 ); 05959 } 05960 #endif 05961 05962 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05963 void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, 05964 int (*f_sni)(void *, mbedtls_ssl_context *, 05965 const unsigned char *, size_t), 05966 void *p_sni ) 05967 { 05968 conf->f_sni = f_sni; 05969 conf->p_sni = p_sni; 05970 } 05971 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 05972 05973 #if defined(MBEDTLS_SSL_ALPN) 05974 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ) 05975 { 05976 size_t cur_len, tot_len; 05977 const char **p; 05978 05979 /* 05980 * "Empty strings MUST NOT be included and byte strings MUST NOT be 05981 * truncated". Check lengths now rather than later. 05982 */ 05983 tot_len = 0; 05984 for( p = protos; *p != NULL; p++ ) 05985 { 05986 cur_len = strlen( *p ); 05987 tot_len += cur_len; 05988 05989 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 ) 05990 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05991 } 05992 05993 conf->alpn_list = protos; 05994 05995 return( 0 ); 05996 } 05997 05998 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ) 05999 { 06000 return( ssl->alpn_chosen ); 06001 } 06002 #endif /* MBEDTLS_SSL_ALPN */ 06003 06004 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ) 06005 { 06006 conf->max_major_ver = major; 06007 conf->max_minor_ver = minor; 06008 } 06009 06010 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ) 06011 { 06012 conf->min_major_ver = major; 06013 conf->min_minor_ver = minor; 06014 } 06015 06016 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) 06017 void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ) 06018 { 06019 conf->fallback = fallback; 06020 } 06021 #endif 06022 06023 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 06024 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ) 06025 { 06026 conf->encrypt_then_mac = etm; 06027 } 06028 #endif 06029 06030 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 06031 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems ) 06032 { 06033 conf->extended_ms = ems; 06034 } 06035 #endif 06036 06037 #if defined(MBEDTLS_ARC4_C) 06038 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ) 06039 { 06040 conf->arc4_disabled = arc4; 06041 } 06042 #endif 06043 06044 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06045 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ) 06046 { 06047 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || 06048 mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN ) 06049 { 06050 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06051 } 06052 06053 conf->mfl_code = mfl_code; 06054 06055 return( 0 ); 06056 } 06057 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06058 06059 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 06060 void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) 06061 { 06062 conf->trunc_hmac = truncate; 06063 } 06064 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 06065 06066 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06067 void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ) 06068 { 06069 conf->cbc_record_splitting = split; 06070 } 06071 #endif 06072 06073 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) 06074 { 06075 conf->allow_legacy_renegotiation = allow_legacy; 06076 } 06077 06078 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06079 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation ) 06080 { 06081 conf->disable_renegotiation = renegotiation; 06082 } 06083 06084 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ) 06085 { 06086 conf->renego_max_records = max_records; 06087 } 06088 06089 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf, 06090 const unsigned char period[8] ) 06091 { 06092 memcpy( conf->renego_period , period, 8 ); 06093 } 06094 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06095 06096 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 06097 #if defined(MBEDTLS_SSL_CLI_C) 06098 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) 06099 { 06100 conf->session_tickets = use_tickets; 06101 } 06102 #endif 06103 06104 #if defined(MBEDTLS_SSL_SRV_C) 06105 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, 06106 mbedtls_ssl_ticket_write_t *f_ticket_write, 06107 mbedtls_ssl_ticket_parse_t *f_ticket_parse, 06108 void *p_ticket ) 06109 { 06110 conf->f_ticket_write = f_ticket_write; 06111 conf->f_ticket_parse = f_ticket_parse; 06112 conf->p_ticket = p_ticket; 06113 } 06114 #endif 06115 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 06116 06117 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 06118 void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, 06119 mbedtls_ssl_export_keys_t *f_export_keys, 06120 void *p_export_keys ) 06121 { 06122 conf->f_export_keys = f_export_keys; 06123 conf->p_export_keys = p_export_keys; 06124 } 06125 #endif 06126 06127 /* 06128 * SSL get accessors 06129 */ 06130 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ) 06131 { 06132 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); 06133 } 06134 06135 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl ) 06136 { 06137 if( ssl->session != NULL ) 06138 return( ssl->session->verify_result ); 06139 06140 if( ssl->session_negotiate != NULL ) 06141 return( ssl->session_negotiate->verify_result ); 06142 06143 return( 0xFFFFFFFF ); 06144 } 06145 06146 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl ) 06147 { 06148 if( ssl == NULL || ssl->session == NULL ) 06149 return( NULL ); 06150 06151 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite ); 06152 } 06153 06154 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) 06155 { 06156 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06157 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06158 { 06159 switch( ssl->minor_ver ) 06160 { 06161 case MBEDTLS_SSL_MINOR_VERSION_2: 06162 return( "DTLSv1.0" ); 06163 06164 case MBEDTLS_SSL_MINOR_VERSION_3: 06165 return( "DTLSv1.2" ); 06166 06167 default: 06168 return( "unknown (DTLS)" ); 06169 } 06170 } 06171 #endif 06172 06173 switch( ssl->minor_ver ) 06174 { 06175 case MBEDTLS_SSL_MINOR_VERSION_0: 06176 return( "SSLv3.0" ); 06177 06178 case MBEDTLS_SSL_MINOR_VERSION_1: 06179 return( "TLSv1.0" ); 06180 06181 case MBEDTLS_SSL_MINOR_VERSION_2: 06182 return( "TLSv1.1" ); 06183 06184 case MBEDTLS_SSL_MINOR_VERSION_3: 06185 return( "TLSv1.2" ); 06186 06187 default: 06188 return( "unknown" ); 06189 } 06190 } 06191 06192 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) 06193 { 06194 size_t transform_expansion; 06195 const mbedtls_ssl_transform *transform = ssl->transform_out; 06196 06197 #if defined(MBEDTLS_ZLIB_SUPPORT) 06198 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL ) 06199 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 06200 #endif 06201 06202 if( transform == NULL ) 06203 return( (int) mbedtls_ssl_hdr_len( ssl ) ); 06204 06205 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) ) 06206 { 06207 case MBEDTLS_MODE_GCM: 06208 case MBEDTLS_MODE_CCM: 06209 case MBEDTLS_MODE_STREAM: 06210 transform_expansion = transform->minlen; 06211 break; 06212 06213 case MBEDTLS_MODE_CBC: 06214 transform_expansion = transform->maclen 06215 + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc ); 06216 break; 06217 06218 default: 06219 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 06220 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 06221 } 06222 06223 return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) ); 06224 } 06225 06226 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06227 size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ) 06228 { 06229 size_t max_len; 06230 06231 /* 06232 * Assume mfl_code is correct since it was checked when set 06233 */ 06234 max_len = mfl_code_to_length[ssl->conf->mfl_code]; 06235 06236 /* 06237 * Check if a smaller max length was negotiated 06238 */ 06239 if( ssl->session_out != NULL && 06240 mfl_code_to_length[ssl->session_out->mfl_code] < max_len ) 06241 { 06242 max_len = mfl_code_to_length[ssl->session_out->mfl_code]; 06243 } 06244 06245 return max_len; 06246 } 06247 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06248 06249 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06250 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl ) 06251 { 06252 if( ssl == NULL || ssl->session == NULL ) 06253 return( NULL ); 06254 06255 return( ssl->session->peer_cert ); 06256 } 06257 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06258 06259 #if defined(MBEDTLS_SSL_CLI_C) 06260 int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst ) 06261 { 06262 if( ssl == NULL || 06263 dst == NULL || 06264 ssl->session == NULL || 06265 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 06266 { 06267 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06268 } 06269 06270 return( ssl_session_copy( dst, ssl->session ) ); 06271 } 06272 #endif /* MBEDTLS_SSL_CLI_C */ 06273 06274 /* 06275 * Perform a single step of the SSL handshake 06276 */ 06277 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) 06278 { 06279 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06280 06281 if( ssl == NULL || ssl->conf == NULL ) 06282 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06283 06284 #if defined(MBEDTLS_SSL_CLI_C) 06285 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 06286 ret = mbedtls_ssl_handshake_client_step( ssl ); 06287 #endif 06288 #if defined(MBEDTLS_SSL_SRV_C) 06289 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06290 ret = mbedtls_ssl_handshake_server_step( ssl ); 06291 #endif 06292 06293 return( ret ); 06294 } 06295 06296 /* 06297 * Perform the SSL handshake 06298 */ 06299 int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) 06300 { 06301 int ret = 0; 06302 06303 if( ssl == NULL || ssl->conf == NULL ) 06304 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06305 06306 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); 06307 06308 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06309 { 06310 ret = mbedtls_ssl_handshake_step( ssl ); 06311 06312 if( ret != 0 ) 06313 break; 06314 } 06315 06316 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) ); 06317 06318 return( ret ); 06319 } 06320 06321 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06322 #if defined(MBEDTLS_SSL_SRV_C) 06323 /* 06324 * Write HelloRequest to request renegotiation on server 06325 */ 06326 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ) 06327 { 06328 int ret; 06329 06330 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) ); 06331 06332 ssl->out_msglen = 4; 06333 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 06334 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; 06335 06336 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 06337 { 06338 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 06339 return( ret ); 06340 } 06341 06342 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) ); 06343 06344 return( 0 ); 06345 } 06346 #endif /* MBEDTLS_SSL_SRV_C */ 06347 06348 /* 06349 * Actually renegotiate current connection, triggered by either: 06350 * - any side: calling mbedtls_ssl_renegotiate(), 06351 * - client: receiving a HelloRequest during mbedtls_ssl_read(), 06352 * - server: receiving any handshake message on server during mbedtls_ssl_read() after 06353 * the initial handshake is completed. 06354 * If the handshake doesn't complete due to waiting for I/O, it will continue 06355 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. 06356 */ 06357 static int ssl_start_renegotiation( mbedtls_ssl_context *ssl ) 06358 { 06359 int ret; 06360 06361 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) ); 06362 06363 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 06364 return( ret ); 06365 06366 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and 06367 * the ServerHello will have message_seq = 1" */ 06368 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06369 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 06370 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06371 { 06372 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06373 ssl->handshake->out_msg_seq = 1; 06374 else 06375 ssl->handshake->in_msg_seq = 1; 06376 } 06377 #endif 06378 06379 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 06380 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; 06381 06382 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06383 { 06384 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06385 return( ret ); 06386 } 06387 06388 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) ); 06389 06390 return( 0 ); 06391 } 06392 06393 /* 06394 * Renegotiate current connection on client, 06395 * or request renegotiation on server 06396 */ 06397 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) 06398 { 06399 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06400 06401 if( ssl == NULL || ssl->conf == NULL ) 06402 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06403 06404 #if defined(MBEDTLS_SSL_SRV_C) 06405 /* On server, just send the request */ 06406 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06407 { 06408 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06409 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06410 06411 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 06412 06413 /* Did we already try/start sending HelloRequest? */ 06414 if( ssl->out_left != 0 ) 06415 return( mbedtls_ssl_flush_output( ssl ) ); 06416 06417 return( ssl_write_hello_request( ssl ) ); 06418 } 06419 #endif /* MBEDTLS_SSL_SRV_C */ 06420 06421 #if defined(MBEDTLS_SSL_CLI_C) 06422 /* 06423 * On client, either start the renegotiation process or, 06424 * if already in progress, continue the handshake 06425 */ 06426 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 06427 { 06428 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06429 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06430 06431 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 ) 06432 { 06433 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 06434 return( ret ); 06435 } 06436 } 06437 else 06438 { 06439 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06440 { 06441 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06442 return( ret ); 06443 } 06444 } 06445 #endif /* MBEDTLS_SSL_CLI_C */ 06446 06447 return( ret ); 06448 } 06449 06450 /* 06451 * Check record counters and renegotiate if they're above the limit. 06452 */ 06453 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) 06454 { 06455 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || 06456 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || 06457 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) 06458 { 06459 return( 0 ); 06460 } 06461 06462 if( memcmp( ssl->in_ctr, ssl->conf->renego_period, 8 ) <= 0 && 06463 memcmp( ssl->out_ctr, ssl->conf->renego_period, 8 ) <= 0 ) 06464 { 06465 return( 0 ); 06466 } 06467 06468 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) ); 06469 return( mbedtls_ssl_renegotiate( ssl ) ); 06470 } 06471 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06472 06473 /* 06474 * Receive application data decrypted from the SSL layer 06475 */ 06476 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) 06477 { 06478 int ret, record_read = 0; 06479 size_t n; 06480 06481 if( ssl == NULL || ssl->conf == NULL ) 06482 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06483 06484 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); 06485 06486 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06487 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06488 { 06489 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 06490 return( ret ); 06491 06492 if( ssl->handshake != NULL && 06493 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 06494 { 06495 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 06496 return( ret ); 06497 } 06498 } 06499 #endif 06500 06501 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06502 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) 06503 { 06504 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 06505 return( ret ); 06506 } 06507 #endif 06508 06509 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06510 { 06511 ret = mbedtls_ssl_handshake( ssl ); 06512 if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ) 06513 { 06514 record_read = 1; 06515 } 06516 else if( ret != 0 ) 06517 { 06518 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06519 return( ret ); 06520 } 06521 } 06522 06523 if( ssl->in_offt == NULL ) 06524 { 06525 /* Start timer if not already running */ 06526 if( ssl->f_get_timer != NULL && 06527 ssl->f_get_timer( ssl->p_timer ) == -1 ) 06528 { 06529 ssl_set_timer( ssl, ssl->conf->read_timeout ); 06530 } 06531 06532 if( ! record_read ) 06533 { 06534 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06535 { 06536 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06537 return( 0 ); 06538 06539 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06540 return( ret ); 06541 } 06542 } 06543 06544 if( ssl->in_msglen == 0 && 06545 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA ) 06546 { 06547 /* 06548 * OpenSSL sends empty messages to randomize the IV 06549 */ 06550 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06551 { 06552 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06553 return( 0 ); 06554 06555 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06556 return( ret ); 06557 } 06558 } 06559 06560 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06561 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 06562 { 06563 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); 06564 06565 #if defined(MBEDTLS_SSL_CLI_C) 06566 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 06567 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || 06568 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) 06569 { 06570 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) ); 06571 06572 /* With DTLS, drop the packet (probably from last handshake) */ 06573 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06574 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06575 return( MBEDTLS_ERR_SSL_WANT_READ ); 06576 #endif 06577 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06578 } 06579 06580 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 06581 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 06582 { 06583 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); 06584 06585 /* With DTLS, drop the packet (probably from last handshake) */ 06586 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06587 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06588 return( MBEDTLS_ERR_SSL_WANT_READ ); 06589 #endif 06590 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06591 } 06592 #endif 06593 06594 if( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || 06595 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 06596 ssl->conf->allow_legacy_renegotiation == 06597 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) 06598 { 06599 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); 06600 06601 #if defined(MBEDTLS_SSL_PROTO_SSL3) 06602 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 06603 { 06604 /* 06605 * SSLv3 does not have a "no_renegotiation" alert 06606 */ 06607 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 06608 return( ret ); 06609 } 06610 else 06611 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 06612 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 06613 defined(MBEDTLS_SSL_PROTO_TLS1_2) 06614 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 06615 { 06616 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 06617 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 06618 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 ) 06619 { 06620 return( ret ); 06621 } 06622 } 06623 else 06624 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || 06625 MBEDTLS_SSL_PROTO_TLS1_2 */ 06626 { 06627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 06628 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 06629 } 06630 } 06631 else 06632 { 06633 /* DTLS clients need to know renego is server-initiated */ 06634 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06635 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 06636 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 06637 { 06638 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 06639 } 06640 #endif 06641 ret = ssl_start_renegotiation( ssl ); 06642 if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ) 06643 { 06644 record_read = 1; 06645 } 06646 else if( ret != 0 ) 06647 { 06648 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 06649 return( ret ); 06650 } 06651 } 06652 06653 /* If a non-handshake record was read during renego, fallthrough, 06654 * else tell the user they should call mbedtls_ssl_read() again */ 06655 if( ! record_read ) 06656 return( MBEDTLS_ERR_SSL_WANT_READ ); 06657 } 06658 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06659 { 06660 06661 if( ssl->conf->renego_max_records >= 0 ) 06662 { 06663 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records ) 06664 { 06665 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 06666 "but not honored by client" ) ); 06667 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06668 } 06669 } 06670 } 06671 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06672 06673 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */ 06674 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 06675 { 06676 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); 06677 return( MBEDTLS_ERR_SSL_WANT_READ ); 06678 } 06679 06680 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 06681 { 06682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); 06683 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06684 } 06685 06686 ssl->in_offt = ssl->in_msg; 06687 06688 /* We're going to return something now, cancel timer, 06689 * except if handshake (renegotiation) is in progress */ 06690 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 06691 ssl_set_timer( ssl, 0 ); 06692 06693 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06694 /* If we requested renego but received AppData, resend HelloRequest. 06695 * Do it now, after setting in_offt, to avoid taking this branch 06696 * again if ssl_write_hello_request() returns WANT_WRITE */ 06697 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 06698 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 06699 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06700 { 06701 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 06702 { 06703 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 06704 return( ret ); 06705 } 06706 } 06707 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 06708 #endif 06709 } 06710 06711 n = ( len < ssl->in_msglen ) 06712 ? len : ssl->in_msglen; 06713 06714 memcpy( buf, ssl->in_offt, n ); 06715 ssl->in_msglen -= n; 06716 06717 if( ssl->in_msglen == 0 ) 06718 /* all bytes consumed */ 06719 ssl->in_offt = NULL; 06720 else 06721 /* more data available */ 06722 ssl->in_offt += n; 06723 06724 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); 06725 06726 return( (int) n ); 06727 } 06728 06729 /* 06730 * Send application data to be encrypted by the SSL layer, 06731 * taking care of max fragment length and buffer size 06732 */ 06733 static int ssl_write_real( mbedtls_ssl_context *ssl, 06734 const unsigned char *buf, size_t len ) 06735 { 06736 int ret; 06737 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06738 size_t max_len = mbedtls_ssl_get_max_frag_len( ssl ); 06739 06740 if( len > max_len ) 06741 { 06742 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06743 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06744 { 06745 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " 06746 "maximum fragment length: %d > %d", 06747 len, max_len ) ); 06748 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06749 } 06750 else 06751 #endif 06752 len = max_len; 06753 } 06754 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06755 06756 if( ssl->out_left != 0 ) 06757 { 06758 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 06759 { 06760 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 06761 return( ret ); 06762 } 06763 } 06764 else 06765 { 06766 ssl->out_msglen = len; 06767 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; 06768 memcpy( ssl->out_msg, buf, len ); 06769 06770 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 06771 { 06772 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 06773 return( ret ); 06774 } 06775 } 06776 06777 return( (int) len ); 06778 } 06779 06780 /* 06781 * Write application data, doing 1/n-1 splitting if necessary. 06782 * 06783 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE, 06784 * then the caller will call us again with the same arguments, so 06785 * remember wether we already did the split or not. 06786 */ 06787 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06788 static int ssl_write_split( mbedtls_ssl_context *ssl, 06789 const unsigned char *buf, size_t len ) 06790 { 06791 int ret; 06792 06793 if( ssl->conf->cbc_record_splitting == 06794 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED || 06795 len <= 1 || 06796 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 || 06797 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ) 06798 != MBEDTLS_MODE_CBC ) 06799 { 06800 return( ssl_write_real( ssl, buf, len ) ); 06801 } 06802 06803 if( ssl->split_done == 0 ) 06804 { 06805 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 ) 06806 return( ret ); 06807 ssl->split_done = 1; 06808 } 06809 06810 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 ) 06811 return( ret ); 06812 ssl->split_done = 0; 06813 06814 return( ret + 1 ); 06815 } 06816 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ 06817 06818 /* 06819 * Write application data (public-facing wrapper) 06820 */ 06821 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) 06822 { 06823 int ret; 06824 06825 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); 06826 06827 if( ssl == NULL || ssl->conf == NULL ) 06828 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06829 06830 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06831 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) 06832 { 06833 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 06834 return( ret ); 06835 } 06836 #endif 06837 06838 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06839 { 06840 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06841 { 06842 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06843 return( ret ); 06844 } 06845 } 06846 06847 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06848 ret = ssl_write_split( ssl, buf, len ); 06849 #else 06850 ret = ssl_write_real( ssl, buf, len ); 06851 #endif 06852 06853 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); 06854 06855 return( ret ); 06856 } 06857 06858 /* 06859 * Notify the peer that the connection is being closed 06860 */ 06861 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) 06862 { 06863 int ret; 06864 06865 if( ssl == NULL || ssl->conf == NULL ) 06866 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06867 06868 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); 06869 06870 if( ssl->out_left != 0 ) 06871 return( mbedtls_ssl_flush_output( ssl ) ); 06872 06873 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 06874 { 06875 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 06876 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 06877 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 ) 06878 { 06879 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret ); 06880 return( ret ); 06881 } 06882 } 06883 06884 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) ); 06885 06886 return( 0 ); 06887 } 06888 06889 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) 06890 { 06891 if( transform == NULL ) 06892 return; 06893 06894 #if defined(MBEDTLS_ZLIB_SUPPORT) 06895 deflateEnd( &transform->ctx_deflate ); 06896 inflateEnd( &transform->ctx_inflate ); 06897 #endif 06898 06899 mbedtls_cipher_free( &transform->cipher_ctx_enc ); 06900 mbedtls_cipher_free( &transform->cipher_ctx_dec ); 06901 06902 mbedtls_md_free( &transform->md_ctx_enc ); 06903 mbedtls_md_free( &transform->md_ctx_dec ); 06904 06905 mbedtls_zeroize( transform, sizeof( mbedtls_ssl_transform ) ); 06906 } 06907 06908 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06909 static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert ) 06910 { 06911 mbedtls_ssl_key_cert *cur = key_cert, *next; 06912 06913 while( cur != NULL ) 06914 { 06915 next = cur->next; 06916 mbedtls_free( cur ); 06917 cur = next; 06918 } 06919 } 06920 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06921 06922 void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake ) 06923 { 06924 if( handshake == NULL ) 06925 return; 06926 06927 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 06928 defined(MBEDTLS_SSL_PROTO_TLS1_1) 06929 mbedtls_md5_free( &handshake->fin_md5 ); 06930 mbedtls_sha1_free( &handshake->fin_sha1 ); 06931 #endif 06932 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 06933 #if defined(MBEDTLS_SHA256_C) 06934 mbedtls_sha256_free( &handshake->fin_sha256 ); 06935 #endif 06936 #if defined(MBEDTLS_SHA512_C) 06937 mbedtls_sha512_free( &handshake->fin_sha512 ); 06938 #endif 06939 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 06940 06941 #if defined(MBEDTLS_DHM_C) 06942 mbedtls_dhm_free( &handshake->dhm_ctx ); 06943 #endif 06944 #if defined(MBEDTLS_ECDH_C) 06945 mbedtls_ecdh_free( &handshake->ecdh_ctx ); 06946 #endif 06947 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 06948 mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); 06949 #if defined(MBEDTLS_SSL_CLI_C) 06950 mbedtls_free( handshake->ecjpake_cache ); 06951 handshake->ecjpake_cache = NULL; 06952 handshake->ecjpake_cache_len = 0; 06953 #endif 06954 #endif 06955 06956 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 06957 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 06958 /* explicit void pointer cast for buggy MS compiler */ 06959 mbedtls_free( (void *) handshake->curves ); 06960 #endif 06961 06962 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 06963 if( handshake->psk != NULL ) 06964 { 06965 mbedtls_zeroize( handshake->psk, handshake->psk_len ); 06966 mbedtls_free( handshake->psk ); 06967 } 06968 #endif 06969 06970 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 06971 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 06972 /* 06973 * Free only the linked list wrapper, not the keys themselves 06974 * since the belong to the SNI callback 06975 */ 06976 if( handshake->sni_key_cert != NULL ) 06977 { 06978 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next; 06979 06980 while( cur != NULL ) 06981 { 06982 next = cur->next; 06983 mbedtls_free( cur ); 06984 cur = next; 06985 } 06986 } 06987 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ 06988 06989 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06990 mbedtls_free( handshake->verify_cookie ); 06991 mbedtls_free( handshake->hs_msg ); 06992 ssl_flight_free( handshake->flight ); 06993 #endif 06994 06995 mbedtls_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) ); 06996 } 06997 06998 void mbedtls_ssl_session_free( mbedtls_ssl_session *session ) 06999 { 07000 if( session == NULL ) 07001 return; 07002 07003 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07004 if( session->peer_cert != NULL ) 07005 { 07006 mbedtls_x509_crt_free( session->peer_cert ); 07007 mbedtls_free( session->peer_cert ); 07008 } 07009 #endif 07010 07011 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 07012 mbedtls_free( session->ticket ); 07013 #endif 07014 07015 mbedtls_zeroize( session, sizeof( mbedtls_ssl_session ) ); 07016 } 07017 07018 /* 07019 * Free an SSL context 07020 */ 07021 void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) 07022 { 07023 if( ssl == NULL ) 07024 return; 07025 07026 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) ); 07027 07028 if( ssl->out_buf != NULL ) 07029 { 07030 mbedtls_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN ); 07031 mbedtls_free( ssl->out_buf ); 07032 } 07033 07034 if( ssl->in_buf != NULL ) 07035 { 07036 mbedtls_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN ); 07037 mbedtls_free( ssl->in_buf ); 07038 } 07039 07040 #if defined(MBEDTLS_ZLIB_SUPPORT) 07041 if( ssl->compress_buf != NULL ) 07042 { 07043 mbedtls_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN ); 07044 mbedtls_free( ssl->compress_buf ); 07045 } 07046 #endif 07047 07048 if( ssl->transform ) 07049 { 07050 mbedtls_ssl_transform_free( ssl->transform ); 07051 mbedtls_free( ssl->transform ); 07052 } 07053 07054 if( ssl->handshake ) 07055 { 07056 mbedtls_ssl_handshake_free( ssl->handshake ); 07057 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 07058 mbedtls_ssl_session_free( ssl->session_negotiate ); 07059 07060 mbedtls_free( ssl->handshake ); 07061 mbedtls_free( ssl->transform_negotiate ); 07062 mbedtls_free( ssl->session_negotiate ); 07063 } 07064 07065 if( ssl->session ) 07066 { 07067 mbedtls_ssl_session_free( ssl->session ); 07068 mbedtls_free( ssl->session ); 07069 } 07070 07071 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07072 if( ssl->hostname != NULL ) 07073 { 07074 mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) ); 07075 mbedtls_free( ssl->hostname ); 07076 } 07077 #endif 07078 07079 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 07080 if( mbedtls_ssl_hw_record_finish != NULL ) 07081 { 07082 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) ); 07083 mbedtls_ssl_hw_record_finish( ssl ); 07084 } 07085 #endif 07086 07087 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07088 mbedtls_free( ssl->cli_id ); 07089 #endif 07090 07091 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) ); 07092 07093 /* Actually clear after last debug message */ 07094 mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) ); 07095 } 07096 07097 /* 07098 * Initialze mbedtls_ssl_config 07099 */ 07100 void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) 07101 { 07102 memset( conf, 0, sizeof( mbedtls_ssl_config ) ); 07103 } 07104 07105 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07106 static int ssl_preset_default_hashes[] = { 07107 #if defined(MBEDTLS_SHA512_C) 07108 MBEDTLS_MD_SHA512, 07109 MBEDTLS_MD_SHA384, 07110 #endif 07111 #if defined(MBEDTLS_SHA256_C) 07112 MBEDTLS_MD_SHA256, 07113 MBEDTLS_MD_SHA224, 07114 #endif 07115 #if defined(MBEDTLS_SHA1_C) 07116 MBEDTLS_MD_SHA1, 07117 #endif 07118 MBEDTLS_MD_NONE 07119 }; 07120 #endif 07121 07122 static int ssl_preset_suiteb_ciphersuites[] = { 07123 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 07124 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 07125 0 07126 }; 07127 07128 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07129 static int ssl_preset_suiteb_hashes[] = { 07130 MBEDTLS_MD_SHA256, 07131 MBEDTLS_MD_SHA384, 07132 MBEDTLS_MD_NONE 07133 }; 07134 #endif 07135 07136 #if defined(MBEDTLS_ECP_C) 07137 static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = { 07138 MBEDTLS_ECP_DP_SECP256R1 , 07139 MBEDTLS_ECP_DP_SECP384R1 , 07140 MBEDTLS_ECP_DP_NONE 07141 }; 07142 #endif 07143 07144 /* 07145 * Load default in mbedtls_ssl_config 07146 */ 07147 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, 07148 int endpoint, int transport, int preset ) 07149 { 07150 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07151 int ret; 07152 #endif 07153 07154 /* Use the functions here so that they are covered in tests, 07155 * but otherwise access member directly for efficiency */ 07156 mbedtls_ssl_conf_endpoint( conf, endpoint ); 07157 mbedtls_ssl_conf_transport( conf, transport ); 07158 07159 /* 07160 * Things that are common to all presets 07161 */ 07162 #if defined(MBEDTLS_SSL_CLI_C) 07163 if( endpoint == MBEDTLS_SSL_IS_CLIENT ) 07164 { 07165 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; 07166 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 07167 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; 07168 #endif 07169 } 07170 #endif 07171 07172 #if defined(MBEDTLS_ARC4_C) 07173 conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED; 07174 #endif 07175 07176 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 07177 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 07178 #endif 07179 07180 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 07181 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 07182 #endif 07183 07184 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07185 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; 07186 #endif 07187 07188 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07189 conf->f_cookie_write = ssl_cookie_write_dummy; 07190 conf->f_cookie_check = ssl_cookie_check_dummy; 07191 #endif 07192 07193 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 07194 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; 07195 #endif 07196 07197 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07198 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; 07199 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; 07200 #endif 07201 07202 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07203 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; 07204 memset( conf->renego_period , 0xFF, 7 ); 07205 conf->renego_period [7] = 0x00; 07206 #endif 07207 07208 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07209 if( endpoint == MBEDTLS_SSL_IS_SERVER ) 07210 { 07211 if( ( ret = mbedtls_ssl_conf_dh_param( conf, 07212 MBEDTLS_DHM_RFC5114_MODP_2048_P, 07213 MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 ) 07214 { 07215 return( ret ); 07216 } 07217 } 07218 #endif 07219 07220 /* 07221 * Preset-specific defaults 07222 */ 07223 switch( preset ) 07224 { 07225 /* 07226 * NSA Suite B 07227 */ 07228 case MBEDTLS_SSL_PRESET_SUITEB: 07229 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 07230 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */ 07231 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07232 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07233 07234 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07235 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07236 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07237 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07238 ssl_preset_suiteb_ciphersuites; 07239 07240 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07241 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; 07242 #endif 07243 07244 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07245 conf->sig_hashes = ssl_preset_suiteb_hashes; 07246 #endif 07247 07248 #if defined(MBEDTLS_ECP_C) 07249 conf->curve_list = ssl_preset_suiteb_curves; 07250 #endif 07251 break; 07252 07253 /* 07254 * Default 07255 */ 07256 default: 07257 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 07258 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ 07259 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07260 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07261 07262 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07263 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07264 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; 07265 #endif 07266 07267 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07268 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07269 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07270 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07271 mbedtls_ssl_list_ciphersuites(); 07272 07273 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07274 conf->cert_profile = &mbedtls_x509_crt_profile_default; 07275 #endif 07276 07277 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07278 conf->sig_hashes = ssl_preset_default_hashes; 07279 #endif 07280 07281 #if defined(MBEDTLS_ECP_C) 07282 conf->curve_list = mbedtls_ecp_grp_id_list(); 07283 #endif 07284 07285 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 07286 conf->dhm_min_bitlen = 1024; 07287 #endif 07288 } 07289 07290 return( 0 ); 07291 } 07292 07293 /* 07294 * Free mbedtls_ssl_config 07295 */ 07296 void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) 07297 { 07298 #if defined(MBEDTLS_DHM_C) 07299 mbedtls_mpi_free( &conf->dhm_P ); 07300 mbedtls_mpi_free( &conf->dhm_G ); 07301 #endif 07302 07303 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 07304 if( conf->psk != NULL ) 07305 { 07306 mbedtls_zeroize( conf->psk , conf->psk_len ); 07307 mbedtls_zeroize( conf->psk_identity , conf->psk_identity_len ); 07308 mbedtls_free( conf->psk ); 07309 mbedtls_free( conf->psk_identity ); 07310 conf->psk_len = 0; 07311 conf->psk_identity_len = 0; 07312 } 07313 #endif 07314 07315 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07316 ssl_key_cert_free( conf->key_cert ); 07317 #endif 07318 07319 mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) ); 07320 } 07321 07322 #if defined(MBEDTLS_PK_C) && \ 07323 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) ) 07324 /* 07325 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX 07326 */ 07327 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk ) 07328 { 07329 #if defined(MBEDTLS_RSA_C) 07330 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) ) 07331 return( MBEDTLS_SSL_SIG_RSA ); 07332 #endif 07333 #if defined(MBEDTLS_ECDSA_C) 07334 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) ) 07335 return( MBEDTLS_SSL_SIG_ECDSA ); 07336 #endif 07337 return( MBEDTLS_SSL_SIG_ANON ); 07338 } 07339 07340 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig ) 07341 { 07342 switch( sig ) 07343 { 07344 #if defined(MBEDTLS_RSA_C) 07345 case MBEDTLS_SSL_SIG_RSA: 07346 return( MBEDTLS_PK_RSA ); 07347 #endif 07348 #if defined(MBEDTLS_ECDSA_C) 07349 case MBEDTLS_SSL_SIG_ECDSA: 07350 return( MBEDTLS_PK_ECDSA ); 07351 #endif 07352 default: 07353 return( MBEDTLS_PK_NONE ); 07354 } 07355 } 07356 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */ 07357 07358 /* 07359 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX 07360 */ 07361 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ) 07362 { 07363 switch( hash ) 07364 { 07365 #if defined(MBEDTLS_MD5_C) 07366 case MBEDTLS_SSL_HASH_MD5: 07367 return( MBEDTLS_MD_MD5 ); 07368 #endif 07369 #if defined(MBEDTLS_SHA1_C) 07370 case MBEDTLS_SSL_HASH_SHA1: 07371 return( MBEDTLS_MD_SHA1 ); 07372 #endif 07373 #if defined(MBEDTLS_SHA256_C) 07374 case MBEDTLS_SSL_HASH_SHA224: 07375 return( MBEDTLS_MD_SHA224 ); 07376 case MBEDTLS_SSL_HASH_SHA256: 07377 return( MBEDTLS_MD_SHA256 ); 07378 #endif 07379 #if defined(MBEDTLS_SHA512_C) 07380 case MBEDTLS_SSL_HASH_SHA384: 07381 return( MBEDTLS_MD_SHA384 ); 07382 case MBEDTLS_SSL_HASH_SHA512: 07383 return( MBEDTLS_MD_SHA512 ); 07384 #endif 07385 default: 07386 return( MBEDTLS_MD_NONE ); 07387 } 07388 } 07389 07390 /* 07391 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX 07392 */ 07393 unsigned char mbedtls_ssl_hash_from_md_alg( int md ) 07394 { 07395 switch( md ) 07396 { 07397 #if defined(MBEDTLS_MD5_C) 07398 case MBEDTLS_MD_MD5: 07399 return( MBEDTLS_SSL_HASH_MD5 ); 07400 #endif 07401 #if defined(MBEDTLS_SHA1_C) 07402 case MBEDTLS_MD_SHA1: 07403 return( MBEDTLS_SSL_HASH_SHA1 ); 07404 #endif 07405 #if defined(MBEDTLS_SHA256_C) 07406 case MBEDTLS_MD_SHA224: 07407 return( MBEDTLS_SSL_HASH_SHA224 ); 07408 case MBEDTLS_MD_SHA256: 07409 return( MBEDTLS_SSL_HASH_SHA256 ); 07410 #endif 07411 #if defined(MBEDTLS_SHA512_C) 07412 case MBEDTLS_MD_SHA384: 07413 return( MBEDTLS_SSL_HASH_SHA384 ); 07414 case MBEDTLS_MD_SHA512: 07415 return( MBEDTLS_SSL_HASH_SHA512 ); 07416 #endif 07417 default: 07418 return( MBEDTLS_SSL_HASH_NONE ); 07419 } 07420 } 07421 07422 #if defined(MBEDTLS_ECP_C) 07423 /* 07424 * Check if a curve proposed by the peer is in our list. 07425 * Return 0 if we're willing to use it, -1 otherwise. 07426 */ 07427 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) 07428 { 07429 const mbedtls_ecp_group_id *gid; 07430 07431 if( ssl->conf->curve_list == NULL ) 07432 return( -1 ); 07433 07434 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 07435 if( *gid == grp_id ) 07436 return( 0 ); 07437 07438 return( -1 ); 07439 } 07440 #endif /* MBEDTLS_ECP_C */ 07441 07442 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07443 /* 07444 * Check if a hash proposed by the peer is in our list. 07445 * Return 0 if we're willing to use it, -1 otherwise. 07446 */ 07447 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, 07448 mbedtls_md_type_t md ) 07449 { 07450 const int *cur; 07451 07452 if( ssl->conf->sig_hashes == NULL ) 07453 return( -1 ); 07454 07455 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) 07456 if( *cur == (int) md ) 07457 return( 0 ); 07458 07459 return( -1 ); 07460 } 07461 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 07462 07463 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07464 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, 07465 const mbedtls_ssl_ciphersuite_t *ciphersuite, 07466 int cert_endpoint, 07467 uint32_t *flags ) 07468 { 07469 int ret = 0; 07470 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 07471 int usage = 0; 07472 #endif 07473 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07474 const char *ext_oid; 07475 size_t ext_len; 07476 #endif 07477 07478 #if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \ 07479 !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07480 ((void) cert); 07481 ((void) cert_endpoint); 07482 ((void) flags); 07483 #endif 07484 07485 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 07486 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 07487 { 07488 /* Server part of the key exchange */ 07489 switch( ciphersuite->key_exchange ) 07490 { 07491 case MBEDTLS_KEY_EXCHANGE_RSA: 07492 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 07493 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 07494 break; 07495 07496 case MBEDTLS_KEY_EXCHANGE_DHE_RSA: 07497 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: 07498 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: 07499 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 07500 break; 07501 07502 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: 07503 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: 07504 usage = MBEDTLS_X509_KU_KEY_AGREEMENT; 07505 break; 07506 07507 /* Don't use default: we want warnings when adding new values */ 07508 case MBEDTLS_KEY_EXCHANGE_NONE: 07509 case MBEDTLS_KEY_EXCHANGE_PSK: 07510 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 07511 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 07512 case MBEDTLS_KEY_EXCHANGE_ECJPAKE: 07513 usage = 0; 07514 } 07515 } 07516 else 07517 { 07518 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */ 07519 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 07520 } 07521 07522 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 ) 07523 { 07524 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; 07525 ret = -1; 07526 } 07527 #else 07528 ((void) ciphersuite); 07529 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE */ 07530 07531 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07532 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 07533 { 07534 ext_oid = MBEDTLS_OID_SERVER_AUTH; 07535 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ); 07536 } 07537 else 07538 { 07539 ext_oid = MBEDTLS_OID_CLIENT_AUTH; 07540 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH ); 07541 } 07542 07543 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 ) 07544 { 07545 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; 07546 ret = -1; 07547 } 07548 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ 07549 07550 return( ret ); 07551 } 07552 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 07553 07554 /* 07555 * Convert version numbers to/from wire format 07556 * and, for DTLS, to/from TLS equivalent. 07557 * 07558 * For TLS this is the identity. 07559 * For DTLS, use one complement (v -> 255 - v, and then map as follows: 07560 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1) 07561 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2) 07562 */ 07563 void mbedtls_ssl_write_version( int major, int minor, int transport, 07564 unsigned char ver[2] ) 07565 { 07566 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07567 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07568 { 07569 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 ) 07570 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 07571 07572 ver[0] = (unsigned char)( 255 - ( major - 2 ) ); 07573 ver[1] = (unsigned char)( 255 - ( minor - 1 ) ); 07574 } 07575 else 07576 #else 07577 ((void) transport); 07578 #endif 07579 { 07580 ver[0] = (unsigned char) major; 07581 ver[1] = (unsigned char) minor; 07582 } 07583 } 07584 07585 void mbedtls_ssl_read_version( int *major, int *minor, int transport, 07586 const unsigned char ver[2] ) 07587 { 07588 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07589 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07590 { 07591 *major = 255 - ver[0] + 2; 07592 *minor = 255 - ver[1] + 1; 07593 07594 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 ) 07595 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 07596 } 07597 else 07598 #else 07599 ((void) transport); 07600 #endif 07601 { 07602 *major = ver[0]; 07603 *minor = ver[1]; 07604 } 07605 } 07606 07607 #endif /* MBEDTLS_SSL_TLS_C */
Generated on Tue Jul 12 2022 12:28:51 by
