Gleb Klochkov
/
Climatcontroll_Main
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_CLI_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #include <stdint.h> 00045 00046 #if defined(MBEDTLS_HAVE_TIME) 00047 #include "mbedtls/platform_time.h" 00048 #endif 00049 00050 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00051 /* Implementation that should never be optimized out by the compiler */ 00052 static void mbedtls_zeroize( void *v, size_t n ) { 00053 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00054 } 00055 #endif 00056 00057 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00058 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 00059 unsigned char *buf, 00060 size_t *olen ) 00061 { 00062 unsigned char *p = buf; 00063 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00064 size_t hostname_len; 00065 00066 *olen = 0; 00067 00068 if( ssl->hostname == NULL ) 00069 return; 00070 00071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00072 ssl->hostname ) ); 00073 00074 hostname_len = strlen( ssl->hostname ); 00075 00076 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 00077 { 00078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00079 return; 00080 } 00081 00082 /* 00083 * Sect. 3, RFC 6066 (TLS Extensions Definitions) 00084 * 00085 * In order to provide any of the server names, clients MAY include an 00086 * extension of type "server_name" in the (extended) client hello. The 00087 * "extension_data" field of this extension SHALL contain 00088 * "ServerNameList" where: 00089 * 00090 * struct { 00091 * NameType name_type; 00092 * select (name_type) { 00093 * case host_name: HostName; 00094 * } name; 00095 * } ServerName; 00096 * 00097 * enum { 00098 * host_name(0), (255) 00099 * } NameType; 00100 * 00101 * opaque HostName<1..2^16-1>; 00102 * 00103 * struct { 00104 * ServerName server_name_list<1..2^16-1> 00105 * } ServerNameList; 00106 * 00107 */ 00108 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00109 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 00110 00111 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 00112 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 00113 00114 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 00115 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 00116 00117 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00118 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 00119 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 00120 00121 memcpy( p, ssl->hostname, hostname_len ); 00122 00123 *olen = hostname_len + 9; 00124 } 00125 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00126 00127 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00128 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 00129 unsigned char *buf, 00130 size_t *olen ) 00131 { 00132 unsigned char *p = buf; 00133 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00134 00135 *olen = 0; 00136 00137 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the 00138 * initial ClientHello, in which case also adding the renegotiation 00139 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ 00140 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00141 return; 00142 00143 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00144 00145 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 00146 { 00147 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00148 return; 00149 } 00150 00151 /* 00152 * Secure renegotiation 00153 */ 00154 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00155 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00156 00157 *p++ = 0x00; 00158 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00159 *p++ = ssl->verify_data_len & 0xFF; 00160 00161 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00162 00163 *olen = 5 + ssl->verify_data_len; 00164 } 00165 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00166 00167 /* 00168 * Only if we handle at least one key exchange that needs signatures. 00169 */ 00170 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00171 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00172 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00173 unsigned char *buf, 00174 size_t *olen ) 00175 { 00176 unsigned char *p = buf; 00177 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00178 size_t sig_alg_len = 0; 00179 const int *md; 00180 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 00181 unsigned char *sig_alg_list = buf + 6; 00182 #endif 00183 00184 *olen = 0; 00185 00186 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 00187 return; 00188 00189 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00190 00191 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00192 { 00193 #if defined(MBEDTLS_ECDSA_C) 00194 sig_alg_len += 2; 00195 #endif 00196 #if defined(MBEDTLS_RSA_C) 00197 sig_alg_len += 2; 00198 #endif 00199 } 00200 00201 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 00202 { 00203 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00204 return; 00205 } 00206 00207 /* 00208 * Prepare signature_algorithms extension (TLS 1.2) 00209 */ 00210 sig_alg_len = 0; 00211 00212 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00213 { 00214 #if defined(MBEDTLS_ECDSA_C) 00215 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00216 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 00217 #endif 00218 #if defined(MBEDTLS_RSA_C) 00219 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00220 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 00221 #endif 00222 } 00223 00224 /* 00225 * enum { 00226 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00227 * sha512(6), (255) 00228 * } HashAlgorithm; 00229 * 00230 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00231 * SignatureAlgorithm; 00232 * 00233 * struct { 00234 * HashAlgorithm hash; 00235 * SignatureAlgorithm signature; 00236 * } SignatureAndHashAlgorithm; 00237 * 00238 * SignatureAndHashAlgorithm 00239 * supported_signature_algorithms<2..2^16-2>; 00240 */ 00241 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00242 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 00243 00244 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00245 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00246 00247 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00248 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00249 00250 *olen = 6 + sig_alg_len; 00251 } 00252 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00253 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00254 00255 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00256 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00257 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 00258 unsigned char *buf, 00259 size_t *olen ) 00260 { 00261 unsigned char *p = buf; 00262 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00263 unsigned char *elliptic_curve_list = p + 6; 00264 size_t elliptic_curve_len = 0; 00265 const mbedtls_ecp_curve_info *info; 00266 #if defined(MBEDTLS_ECP_C) 00267 const mbedtls_ecp_group_id *grp_id; 00268 #else 00269 ((void) ssl); 00270 #endif 00271 00272 *olen = 0; 00273 00274 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00275 00276 #if defined(MBEDTLS_ECP_C) 00277 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00278 #else 00279 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00280 #endif 00281 { 00282 #if defined(MBEDTLS_ECP_C) 00283 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00284 #endif 00285 if( info == NULL ) 00286 { 00287 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); 00288 return; 00289 } 00290 00291 elliptic_curve_len += 2; 00292 } 00293 00294 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 00295 { 00296 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00297 return; 00298 } 00299 00300 elliptic_curve_len = 0; 00301 00302 #if defined(MBEDTLS_ECP_C) 00303 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00304 #else 00305 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00306 #endif 00307 { 00308 #if defined(MBEDTLS_ECP_C) 00309 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00310 #endif 00311 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00312 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00313 } 00314 00315 if( elliptic_curve_len == 0 ) 00316 return; 00317 00318 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00319 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00320 00321 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00322 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00323 00324 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00325 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00326 00327 *olen = 6 + elliptic_curve_len; 00328 } 00329 00330 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 00331 unsigned char *buf, 00332 size_t *olen ) 00333 { 00334 unsigned char *p = buf; 00335 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00336 00337 *olen = 0; 00338 00339 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00340 00341 if( end < p || (size_t)( end - p ) < 6 ) 00342 { 00343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00344 return; 00345 } 00346 00347 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00348 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00349 00350 *p++ = 0x00; 00351 *p++ = 2; 00352 00353 *p++ = 1; 00354 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 00355 00356 *olen = 6; 00357 } 00358 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00359 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00360 00361 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00362 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 00363 unsigned char *buf, 00364 size_t *olen ) 00365 { 00366 int ret; 00367 unsigned char *p = buf; 00368 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00369 size_t kkpp_len; 00370 00371 *olen = 0; 00372 00373 /* Skip costly extension if we can't use EC J-PAKE anyway */ 00374 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00375 return; 00376 00377 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 00378 00379 if( end - p < 4 ) 00380 { 00381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00382 return; 00383 } 00384 00385 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 00386 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 00387 00388 /* 00389 * We may need to send ClientHello multiple times for Hello verification. 00390 * We don't want to compute fresh values every time (both for performance 00391 * and consistency reasons), so cache the extension content. 00392 */ 00393 if( ssl->handshake->ecjpake_cache == NULL || 00394 ssl->handshake->ecjpake_cache_len == 0 ) 00395 { 00396 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 00397 00398 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 00399 p + 2, end - p - 2, &kkpp_len, 00400 ssl->conf->f_rng, ssl->conf->p_rng ); 00401 if( ret != 0 ) 00402 { 00403 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 00404 return; 00405 } 00406 00407 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 00408 if( ssl->handshake->ecjpake_cache == NULL ) 00409 { 00410 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 00411 return; 00412 } 00413 00414 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 00415 ssl->handshake->ecjpake_cache_len = kkpp_len; 00416 } 00417 else 00418 { 00419 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 00420 00421 kkpp_len = ssl->handshake->ecjpake_cache_len; 00422 00423 if( (size_t)( end - p - 2 ) < kkpp_len ) 00424 { 00425 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00426 return; 00427 } 00428 00429 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 00430 } 00431 00432 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 00433 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 00434 00435 *olen = kkpp_len + 4; 00436 } 00437 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00438 00439 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00440 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00441 unsigned char *buf, 00442 size_t *olen ) 00443 { 00444 unsigned char *p = buf; 00445 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00446 00447 *olen = 0; 00448 00449 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 00450 return; 00451 } 00452 00453 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00454 00455 if( end < p || (size_t)( end - p ) < 5 ) 00456 { 00457 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00458 return; 00459 } 00460 00461 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00462 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00463 00464 *p++ = 0x00; 00465 *p++ = 1; 00466 00467 *p++ = ssl->conf->mfl_code; 00468 00469 *olen = 5; 00470 } 00471 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00472 00473 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00474 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00475 unsigned char *buf, size_t *olen ) 00476 { 00477 unsigned char *p = buf; 00478 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00479 00480 *olen = 0; 00481 00482 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 00483 { 00484 return; 00485 } 00486 00487 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00488 00489 if( end < p || (size_t)( end - p ) < 4 ) 00490 { 00491 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00492 return; 00493 } 00494 00495 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00496 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00497 00498 *p++ = 0x00; 00499 *p++ = 0x00; 00500 00501 *olen = 4; 00502 } 00503 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00504 00505 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00506 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00507 unsigned char *buf, size_t *olen ) 00508 { 00509 unsigned char *p = buf; 00510 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00511 00512 *olen = 0; 00513 00514 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 00515 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00516 { 00517 return; 00518 } 00519 00520 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00521 "extension" ) ); 00522 00523 if( end < p || (size_t)( end - p ) < 4 ) 00524 { 00525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00526 return; 00527 } 00528 00529 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00530 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00531 00532 *p++ = 0x00; 00533 *p++ = 0x00; 00534 00535 *olen = 4; 00536 } 00537 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00538 00539 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00540 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 00541 unsigned char *buf, size_t *olen ) 00542 { 00543 unsigned char *p = buf; 00544 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00545 00546 *olen = 0; 00547 00548 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 00549 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00550 { 00551 return; 00552 } 00553 00554 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00555 "extension" ) ); 00556 00557 if( end < p || (size_t)( end - p ) < 4 ) 00558 { 00559 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00560 return; 00561 } 00562 00563 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00564 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00565 00566 *p++ = 0x00; 00567 *p++ = 0x00; 00568 00569 *olen = 4; 00570 } 00571 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00572 00573 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00574 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 00575 unsigned char *buf, size_t *olen ) 00576 { 00577 unsigned char *p = buf; 00578 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00579 size_t tlen = ssl->session_negotiate->ticket_len; 00580 00581 *olen = 0; 00582 00583 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 00584 { 00585 return; 00586 } 00587 00588 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00589 00590 if( end < p || (size_t)( end - p ) < 4 + tlen ) 00591 { 00592 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00593 return; 00594 } 00595 00596 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00597 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 00598 00599 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00600 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00601 00602 *olen = 4; 00603 00604 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 00605 { 00606 return; 00607 } 00608 00609 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00610 00611 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00612 00613 *olen += tlen; 00614 } 00615 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00616 00617 #if defined(MBEDTLS_SSL_ALPN) 00618 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 00619 unsigned char *buf, size_t *olen ) 00620 { 00621 unsigned char *p = buf; 00622 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00623 size_t alpnlen = 0; 00624 const char **cur; 00625 00626 *olen = 0; 00627 00628 if( ssl->conf->alpn_list == NULL ) 00629 { 00630 return; 00631 } 00632 00633 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00634 00635 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00636 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 00637 00638 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 00639 { 00640 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00641 return; 00642 } 00643 00644 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 00645 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 00646 00647 /* 00648 * opaque ProtocolName<1..2^8-1>; 00649 * 00650 * struct { 00651 * ProtocolName protocol_name_list<2..2^16-1> 00652 * } ProtocolNameList; 00653 */ 00654 00655 /* Skip writing extension and list length for now */ 00656 p += 4; 00657 00658 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00659 { 00660 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00661 memcpy( p + 1, *cur, *p ); 00662 p += 1 + *p; 00663 } 00664 00665 *olen = p - buf; 00666 00667 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00668 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00669 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00670 00671 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00672 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00673 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00674 } 00675 #endif /* MBEDTLS_SSL_ALPN */ 00676 00677 /* 00678 * Generate random bytes for ClientHello 00679 */ 00680 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 00681 { 00682 int ret; 00683 unsigned char *p = ssl->handshake->randbytes; 00684 #if defined(MBEDTLS_HAVE_TIME) 00685 mbedtls_time_t t; 00686 #endif 00687 00688 /* 00689 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 00690 */ 00691 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00692 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00693 ssl->handshake->verify_cookie != NULL ) 00694 { 00695 return( 0 ); 00696 } 00697 #endif 00698 00699 #if defined(MBEDTLS_HAVE_TIME) 00700 t = mbedtls_time( NULL ); 00701 *p++ = (unsigned char)( t >> 24 ); 00702 *p++ = (unsigned char)( t >> 16 ); 00703 *p++ = (unsigned char)( t >> 8 ); 00704 *p++ = (unsigned char)( t ); 00705 00706 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00707 #else 00708 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 00709 return( ret ); 00710 00711 p += 4; 00712 #endif /* MBEDTLS_HAVE_TIME */ 00713 00714 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 00715 return( ret ); 00716 00717 return( 0 ); 00718 } 00719 00720 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 00721 { 00722 int ret; 00723 size_t i, n, olen, ext_len = 0; 00724 unsigned char *buf; 00725 unsigned char *p, *q; 00726 unsigned char offer_compress; 00727 const int *ciphersuites; 00728 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00729 00730 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00731 00732 if( ssl->conf->f_rng == NULL ) 00733 { 00734 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00735 return( MBEDTLS_ERR_SSL_NO_RNG ); 00736 } 00737 00738 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00739 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00740 #endif 00741 { 00742 ssl->major_ver = ssl->conf->min_major_ver; 00743 ssl->minor_ver = ssl->conf->min_minor_ver; 00744 } 00745 00746 if( ssl->conf->max_major_ver == 0 ) 00747 { 00748 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 00749 "consider using mbedtls_ssl_config_defaults()" ) ); 00750 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00751 } 00752 00753 /* 00754 * 0 . 0 handshake type 00755 * 1 . 3 handshake length 00756 * 4 . 5 highest version supported 00757 * 6 . 9 current UNIX time 00758 * 10 . 37 random bytes 00759 */ 00760 buf = ssl->out_msg; 00761 p = buf + 4; 00762 00763 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 00764 ssl->conf->transport, p ); 00765 p += 2; 00766 00767 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00768 buf[4], buf[5] ) ); 00769 00770 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 00771 { 00772 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 00773 return( ret ); 00774 } 00775 00776 memcpy( p, ssl->handshake->randbytes, 32 ); 00777 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 00778 p += 32; 00779 00780 /* 00781 * 38 . 38 session id length 00782 * 39 . 39+n session id 00783 * 39+n . 39+n DTLS only: cookie length (1 byte) 00784 * 40+n . .. DTSL only: cookie 00785 * .. . .. ciphersuitelist length (2 bytes) 00786 * .. . .. ciphersuitelist 00787 * .. . .. compression methods length (1 byte) 00788 * .. . .. compression methods 00789 * .. . .. extensions length (2 bytes) 00790 * .. . .. extensions 00791 */ 00792 n = ssl->session_negotiate->id_len; 00793 00794 if( n < 16 || n > 32 || 00795 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00796 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 00797 #endif 00798 ssl->handshake->resume == 0 ) 00799 { 00800 n = 0; 00801 } 00802 00803 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00804 /* 00805 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00806 * generate and include a Session ID in the TLS ClientHello." 00807 */ 00808 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00809 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00810 #endif 00811 { 00812 if( ssl->session_negotiate->ticket != NULL && 00813 ssl->session_negotiate->ticket_len != 0 ) 00814 { 00815 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 00816 00817 if( ret != 0 ) 00818 return( ret ); 00819 00820 ssl->session_negotiate->id_len = n = 32; 00821 } 00822 } 00823 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00824 00825 *p++ = (unsigned char) n; 00826 00827 for( i = 0; i < n; i++ ) 00828 *p++ = ssl->session_negotiate->id[i]; 00829 00830 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00831 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00832 00833 /* 00834 * DTLS cookie 00835 */ 00836 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00837 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00838 { 00839 if( ssl->handshake->verify_cookie == NULL ) 00840 { 00841 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 00842 *p++ = 0; 00843 } 00844 else 00845 { 00846 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 00847 ssl->handshake->verify_cookie, 00848 ssl->handshake->verify_cookie_len ); 00849 00850 *p++ = ssl->handshake->verify_cookie_len; 00851 memcpy( p, ssl->handshake->verify_cookie, 00852 ssl->handshake->verify_cookie_len ); 00853 p += ssl->handshake->verify_cookie_len; 00854 } 00855 } 00856 #endif 00857 00858 /* 00859 * Ciphersuite list 00860 */ 00861 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 00862 00863 /* Skip writing ciphersuite length for now */ 00864 n = 0; 00865 q = p; 00866 p += 2; 00867 00868 for( i = 0; ciphersuites[i] != 0; i++ ) 00869 { 00870 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 00871 00872 if( ciphersuite_info == NULL ) 00873 continue; 00874 00875 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver || 00876 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver ) 00877 continue; 00878 00879 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00880 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00881 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00882 continue; 00883 #endif 00884 00885 #if defined(MBEDTLS_ARC4_C) 00886 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00887 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00888 continue; 00889 #endif 00890 00891 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00892 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00893 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00894 continue; 00895 #endif 00896 00897 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 00898 ciphersuites[i] ) ); 00899 00900 n++; 00901 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00902 *p++ = (unsigned char)( ciphersuites[i] ); 00903 } 00904 00905 /* 00906 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00907 */ 00908 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00909 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00910 #endif 00911 { 00912 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00913 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 00914 n++; 00915 } 00916 00917 /* Some versions of OpenSSL don't handle it correctly if not at end */ 00918 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 00919 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 00920 { 00921 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 00922 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 00923 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 00924 n++; 00925 } 00926 #endif 00927 00928 *q++ = (unsigned char)( n >> 7 ); 00929 *q++ = (unsigned char)( n << 1 ); 00930 00931 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); 00932 00933 #if defined(MBEDTLS_ZLIB_SUPPORT) 00934 offer_compress = 1; 00935 #else 00936 offer_compress = 0; 00937 #endif 00938 00939 /* 00940 * We don't support compression with DTLS right now: is many records come 00941 * in the same datagram, uncompressing one could overwrite the next one. 00942 * We don't want to add complexity for handling that case unless there is 00943 * an actual need for it. 00944 */ 00945 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00946 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00947 offer_compress = 0; 00948 #endif 00949 00950 if( offer_compress ) 00951 { 00952 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00954 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 00955 00956 *p++ = 2; 00957 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 00958 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00959 } 00960 else 00961 { 00962 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00963 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 00964 MBEDTLS_SSL_COMPRESS_NULL ) ); 00965 00966 *p++ = 1; 00967 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00968 } 00969 00970 // First write extensions, then the total length 00971 // 00972 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00973 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 00974 ext_len += olen; 00975 #endif 00976 00977 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added 00978 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ 00979 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00980 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 00981 ext_len += olen; 00982 #endif 00983 00984 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00985 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00986 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 00987 ext_len += olen; 00988 #endif 00989 00990 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00991 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00992 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 00993 ext_len += olen; 00994 00995 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 00996 ext_len += olen; 00997 #endif 00998 00999 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01000 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 01001 ext_len += olen; 01002 #endif 01003 01004 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01005 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 01006 ext_len += olen; 01007 #endif 01008 01009 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01010 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 01011 ext_len += olen; 01012 #endif 01013 01014 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01015 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 01016 ext_len += olen; 01017 #endif 01018 01019 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01020 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 01021 ext_len += olen; 01022 #endif 01023 01024 #if defined(MBEDTLS_SSL_ALPN) 01025 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01026 ext_len += olen; 01027 #endif 01028 01029 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01030 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01031 ext_len += olen; 01032 #endif 01033 01034 /* olen unused if all extensions are disabled */ 01035 ((void) olen); 01036 01037 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 01038 ext_len ) ); 01039 01040 if( ext_len > 0 ) 01041 { 01042 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01043 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01044 p += ext_len; 01045 } 01046 01047 ssl->out_msglen = p - buf; 01048 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 01049 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 01050 01051 ssl->state++; 01052 01053 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01054 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01055 mbedtls_ssl_send_flight_completed( ssl ); 01056 #endif 01057 01058 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 01059 { 01060 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 01061 return( ret ); 01062 } 01063 01064 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 01065 01066 return( 0 ); 01067 } 01068 01069 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 01070 const unsigned char *buf, 01071 size_t len ) 01072 { 01073 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01074 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01075 { 01076 /* Check verify-data in constant-time. The length OTOH is no secret */ 01077 if( len != 1 + ssl->verify_data_len * 2 || 01078 buf[0] != ssl->verify_data_len * 2 || 01079 mbedtls_ssl_safer_memcmp( buf + 1, 01080 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 01081 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 01082 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 01083 { 01084 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 01085 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01086 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01087 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01088 } 01089 } 01090 else 01091 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01092 { 01093 if( len != 1 || buf[0] != 0x00 ) 01094 { 01095 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 01096 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01097 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01098 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01099 } 01100 01101 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01102 } 01103 01104 return( 0 ); 01105 } 01106 01107 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01108 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 01109 const unsigned char *buf, 01110 size_t len ) 01111 { 01112 /* 01113 * server should use the extension only if we did, 01114 * and if so the server's value should match ours (and len is always 1) 01115 */ 01116 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 01117 len != 1 || 01118 buf[0] != ssl->conf->mfl_code ) 01119 { 01120 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) ); 01121 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01122 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01123 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01124 } 01125 01126 return( 0 ); 01127 } 01128 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01129 01130 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01131 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01132 const unsigned char *buf, 01133 size_t len ) 01134 { 01135 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 01136 len != 0 ) 01137 { 01138 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) ); 01139 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01140 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01141 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01142 } 01143 01144 ((void) buf); 01145 01146 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 01147 01148 return( 0 ); 01149 } 01150 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01151 01152 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01153 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01154 const unsigned char *buf, 01155 size_t len ) 01156 { 01157 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 01158 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01159 len != 0 ) 01160 { 01161 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) ); 01162 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01163 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01164 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01165 } 01166 01167 ((void) buf); 01168 01169 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 01170 01171 return( 0 ); 01172 } 01173 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01174 01175 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01176 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 01177 const unsigned char *buf, 01178 size_t len ) 01179 { 01180 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01181 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01182 len != 0 ) 01183 { 01184 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) ); 01185 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01186 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01187 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01188 } 01189 01190 ((void) buf); 01191 01192 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 01193 01194 return( 0 ); 01195 } 01196 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01197 01198 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01199 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 01200 const unsigned char *buf, 01201 size_t len ) 01202 { 01203 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 01204 len != 0 ) 01205 { 01206 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) ); 01207 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01208 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01209 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01210 } 01211 01212 ((void) buf); 01213 01214 ssl->handshake->new_session_ticket = 1; 01215 01216 return( 0 ); 01217 } 01218 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01219 01220 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01221 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01222 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 01223 const unsigned char *buf, 01224 size_t len ) 01225 { 01226 size_t list_size; 01227 const unsigned char *p; 01228 01229 list_size = buf[0]; 01230 if( list_size + 1 != len ) 01231 { 01232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01233 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01234 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01235 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01236 } 01237 01238 p = buf + 1; 01239 while( list_size > 0 ) 01240 { 01241 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 01242 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 01243 { 01244 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 01245 ssl->handshake->ecdh_ctx.point_format = p[0]; 01246 #endif 01247 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01248 ssl->handshake->ecjpake_ctx.point_format = p[0]; 01249 #endif 01250 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 01251 return( 0 ); 01252 } 01253 01254 list_size--; 01255 p++; 01256 } 01257 01258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 01259 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01260 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01261 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01262 } 01263 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01264 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01265 01266 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01267 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 01268 const unsigned char *buf, 01269 size_t len ) 01270 { 01271 int ret; 01272 01273 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 01274 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 01275 { 01276 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 01277 return( 0 ); 01278 } 01279 01280 /* If we got here, we no longer need our cached extension */ 01281 mbedtls_free( ssl->handshake->ecjpake_cache ); 01282 ssl->handshake->ecjpake_cache = NULL; 01283 ssl->handshake->ecjpake_cache_len = 0; 01284 01285 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 01286 buf, len ) ) != 0 ) 01287 { 01288 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 01289 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01290 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01291 return( ret ); 01292 } 01293 01294 return( 0 ); 01295 } 01296 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01297 01298 #if defined(MBEDTLS_SSL_ALPN) 01299 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 01300 const unsigned char *buf, size_t len ) 01301 { 01302 size_t list_len, name_len; 01303 const char **p; 01304 01305 /* If we didn't send it, the server shouldn't send it */ 01306 if( ssl->conf->alpn_list == NULL ) 01307 { 01308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) ); 01309 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01310 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01311 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01312 } 01313 01314 /* 01315 * opaque ProtocolName<1..2^8-1>; 01316 * 01317 * struct { 01318 * ProtocolName protocol_name_list<2..2^16-1> 01319 * } ProtocolNameList; 01320 * 01321 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 01322 */ 01323 01324 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 01325 if( len < 4 ) 01326 { 01327 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01328 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01329 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01330 } 01331 01332 list_len = ( buf[0] << 8 ) | buf[1]; 01333 if( list_len != len - 2 ) 01334 { 01335 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01336 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01337 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01338 } 01339 01340 name_len = buf[2]; 01341 if( name_len != list_len - 1 ) 01342 { 01343 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01344 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01345 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01346 } 01347 01348 /* Check that the server chosen protocol was in our list and save it */ 01349 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 01350 { 01351 if( name_len == strlen( *p ) && 01352 memcmp( buf + 3, *p, name_len ) == 0 ) 01353 { 01354 ssl->alpn_chosen = *p; 01355 return( 0 ); 01356 } 01357 } 01358 01359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) ); 01360 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01361 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01362 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01363 } 01364 #endif /* MBEDTLS_SSL_ALPN */ 01365 01366 /* 01367 * Parse HelloVerifyRequest. Only called after verifying the HS type. 01368 */ 01369 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01370 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 01371 { 01372 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 01373 int major_ver, minor_ver; 01374 unsigned char cookie_len; 01375 01376 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 01377 01378 /* 01379 * struct { 01380 * ProtocolVersion server_version; 01381 * opaque cookie<0..2^8-1>; 01382 * } HelloVerifyRequest; 01383 */ 01384 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 01385 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 01386 p += 2; 01387 01388 /* 01389 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 01390 * even is lower than our min version. 01391 */ 01392 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 01393 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 01394 major_ver > ssl->conf->max_major_ver || 01395 minor_ver > ssl->conf->max_minor_ver ) 01396 { 01397 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 01398 01399 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01400 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01401 01402 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01403 } 01404 01405 cookie_len = *p++; 01406 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 01407 01408 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) 01409 { 01410 MBEDTLS_SSL_DEBUG_MSG( 1, 01411 ( "cookie length does not match incoming message size" ) ); 01412 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01413 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01414 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01415 } 01416 01417 mbedtls_free( ssl->handshake->verify_cookie ); 01418 01419 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 01420 if( ssl->handshake->verify_cookie == NULL ) 01421 { 01422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 01423 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 01424 } 01425 01426 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 01427 ssl->handshake->verify_cookie_len = cookie_len; 01428 01429 /* Start over at ClientHello */ 01430 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 01431 mbedtls_ssl_reset_checksum( ssl ); 01432 01433 mbedtls_ssl_recv_flight_completed( ssl ); 01434 01435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 01436 01437 return( 0 ); 01438 } 01439 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01440 01441 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 01442 { 01443 int ret, i; 01444 size_t n; 01445 size_t ext_len; 01446 unsigned char *buf, *ext; 01447 unsigned char comp; 01448 #if defined(MBEDTLS_ZLIB_SUPPORT) 01449 int accept_comp; 01450 #endif 01451 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01452 int renegotiation_info_seen = 0; 01453 #endif 01454 int handshake_failure = 0; 01455 const mbedtls_ssl_ciphersuite_t *suite_info; 01456 01457 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01458 01459 buf = ssl->in_msg; 01460 01461 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 01462 { 01463 /* No alert on a read error. */ 01464 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 01465 return( ret ); 01466 } 01467 01468 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 01469 { 01470 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01471 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01472 { 01473 ssl->renego_records_seen++; 01474 01475 if( ssl->conf->renego_max_records >= 0 && 01476 ssl->renego_records_seen > ssl->conf->renego_max_records ) 01477 { 01478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01479 "but not honored by server" ) ); 01480 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01481 } 01482 01483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01484 01485 ssl->keep_current_message = 1; 01486 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01487 } 01488 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01489 01490 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01491 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01492 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 01493 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01494 } 01495 01496 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01497 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01498 { 01499 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 01500 { 01501 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 01502 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01503 return( ssl_parse_hello_verify_request( ssl ) ); 01504 } 01505 else 01506 { 01507 /* We made it through the verification process */ 01508 mbedtls_free( ssl->handshake->verify_cookie ); 01509 ssl->handshake->verify_cookie = NULL; 01510 ssl->handshake->verify_cookie_len = 0; 01511 } 01512 } 01513 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01514 01515 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 01516 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 01517 { 01518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01519 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01520 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01521 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01522 } 01523 01524 /* 01525 * 0 . 1 server_version 01526 * 2 . 33 random (maybe including 4 bytes of Unix time) 01527 * 34 . 34 session_id length = n 01528 * 35 . 34+n session_id 01529 * 35+n . 36+n cipher_suite 01530 * 37+n . 37+n compression_method 01531 * 01532 * 38+n . 39+n extensions length (optional) 01533 * 40+n . .. extensions 01534 */ 01535 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01536 01537 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 01538 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01539 ssl->conf->transport, buf + 0 ); 01540 01541 if( ssl->major_ver < ssl->conf->min_major_ver || 01542 ssl->minor_ver < ssl->conf->min_minor_ver || 01543 ssl->major_ver > ssl->conf->max_major_ver || 01544 ssl->minor_ver > ssl->conf->max_minor_ver ) 01545 { 01546 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 01547 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 01548 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 01549 ssl->major_ver, ssl->minor_ver, 01550 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 01551 01552 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01553 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01554 01555 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01556 } 01557 01558 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", 01559 ( (uint32_t) buf[2] << 24 ) | 01560 ( (uint32_t) buf[3] << 16 ) | 01561 ( (uint32_t) buf[4] << 8 ) | 01562 ( (uint32_t) buf[5] ) ) ); 01563 01564 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 01565 01566 n = buf[34]; 01567 01568 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 01569 01570 if( n > 32 ) 01571 { 01572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01573 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01574 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01575 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01576 } 01577 01578 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 01579 { 01580 ext_len = ( ( buf[38 + n] << 8 ) 01581 | ( buf[39 + n] ) ); 01582 01583 if( ( ext_len > 0 && ext_len < 4 ) || 01584 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 01585 { 01586 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01587 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01588 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01589 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01590 } 01591 } 01592 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 01593 { 01594 ext_len = 0; 01595 } 01596 else 01597 { 01598 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01599 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01600 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01601 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01602 } 01603 01604 /* ciphersuite (used later) */ 01605 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 01606 01607 /* 01608 * Read and check compression 01609 */ 01610 comp = buf[37 + n]; 01611 01612 #if defined(MBEDTLS_ZLIB_SUPPORT) 01613 /* See comments in ssl_write_client_hello() */ 01614 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01615 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01616 accept_comp = 0; 01617 else 01618 #endif 01619 accept_comp = 1; 01620 01621 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 01622 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 01623 #else /* MBEDTLS_ZLIB_SUPPORT */ 01624 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 01625 #endif/* MBEDTLS_ZLIB_SUPPORT */ 01626 { 01627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 01628 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01629 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01630 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01631 } 01632 01633 /* 01634 * Initialize update checksum functions 01635 */ 01636 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 01637 01638 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 01639 { 01640 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01641 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01642 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01643 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01644 } 01645 01646 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01647 01648 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01649 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 01650 01651 /* 01652 * Check if the session can be resumed 01653 */ 01654 if( ssl->handshake->resume == 0 || n == 0 || 01655 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01656 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 01657 #endif 01658 ssl->session_negotiate->ciphersuite != i || 01659 ssl->session_negotiate->compression != comp || 01660 ssl->session_negotiate->id_len != n || 01661 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 01662 { 01663 ssl->state++; 01664 ssl->handshake->resume = 0; 01665 #if defined(MBEDTLS_HAVE_TIME) 01666 ssl->session_negotiate->start = mbedtls_time( NULL ); 01667 #endif 01668 ssl->session_negotiate->ciphersuite = i; 01669 ssl->session_negotiate->compression = comp; 01670 ssl->session_negotiate->id_len = n; 01671 memcpy( ssl->session_negotiate->id, buf + 35, n ); 01672 } 01673 else 01674 { 01675 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 01676 01677 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 01678 { 01679 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 01680 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01681 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01682 return( ret ); 01683 } 01684 } 01685 01686 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01687 ssl->handshake->resume ? "a" : "no" ) ); 01688 01689 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 01690 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 01691 01692 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01693 if( suite_info == NULL 01694 #if defined(MBEDTLS_ARC4_C) 01695 || ( ssl->conf->arc4_disabled && 01696 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 01697 #endif 01698 ) 01699 { 01700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01701 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01702 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01703 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01704 } 01705 01706 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 01707 01708 i = 0; 01709 while( 1 ) 01710 { 01711 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01712 { 01713 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01714 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01715 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01716 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01717 } 01718 01719 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 01720 ssl->session_negotiate->ciphersuite ) 01721 { 01722 break; 01723 } 01724 } 01725 01726 if( comp != MBEDTLS_SSL_COMPRESS_NULL 01727 #if defined(MBEDTLS_ZLIB_SUPPORT) 01728 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 01729 #endif 01730 ) 01731 { 01732 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01733 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01734 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01735 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01736 } 01737 ssl->session_negotiate->compression = comp; 01738 01739 ext = buf + 40 + n; 01740 01741 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01742 01743 while( ext_len ) 01744 { 01745 unsigned int ext_id = ( ( ext[0] << 8 ) 01746 | ( ext[1] ) ); 01747 unsigned int ext_size = ( ( ext[2] << 8 ) 01748 | ( ext[3] ) ); 01749 01750 if( ext_size + 4 > ext_len ) 01751 { 01752 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01753 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01754 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01755 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01756 } 01757 01758 switch( ext_id ) 01759 { 01760 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01761 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01762 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01763 renegotiation_info_seen = 1; 01764 #endif 01765 01766 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01767 ext_size ) ) != 0 ) 01768 return( ret ); 01769 01770 break; 01771 01772 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01773 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01774 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01775 01776 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01777 ext + 4, ext_size ) ) != 0 ) 01778 { 01779 return( ret ); 01780 } 01781 01782 break; 01783 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01784 01785 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01786 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01787 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01788 01789 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01790 ext + 4, ext_size ) ) != 0 ) 01791 { 01792 return( ret ); 01793 } 01794 01795 break; 01796 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01797 01798 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01799 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01800 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 01801 01802 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 01803 ext + 4, ext_size ) ) != 0 ) 01804 { 01805 return( ret ); 01806 } 01807 01808 break; 01809 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01810 01811 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01812 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01813 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 01814 01815 if( ( ret = ssl_parse_extended_ms_ext( ssl, 01816 ext + 4, ext_size ) ) != 0 ) 01817 { 01818 return( ret ); 01819 } 01820 01821 break; 01822 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01823 01824 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01825 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01826 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01827 01828 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01829 ext + 4, ext_size ) ) != 0 ) 01830 { 01831 return( ret ); 01832 } 01833 01834 break; 01835 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01836 01837 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01838 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01839 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01840 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01841 01842 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01843 ext + 4, ext_size ) ) != 0 ) 01844 { 01845 return( ret ); 01846 } 01847 01848 break; 01849 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01850 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01851 01852 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01853 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01854 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 01855 01856 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 01857 ext + 4, ext_size ) ) != 0 ) 01858 { 01859 return( ret ); 01860 } 01861 01862 break; 01863 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01864 01865 #if defined(MBEDTLS_SSL_ALPN) 01866 case MBEDTLS_TLS_EXT_ALPN: 01867 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01868 01869 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01870 return( ret ); 01871 01872 break; 01873 #endif /* MBEDTLS_SSL_ALPN */ 01874 01875 default: 01876 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01877 ext_id ) ); 01878 } 01879 01880 ext_len -= 4 + ext_size; 01881 ext += 4 + ext_size; 01882 01883 if( ext_len > 0 && ext_len < 4 ) 01884 { 01885 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01886 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01887 } 01888 } 01889 01890 /* 01891 * Renegotiation security checks 01892 */ 01893 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01894 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01895 { 01896 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01897 handshake_failure = 1; 01898 } 01899 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01900 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01901 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01902 renegotiation_info_seen == 0 ) 01903 { 01904 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01905 handshake_failure = 1; 01906 } 01907 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01908 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01909 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01910 { 01911 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01912 handshake_failure = 1; 01913 } 01914 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01915 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01916 renegotiation_info_seen == 1 ) 01917 { 01918 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01919 handshake_failure = 1; 01920 } 01921 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01922 01923 if( handshake_failure == 1 ) 01924 { 01925 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01926 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01927 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01928 } 01929 01930 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01931 01932 return( 0 ); 01933 } 01934 01935 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01936 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01937 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 01938 unsigned char *end ) 01939 { 01940 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01941 01942 /* 01943 * Ephemeral DH parameters: 01944 * 01945 * struct { 01946 * opaque dh_p<1..2^16-1>; 01947 * opaque dh_g<1..2^16-1>; 01948 * opaque dh_Ys<1..2^16-1>; 01949 * } ServerDHParams; 01950 */ 01951 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01952 { 01953 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 01954 return( ret ); 01955 } 01956 01957 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 01958 { 01959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 01960 ssl->handshake->dhm_ctx.len * 8, 01961 ssl->conf->dhm_min_bitlen ) ); 01962 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01963 } 01964 01965 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 01966 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 01967 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 01968 01969 return( ret ); 01970 } 01971 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 01972 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01973 01974 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01975 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01976 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01977 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01978 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01979 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 01980 { 01981 const mbedtls_ecp_curve_info *curve_info; 01982 01983 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 01984 if( curve_info == NULL ) 01985 { 01986 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01987 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01988 } 01989 01990 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 01991 01992 #if defined(MBEDTLS_ECP_C) 01993 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 01994 #else 01995 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 01996 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 01997 #endif 01998 return( -1 ); 01999 02000 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 02001 02002 return( 0 ); 02003 } 02004 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02005 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02006 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02007 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02008 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02009 02010 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02011 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02012 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02013 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 02014 unsigned char **p, 02015 unsigned char *end ) 02016 { 02017 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02018 02019 /* 02020 * Ephemeral ECDH parameters: 02021 * 02022 * struct { 02023 * ECParameters curve_params; 02024 * ECPoint public; 02025 * } ServerECDHParams; 02026 */ 02027 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 02028 (const unsigned char **) p, end ) ) != 0 ) 02029 { 02030 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 02031 return( ret ); 02032 } 02033 02034 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02035 { 02036 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 02037 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02038 } 02039 02040 return( ret ); 02041 } 02042 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02043 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02044 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02045 02046 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02047 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 02048 unsigned char **p, 02049 unsigned char *end ) 02050 { 02051 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02052 size_t len; 02053 ((void) ssl); 02054 02055 /* 02056 * PSK parameters: 02057 * 02058 * opaque psk_identity_hint<0..2^16-1>; 02059 */ 02060 len = (*p)[0] << 8 | (*p)[1]; 02061 *p += 2; 02062 02063 if( (*p) + len > end ) 02064 { 02065 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 02066 "(psk_identity_hint length)" ) ); 02067 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02068 } 02069 02070 /* 02071 * Note: we currently ignore the PKS identity hint, as we only allow one 02072 * PSK to be provisionned on the client. This could be changed later if 02073 * someone needs that feature. 02074 */ 02075 *p += len; 02076 ret = 0; 02077 02078 return( ret ); 02079 } 02080 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02081 02082 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 02083 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02084 /* 02085 * Generate a pre-master secret and encrypt it with the server's RSA key 02086 */ 02087 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 02088 size_t offset, size_t *olen, 02089 size_t pms_offset ) 02090 { 02091 int ret; 02092 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 02093 unsigned char *p = ssl->handshake->premaster + pms_offset; 02094 02095 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02096 { 02097 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 02098 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02099 } 02100 02101 /* 02102 * Generate (part of) the pre-master as 02103 * struct { 02104 * ProtocolVersion client_version; 02105 * opaque random[46]; 02106 * } PreMasterSecret; 02107 */ 02108 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 02109 ssl->conf->transport, p ); 02110 02111 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 02112 { 02113 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 02114 return( ret ); 02115 } 02116 02117 ssl->handshake->pmslen = 48; 02118 02119 if( ssl->session_negotiate->peer_cert == NULL ) 02120 { 02121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02122 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02123 } 02124 02125 /* 02126 * Now write it out, encrypted 02127 */ 02128 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02129 MBEDTLS_PK_RSA ) ) 02130 { 02131 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 02132 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02133 } 02134 02135 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 02136 p, ssl->handshake->pmslen, 02137 ssl->out_msg + offset + len_bytes, olen, 02138 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, 02139 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02140 { 02141 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 02142 return( ret ); 02143 } 02144 02145 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02146 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02147 if( len_bytes == 2 ) 02148 { 02149 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 02150 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 02151 *olen += 2; 02152 } 02153 #endif 02154 02155 return( 0 ); 02156 } 02157 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 02158 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02159 02160 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02161 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02162 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02163 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02164 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 02165 unsigned char **p, 02166 unsigned char *end, 02167 mbedtls_md_type_t *md_alg, 02168 mbedtls_pk_type_t *pk_alg ) 02169 { 02170 ((void) ssl); 02171 *md_alg = MBEDTLS_MD_NONE; 02172 *pk_alg = MBEDTLS_PK_NONE; 02173 02174 /* Only in TLS 1.2 */ 02175 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 02176 { 02177 return( 0 ); 02178 } 02179 02180 if( (*p) + 2 > end ) 02181 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02182 02183 /* 02184 * Get hash algorithm 02185 */ 02186 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 02187 { 02188 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " 02189 "HashAlgorithm %d", *(p)[0] ) ); 02190 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02191 } 02192 02193 /* 02194 * Get signature algorithm 02195 */ 02196 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 02197 { 02198 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " 02199 "SignatureAlgorithm %d", (*p)[1] ) ); 02200 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02201 } 02202 02203 /* 02204 * Check if the hash is acceptable 02205 */ 02206 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 02207 { 02208 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered", 02209 *(p)[0] ) ); 02210 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02211 } 02212 02213 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 02214 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 02215 *p += 2; 02216 02217 return( 0 ); 02218 } 02219 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02220 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02221 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02222 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02223 02224 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02225 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02226 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02227 { 02228 int ret; 02229 const mbedtls_ecp_keypair *peer_key; 02230 02231 if( ssl->session_negotiate->peer_cert == NULL ) 02232 { 02233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02234 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02235 } 02236 02237 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02238 MBEDTLS_PK_ECKEY ) ) 02239 { 02240 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02241 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02242 } 02243 02244 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 02245 02246 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 02247 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 02248 { 02249 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02250 return( ret ); 02251 } 02252 02253 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02254 { 02255 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 02256 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 02257 } 02258 02259 return( ret ); 02260 } 02261 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02262 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02263 02264 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 02265 { 02266 int ret; 02267 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02268 ssl->transform_negotiate->ciphersuite_info; 02269 unsigned char *p = NULL, *end = NULL; 02270 02271 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 02272 02273 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02274 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02275 { 02276 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02277 ssl->state++; 02278 return( 0 ); 02279 } 02280 ((void) p); 02281 ((void) end); 02282 #endif 02283 02284 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02285 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02286 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02287 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02288 { 02289 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 02290 { 02291 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 02292 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02293 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02294 return( ret ); 02295 } 02296 02297 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02298 ssl->state++; 02299 return( 0 ); 02300 } 02301 ((void) p); 02302 ((void) end); 02303 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02304 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02305 02306 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02307 { 02308 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02309 return( ret ); 02310 } 02311 02312 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02313 { 02314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02315 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02316 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02317 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02318 } 02319 02320 /* 02321 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 02322 * doesn't use a psk_identity_hint 02323 */ 02324 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 02325 { 02326 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02327 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02328 { 02329 /* Current message is probably either 02330 * CertificateRequest or ServerHelloDone */ 02331 ssl->keep_current_message = 1; 02332 goto exit; 02333 } 02334 02335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must " 02336 "not be skipped" ) ); 02337 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02338 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02339 02340 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02341 } 02342 02343 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02344 end = ssl->in_msg + ssl->in_hslen; 02345 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 02346 02347 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02348 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02349 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02350 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02351 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02352 { 02353 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 02354 { 02355 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02356 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02357 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02358 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02359 } 02360 } /* FALLTROUGH */ 02361 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02362 02363 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02364 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02365 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02366 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02367 ; /* nothing more to do */ 02368 else 02369 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 02370 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02371 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02372 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02373 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02374 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02375 { 02376 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 02377 { 02378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02379 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02380 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02381 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02382 } 02383 } 02384 else 02385 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02386 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02387 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02388 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02389 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02390 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02391 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02392 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02393 { 02394 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 02395 { 02396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02397 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02398 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02399 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02400 } 02401 } 02402 else 02403 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02404 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02405 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02406 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02407 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02408 { 02409 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 02410 p, end - p ); 02411 if( ret != 0 ) 02412 { 02413 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 02414 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02415 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02416 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02417 } 02418 } 02419 else 02420 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02421 { 02422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02423 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02424 } 02425 02426 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02427 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 02428 { 02429 size_t sig_len, hashlen; 02430 unsigned char hash[64]; 02431 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02432 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 02433 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02434 size_t params_len = p - params; 02435 02436 /* 02437 * Handle the digitally-signed structure 02438 */ 02439 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02440 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02441 { 02442 if( ssl_parse_signature_algorithm( ssl, &p, end, 02443 &md_alg, &pk_alg ) != 0 ) 02444 { 02445 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02446 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02447 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02448 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02449 } 02450 02451 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 02452 { 02453 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02454 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02455 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02456 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02457 } 02458 } 02459 else 02460 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02461 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02462 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02463 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 02464 { 02465 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 02466 02467 /* Default hash for ECDSA is SHA-1 */ 02468 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 02469 md_alg = MBEDTLS_MD_SHA1; 02470 } 02471 else 02472 #endif 02473 { 02474 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02475 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02476 } 02477 02478 /* 02479 * Read signature 02480 */ 02481 sig_len = ( p[0] << 8 ) | p[1]; 02482 p += 2; 02483 02484 if( end != p + sig_len ) 02485 { 02486 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02487 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02488 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02489 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02490 } 02491 02492 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 02493 02494 /* 02495 * Compute the hash that has been signed 02496 */ 02497 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02498 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02499 if( md_alg == MBEDTLS_MD_NONE ) 02500 { 02501 hashlen = 36; 02502 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params, 02503 params_len ); 02504 if( ret != 0 ) 02505 return( ret ); 02506 } 02507 else 02508 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02509 MBEDTLS_SSL_PROTO_TLS1_1 */ 02510 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02511 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02512 if( md_alg != MBEDTLS_MD_NONE ) 02513 { 02514 /* Info from md_alg will be used instead */ 02515 hashlen = 0; 02516 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, params, 02517 params_len, md_alg ); 02518 if( ret != 0 ) 02519 return( ret ); 02520 } 02521 else 02522 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02523 MBEDTLS_SSL_PROTO_TLS1_2 */ 02524 { 02525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02526 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02527 } 02528 02529 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02530 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 02531 02532 if( ssl->session_negotiate->peer_cert == NULL ) 02533 { 02534 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02535 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02536 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02537 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02538 } 02539 02540 /* 02541 * Verify signature 02542 */ 02543 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 02544 { 02545 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02546 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02547 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02548 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02549 } 02550 02551 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 02552 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 02553 { 02554 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02555 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); 02556 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 02557 return( ret ); 02558 } 02559 } 02560 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 02561 02562 exit: 02563 ssl->state++; 02564 02565 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02566 02567 return( 0 ); 02568 } 02569 02570 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 02571 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02572 { 02573 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02574 ssl->transform_negotiate->ciphersuite_info; 02575 02576 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02577 02578 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02579 { 02580 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02581 ssl->state++; 02582 return( 0 ); 02583 } 02584 02585 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02586 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02587 } 02588 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02589 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02590 { 02591 int ret; 02592 unsigned char *buf; 02593 size_t n = 0; 02594 size_t cert_type_len = 0, dn_len = 0; 02595 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02596 ssl->transform_negotiate->ciphersuite_info; 02597 02598 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02599 02600 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02601 { 02602 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02603 ssl->state++; 02604 return( 0 ); 02605 } 02606 02607 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02608 { 02609 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02610 return( ret ); 02611 } 02612 02613 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02614 { 02615 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02616 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02617 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02618 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02619 } 02620 02621 ssl->state++; 02622 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); 02623 02624 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 02625 ssl->client_auth ? "a" : "no" ) ); 02626 02627 if( ssl->client_auth == 0 ) 02628 { 02629 /* Current message is probably the ServerHelloDone */ 02630 ssl->keep_current_message = 1; 02631 goto exit; 02632 } 02633 02634 /* 02635 * struct { 02636 * ClientCertificateType certificate_types<1..2^8-1>; 02637 * SignatureAndHashAlgorithm 02638 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 02639 * DistinguishedName certificate_authorities<0..2^16-1>; 02640 * } CertificateRequest; 02641 * 02642 * Since we only support a single certificate on clients, let's just 02643 * ignore all the information that's supposed to help us pick a 02644 * certificate. 02645 * 02646 * We could check that our certificate matches the request, and bail out 02647 * if it doesn't, but it's simpler to just send the certificate anyway, 02648 * and give the server the opportunity to decide if it should terminate 02649 * the connection when it doesn't like our certificate. 02650 * 02651 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 02652 * point we only have one hash available (see comments in 02653 * write_certificate_verify), so let's just use what we have. 02654 * 02655 * However, we still minimally parse the message to check it is at least 02656 * superficially sane. 02657 */ 02658 buf = ssl->in_msg; 02659 02660 /* certificate_types */ 02661 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 02662 n = cert_type_len; 02663 02664 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02665 { 02666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02667 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02668 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02669 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02670 } 02671 02672 /* supported_signature_algorithms */ 02673 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02674 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02675 { 02676 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02677 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02678 #if defined(MBEDTLS_DEBUG_C) 02679 unsigned char* sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; 02680 size_t i; 02681 02682 for( i = 0; i < sig_alg_len; i += 2 ) 02683 { 02684 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d" 02685 ",%d", sig_alg[i], sig_alg[i + 1] ) ); 02686 } 02687 #endif 02688 02689 n += 2 + sig_alg_len; 02690 02691 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02692 { 02693 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02694 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02695 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02696 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02697 } 02698 } 02699 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02700 02701 /* certificate_authorities */ 02702 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02703 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02704 02705 n += dn_len; 02706 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 02707 { 02708 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02709 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02710 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02711 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02712 } 02713 02714 exit: 02715 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 02716 02717 return( 0 ); 02718 } 02719 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02720 02721 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 02722 { 02723 int ret; 02724 02725 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 02726 02727 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02728 { 02729 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02730 return( ret ); 02731 } 02732 02733 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02734 { 02735 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02736 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02737 } 02738 02739 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 02740 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 02741 { 02742 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02743 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02744 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02745 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02746 } 02747 02748 ssl->state++; 02749 02750 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02751 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02752 mbedtls_ssl_recv_flight_completed( ssl ); 02753 #endif 02754 02755 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02756 02757 return( 0 ); 02758 } 02759 02760 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 02761 { 02762 int ret; 02763 size_t i, n; 02764 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02765 ssl->transform_negotiate->ciphersuite_info; 02766 02767 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02768 02769 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 02770 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 02771 { 02772 /* 02773 * DHM key exchange -- send G^X mod P 02774 */ 02775 n = ssl->handshake->dhm_ctx.len; 02776 02777 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02778 ssl->out_msg[5] = (unsigned char)( n ); 02779 i = 6; 02780 02781 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02782 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02783 &ssl->out_msg[i], n, 02784 ssl->conf->f_rng, ssl->conf->p_rng ); 02785 if( ret != 0 ) 02786 { 02787 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02788 return( ret ); 02789 } 02790 02791 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02792 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02793 02794 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 02795 ssl->handshake->premaster, 02796 MBEDTLS_PREMASTER_SIZE, 02797 &ssl->handshake->pmslen, 02798 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02799 { 02800 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 02801 return( ret ); 02802 } 02803 02804 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02805 } 02806 else 02807 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02808 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02809 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02810 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02811 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02812 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02813 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 02814 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02815 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02816 { 02817 /* 02818 * ECDH key exchange -- send client public value 02819 */ 02820 i = 4; 02821 02822 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 02823 &n, 02824 &ssl->out_msg[i], 1000, 02825 ssl->conf->f_rng, ssl->conf->p_rng ); 02826 if( ret != 0 ) 02827 { 02828 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02829 return( ret ); 02830 } 02831 02832 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02833 02834 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02835 &ssl->handshake->pmslen, 02836 ssl->handshake->premaster, 02837 MBEDTLS_MPI_MAX_SIZE, 02838 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02839 { 02840 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 02841 return( ret ); 02842 } 02843 02844 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02845 } 02846 else 02847 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02848 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02849 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02850 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02851 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02852 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) 02853 { 02854 /* 02855 * opaque psk_identity<0..2^16-1>; 02856 */ 02857 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 02858 { 02859 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 02860 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02861 } 02862 02863 i = 4; 02864 n = ssl->conf->psk_identity_len; 02865 02866 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02867 { 02868 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 02869 "SSL buffer too short" ) ); 02870 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02871 } 02872 02873 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02874 ssl->out_msg[i++] = (unsigned char)( n ); 02875 02876 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 02877 i += ssl->conf->psk_identity_len; 02878 02879 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 02880 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 02881 { 02882 n = 0; 02883 } 02884 else 02885 #endif 02886 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02887 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02888 { 02889 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02890 return( ret ); 02891 } 02892 else 02893 #endif 02894 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02895 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02896 { 02897 /* 02898 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02899 */ 02900 n = ssl->handshake->dhm_ctx.len; 02901 02902 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02903 { 02904 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 02905 " or SSL buffer too short" ) ); 02906 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02907 } 02908 02909 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02910 ssl->out_msg[i++] = (unsigned char)( n ); 02911 02912 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02913 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02914 &ssl->out_msg[i], n, 02915 ssl->conf->f_rng, ssl->conf->p_rng ); 02916 if( ret != 0 ) 02917 { 02918 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02919 return( ret ); 02920 } 02921 } 02922 else 02923 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02924 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02925 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02926 { 02927 /* 02928 * ClientECDiffieHellmanPublic public; 02929 */ 02930 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 02931 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, 02932 ssl->conf->f_rng, ssl->conf->p_rng ); 02933 if( ret != 0 ) 02934 { 02935 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02936 return( ret ); 02937 } 02938 02939 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02940 } 02941 else 02942 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02943 { 02944 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02945 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02946 } 02947 02948 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 02949 ciphersuite_info->key_exchange ) ) != 0 ) 02950 { 02951 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 02952 return( ret ); 02953 } 02954 } 02955 else 02956 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02957 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02958 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02959 { 02960 i = 4; 02961 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 02962 return( ret ); 02963 } 02964 else 02965 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02966 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02967 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02968 { 02969 i = 4; 02970 02971 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02972 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, 02973 ssl->conf->f_rng, ssl->conf->p_rng ); 02974 if( ret != 0 ) 02975 { 02976 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02977 return( ret ); 02978 } 02979 02980 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 02981 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 02982 ssl->conf->f_rng, ssl->conf->p_rng ); 02983 if( ret != 0 ) 02984 { 02985 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 02986 return( ret ); 02987 } 02988 } 02989 else 02990 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02991 { 02992 ((void) ciphersuite_info); 02993 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02994 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02995 } 02996 02997 ssl->out_msglen = i + n; 02998 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02999 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 03000 03001 ssl->state++; 03002 03003 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03004 { 03005 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03006 return( ret ); 03007 } 03008 03009 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 03010 03011 return( 0 ); 03012 } 03013 03014 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 03015 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 03016 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 03017 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 03018 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 03019 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 03020 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03021 { 03022 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03023 ssl->transform_negotiate->ciphersuite_info; 03024 int ret; 03025 03026 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03027 03028 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03029 { 03030 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03031 return( ret ); 03032 } 03033 03034 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03035 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03036 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03037 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03038 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03039 { 03040 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03041 ssl->state++; 03042 return( 0 ); 03043 } 03044 03045 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03046 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03047 } 03048 #else 03049 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03050 { 03051 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03052 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03053 ssl->transform_negotiate->ciphersuite_info; 03054 size_t n = 0, offset = 0; 03055 unsigned char hash[48]; 03056 unsigned char *hash_start = hash; 03057 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 03058 unsigned int hashlen; 03059 03060 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03061 03062 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03063 { 03064 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03065 return( ret ); 03066 } 03067 03068 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03069 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03070 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03071 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03072 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03073 { 03074 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03075 ssl->state++; 03076 return( 0 ); 03077 } 03078 03079 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 03080 { 03081 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03082 ssl->state++; 03083 return( 0 ); 03084 } 03085 03086 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03087 { 03088 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 03089 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03090 } 03091 03092 /* 03093 * Make an RSA signature of the handshake digests 03094 */ 03095 ssl->handshake->calc_verify( ssl, hash ); 03096 03097 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03098 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03099 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03100 { 03101 /* 03102 * digitally-signed struct { 03103 * opaque md5_hash[16]; 03104 * opaque sha_hash[20]; 03105 * }; 03106 * 03107 * md5_hash 03108 * MD5(handshake_messages); 03109 * 03110 * sha_hash 03111 * SHA(handshake_messages); 03112 */ 03113 hashlen = 36; 03114 md_alg = MBEDTLS_MD_NONE; 03115 03116 /* 03117 * For ECDSA, default hash is SHA-1 only 03118 */ 03119 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 03120 { 03121 hash_start += 16; 03122 hashlen -= 16; 03123 md_alg = MBEDTLS_MD_SHA1; 03124 } 03125 } 03126 else 03127 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03128 MBEDTLS_SSL_PROTO_TLS1_1 */ 03129 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03130 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03131 { 03132 /* 03133 * digitally-signed struct { 03134 * opaque handshake_messages[handshake_messages_length]; 03135 * }; 03136 * 03137 * Taking shortcut here. We assume that the server always allows the 03138 * PRF Hash function and has sent it in the allowed signature 03139 * algorithms list received in the Certificate Request message. 03140 * 03141 * Until we encounter a server that does not, we will take this 03142 * shortcut. 03143 * 03144 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 03145 * in order to satisfy 'weird' needs from the server side. 03146 */ 03147 if( ssl->transform_negotiate->ciphersuite_info->mac == 03148 MBEDTLS_MD_SHA384 ) 03149 { 03150 md_alg = MBEDTLS_MD_SHA384; 03151 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 03152 } 03153 else 03154 { 03155 md_alg = MBEDTLS_MD_SHA256; 03156 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 03157 } 03158 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 03159 03160 /* Info from md_alg will be used instead */ 03161 hashlen = 0; 03162 offset = 2; 03163 } 03164 else 03165 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03166 { 03167 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03168 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03169 } 03170 03171 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 03172 ssl->out_msg + 6 + offset, &n, 03173 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03174 { 03175 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03176 return( ret ); 03177 } 03178 03179 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 03180 ssl->out_msg[5 + offset] = (unsigned char)( n ); 03181 03182 ssl->out_msglen = 6 + n + offset; 03183 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03184 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 03185 03186 ssl->state++; 03187 03188 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03189 { 03190 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03191 return( ret ); 03192 } 03193 03194 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 03195 03196 return( ret ); 03197 } 03198 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03199 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03200 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 03201 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 03202 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 03203 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03204 03205 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03206 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 03207 { 03208 int ret; 03209 uint32_t lifetime; 03210 size_t ticket_len; 03211 unsigned char *ticket; 03212 const unsigned char *msg; 03213 03214 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 03215 03216 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03217 { 03218 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03219 return( ret ); 03220 } 03221 03222 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03223 { 03224 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03225 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03226 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 03227 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03228 } 03229 03230 /* 03231 * struct { 03232 * uint32 ticket_lifetime_hint; 03233 * opaque ticket<0..2^16-1>; 03234 * } NewSessionTicket; 03235 * 03236 * 0 . 3 ticket_lifetime_hint 03237 * 4 . 5 ticket_len (n) 03238 * 6 . 5+n ticket content 03239 */ 03240 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 03241 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 03242 { 03243 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03244 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03245 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03246 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03247 } 03248 03249 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03250 03251 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | 03252 ( msg[2] << 8 ) | ( msg[3] ); 03253 03254 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 03255 03256 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 03257 { 03258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03259 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03260 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03261 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03262 } 03263 03264 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 03265 03266 /* We're not waiting for a NewSessionTicket message any more */ 03267 ssl->handshake->new_session_ticket = 0; 03268 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 03269 03270 /* 03271 * Zero-length ticket means the server changed his mind and doesn't want 03272 * to send a ticket after all, so just forget it 03273 */ 03274 if( ticket_len == 0 ) 03275 return( 0 ); 03276 03277 mbedtls_zeroize( ssl->session_negotiate->ticket, 03278 ssl->session_negotiate->ticket_len ); 03279 mbedtls_free( ssl->session_negotiate->ticket ); 03280 ssl->session_negotiate->ticket = NULL; 03281 ssl->session_negotiate->ticket_len = 0; 03282 03283 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 03284 { 03285 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 03286 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03287 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 03288 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03289 } 03290 03291 memcpy( ticket, msg + 6, ticket_len ); 03292 03293 ssl->session_negotiate->ticket = ticket; 03294 ssl->session_negotiate->ticket_len = ticket_len; 03295 ssl->session_negotiate->ticket_lifetime = lifetime; 03296 03297 /* 03298 * RFC 5077 section 3.4: 03299 * "If the client receives a session ticket from the server, then it 03300 * discards any Session ID that was sent in the ServerHello." 03301 */ 03302 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 03303 ssl->session_negotiate->id_len = 0; 03304 03305 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 03306 03307 return( 0 ); 03308 } 03309 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03310 03311 /* 03312 * SSL handshake -- client side -- single step 03313 */ 03314 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 03315 { 03316 int ret = 0; 03317 03318 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03319 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03320 03321 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 03322 03323 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03324 return( ret ); 03325 03326 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03327 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03328 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03329 { 03330 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03331 return( ret ); 03332 } 03333 #endif 03334 03335 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 03336 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 03337 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03338 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 03339 ssl->handshake->new_session_ticket != 0 ) 03340 { 03341 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 03342 } 03343 #endif 03344 03345 switch( ssl->state ) 03346 { 03347 case MBEDTLS_SSL_HELLO_REQUEST: 03348 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03349 break; 03350 03351 /* 03352 * ==> ClientHello 03353 */ 03354 case MBEDTLS_SSL_CLIENT_HELLO: 03355 ret = ssl_write_client_hello( ssl ); 03356 break; 03357 03358 /* 03359 * <== ServerHello 03360 * Certificate 03361 * ( ServerKeyExchange ) 03362 * ( CertificateRequest ) 03363 * ServerHelloDone 03364 */ 03365 case MBEDTLS_SSL_SERVER_HELLO: 03366 ret = ssl_parse_server_hello( ssl ); 03367 break; 03368 03369 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03370 ret = mbedtls_ssl_parse_certificate( ssl ); 03371 break; 03372 03373 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03374 ret = ssl_parse_server_key_exchange( ssl ); 03375 break; 03376 03377 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03378 ret = ssl_parse_certificate_request( ssl ); 03379 break; 03380 03381 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03382 ret = ssl_parse_server_hello_done( ssl ); 03383 break; 03384 03385 /* 03386 * ==> ( Certificate/Alert ) 03387 * ClientKeyExchange 03388 * ( CertificateVerify ) 03389 * ChangeCipherSpec 03390 * Finished 03391 */ 03392 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03393 ret = mbedtls_ssl_write_certificate( ssl ); 03394 break; 03395 03396 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03397 ret = ssl_write_client_key_exchange( ssl ); 03398 break; 03399 03400 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03401 ret = ssl_write_certificate_verify( ssl ); 03402 break; 03403 03404 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03405 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 03406 break; 03407 03408 case MBEDTLS_SSL_CLIENT_FINISHED: 03409 ret = mbedtls_ssl_write_finished( ssl ); 03410 break; 03411 03412 /* 03413 * <== ( NewSessionTicket ) 03414 * ChangeCipherSpec 03415 * Finished 03416 */ 03417 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03418 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 03419 ret = ssl_parse_new_session_ticket( ssl ); 03420 break; 03421 #endif 03422 03423 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 03424 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 03425 break; 03426 03427 case MBEDTLS_SSL_SERVER_FINISHED: 03428 ret = mbedtls_ssl_parse_finished( ssl ); 03429 break; 03430 03431 case MBEDTLS_SSL_FLUSH_BUFFERS: 03432 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03433 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 03434 break; 03435 03436 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 03437 mbedtls_ssl_handshake_wrapup( ssl ); 03438 break; 03439 03440 default: 03441 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03442 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03443 } 03444 03445 return( ret ); 03446 } 03447 #endif /* MBEDTLS_SSL_CLI_C */
Generated on Tue Jul 12 2022 14:24:38 by
1.7.2