takashi kadono
/
Nucleo_446
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_CLI_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #include <stdint.h> 00045 00046 #if defined(MBEDTLS_HAVE_TIME) 00047 #include "mbedtls/platform_time.h" 00048 #endif 00049 00050 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00051 #include "mbedtls/platform_util.h" 00052 #endif 00053 00054 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00055 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 00056 unsigned char *buf, 00057 size_t *olen ) 00058 { 00059 unsigned char *p = buf; 00060 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00061 size_t hostname_len; 00062 00063 *olen = 0; 00064 00065 if( ssl->hostname == NULL ) 00066 return; 00067 00068 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00069 ssl->hostname ) ); 00070 00071 hostname_len = strlen( ssl->hostname ); 00072 00073 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 00074 { 00075 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00076 return; 00077 } 00078 00079 /* 00080 * Sect. 3, RFC 6066 (TLS Extensions Definitions) 00081 * 00082 * In order to provide any of the server names, clients MAY include an 00083 * extension of type "server_name" in the (extended) client hello. The 00084 * "extension_data" field of this extension SHALL contain 00085 * "ServerNameList" where: 00086 * 00087 * struct { 00088 * NameType name_type; 00089 * select (name_type) { 00090 * case host_name: HostName; 00091 * } name; 00092 * } ServerName; 00093 * 00094 * enum { 00095 * host_name(0), (255) 00096 * } NameType; 00097 * 00098 * opaque HostName<1..2^16-1>; 00099 * 00100 * struct { 00101 * ServerName server_name_list<1..2^16-1> 00102 * } ServerNameList; 00103 * 00104 */ 00105 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00106 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 00107 00108 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 00109 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 00110 00111 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 00112 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 00113 00114 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00115 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 00116 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 00117 00118 memcpy( p, ssl->hostname, hostname_len ); 00119 00120 *olen = hostname_len + 9; 00121 } 00122 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00123 00124 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00125 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 00126 unsigned char *buf, 00127 size_t *olen ) 00128 { 00129 unsigned char *p = buf; 00130 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00131 00132 *olen = 0; 00133 00134 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the 00135 * initial ClientHello, in which case also adding the renegotiation 00136 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ 00137 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00138 return; 00139 00140 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00141 00142 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 00143 { 00144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00145 return; 00146 } 00147 00148 /* 00149 * Secure renegotiation 00150 */ 00151 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00152 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00153 00154 *p++ = 0x00; 00155 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00156 *p++ = ssl->verify_data_len & 0xFF; 00157 00158 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00159 00160 *olen = 5 + ssl->verify_data_len; 00161 } 00162 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00163 00164 /* 00165 * Only if we handle at least one key exchange that needs signatures. 00166 */ 00167 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00168 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00169 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00170 unsigned char *buf, 00171 size_t *olen ) 00172 { 00173 unsigned char *p = buf; 00174 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00175 size_t sig_alg_len = 0; 00176 const int *md; 00177 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 00178 unsigned char *sig_alg_list = buf + 6; 00179 #endif 00180 00181 *olen = 0; 00182 00183 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 00184 return; 00185 00186 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00187 00188 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00189 { 00190 #if defined(MBEDTLS_ECDSA_C) 00191 sig_alg_len += 2; 00192 #endif 00193 #if defined(MBEDTLS_RSA_C) 00194 sig_alg_len += 2; 00195 #endif 00196 } 00197 00198 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 00199 { 00200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00201 return; 00202 } 00203 00204 /* 00205 * Prepare signature_algorithms extension (TLS 1.2) 00206 */ 00207 sig_alg_len = 0; 00208 00209 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00210 { 00211 #if defined(MBEDTLS_ECDSA_C) 00212 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00213 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 00214 #endif 00215 #if defined(MBEDTLS_RSA_C) 00216 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00217 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 00218 #endif 00219 } 00220 00221 /* 00222 * enum { 00223 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00224 * sha512(6), (255) 00225 * } HashAlgorithm; 00226 * 00227 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00228 * SignatureAlgorithm; 00229 * 00230 * struct { 00231 * HashAlgorithm hash; 00232 * SignatureAlgorithm signature; 00233 * } SignatureAndHashAlgorithm; 00234 * 00235 * SignatureAndHashAlgorithm 00236 * supported_signature_algorithms<2..2^16-2>; 00237 */ 00238 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00239 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 00240 00241 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00242 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00243 00244 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00245 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00246 00247 *olen = 6 + sig_alg_len; 00248 } 00249 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00250 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00251 00252 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00253 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00254 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 00255 unsigned char *buf, 00256 size_t *olen ) 00257 { 00258 unsigned char *p = buf; 00259 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00260 unsigned char *elliptic_curve_list = p + 6; 00261 size_t elliptic_curve_len = 0; 00262 const mbedtls_ecp_curve_info *info; 00263 #if defined(MBEDTLS_ECP_C) 00264 const mbedtls_ecp_group_id *grp_id; 00265 #else 00266 ((void) ssl); 00267 #endif 00268 00269 *olen = 0; 00270 00271 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00272 00273 #if defined(MBEDTLS_ECP_C) 00274 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00275 #else 00276 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00277 #endif 00278 { 00279 #if defined(MBEDTLS_ECP_C) 00280 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00281 #endif 00282 if( info == NULL ) 00283 { 00284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); 00285 return; 00286 } 00287 00288 elliptic_curve_len += 2; 00289 } 00290 00291 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 00292 { 00293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00294 return; 00295 } 00296 00297 elliptic_curve_len = 0; 00298 00299 #if defined(MBEDTLS_ECP_C) 00300 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00301 #else 00302 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00303 #endif 00304 { 00305 #if defined(MBEDTLS_ECP_C) 00306 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00307 #endif 00308 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00309 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00310 } 00311 00312 if( elliptic_curve_len == 0 ) 00313 return; 00314 00315 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00316 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00317 00318 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00319 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00320 00321 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00322 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00323 00324 *olen = 6 + elliptic_curve_len; 00325 } 00326 00327 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 00328 unsigned char *buf, 00329 size_t *olen ) 00330 { 00331 unsigned char *p = buf; 00332 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00333 00334 *olen = 0; 00335 00336 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00337 00338 if( end < p || (size_t)( end - p ) < 6 ) 00339 { 00340 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00341 return; 00342 } 00343 00344 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00345 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00346 00347 *p++ = 0x00; 00348 *p++ = 2; 00349 00350 *p++ = 1; 00351 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 00352 00353 *olen = 6; 00354 } 00355 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00356 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00357 00358 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00359 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 00360 unsigned char *buf, 00361 size_t *olen ) 00362 { 00363 int ret; 00364 unsigned char *p = buf; 00365 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00366 size_t kkpp_len; 00367 00368 *olen = 0; 00369 00370 /* Skip costly extension if we can't use EC J-PAKE anyway */ 00371 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00372 return; 00373 00374 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 00375 00376 if( end - p < 4 ) 00377 { 00378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00379 return; 00380 } 00381 00382 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 00383 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 00384 00385 /* 00386 * We may need to send ClientHello multiple times for Hello verification. 00387 * We don't want to compute fresh values every time (both for performance 00388 * and consistency reasons), so cache the extension content. 00389 */ 00390 if( ssl->handshake->ecjpake_cache == NULL || 00391 ssl->handshake->ecjpake_cache_len == 0 ) 00392 { 00393 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 00394 00395 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 00396 p + 2, end - p - 2, &kkpp_len, 00397 ssl->conf->f_rng, ssl->conf->p_rng ); 00398 if( ret != 0 ) 00399 { 00400 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 00401 return; 00402 } 00403 00404 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 00405 if( ssl->handshake->ecjpake_cache == NULL ) 00406 { 00407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 00408 return; 00409 } 00410 00411 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 00412 ssl->handshake->ecjpake_cache_len = kkpp_len; 00413 } 00414 else 00415 { 00416 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 00417 00418 kkpp_len = ssl->handshake->ecjpake_cache_len; 00419 00420 if( (size_t)( end - p - 2 ) < kkpp_len ) 00421 { 00422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00423 return; 00424 } 00425 00426 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 00427 } 00428 00429 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 00430 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 00431 00432 *olen = kkpp_len + 4; 00433 } 00434 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00435 00436 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00437 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00438 unsigned char *buf, 00439 size_t *olen ) 00440 { 00441 unsigned char *p = buf; 00442 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00443 00444 *olen = 0; 00445 00446 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 00447 return; 00448 } 00449 00450 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00451 00452 if( end < p || (size_t)( end - p ) < 5 ) 00453 { 00454 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00455 return; 00456 } 00457 00458 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00459 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00460 00461 *p++ = 0x00; 00462 *p++ = 1; 00463 00464 *p++ = ssl->conf->mfl_code; 00465 00466 *olen = 5; 00467 } 00468 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00469 00470 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00471 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00472 unsigned char *buf, size_t *olen ) 00473 { 00474 unsigned char *p = buf; 00475 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00476 00477 *olen = 0; 00478 00479 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 00480 { 00481 return; 00482 } 00483 00484 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00485 00486 if( end < p || (size_t)( end - p ) < 4 ) 00487 { 00488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00489 return; 00490 } 00491 00492 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00493 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00494 00495 *p++ = 0x00; 00496 *p++ = 0x00; 00497 00498 *olen = 4; 00499 } 00500 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00501 00502 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00503 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00504 unsigned char *buf, size_t *olen ) 00505 { 00506 unsigned char *p = buf; 00507 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00508 00509 *olen = 0; 00510 00511 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 00512 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00513 { 00514 return; 00515 } 00516 00517 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00518 "extension" ) ); 00519 00520 if( end < p || (size_t)( end - p ) < 4 ) 00521 { 00522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00523 return; 00524 } 00525 00526 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00527 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00528 00529 *p++ = 0x00; 00530 *p++ = 0x00; 00531 00532 *olen = 4; 00533 } 00534 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00535 00536 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00537 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 00538 unsigned char *buf, size_t *olen ) 00539 { 00540 unsigned char *p = buf; 00541 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00542 00543 *olen = 0; 00544 00545 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 00546 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00547 { 00548 return; 00549 } 00550 00551 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00552 "extension" ) ); 00553 00554 if( end < p || (size_t)( end - p ) < 4 ) 00555 { 00556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00557 return; 00558 } 00559 00560 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00561 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00562 00563 *p++ = 0x00; 00564 *p++ = 0x00; 00565 00566 *olen = 4; 00567 } 00568 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00569 00570 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00571 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 00572 unsigned char *buf, size_t *olen ) 00573 { 00574 unsigned char *p = buf; 00575 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00576 size_t tlen = ssl->session_negotiate->ticket_len; 00577 00578 *olen = 0; 00579 00580 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 00581 { 00582 return; 00583 } 00584 00585 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00586 00587 if( end < p || (size_t)( end - p ) < 4 + tlen ) 00588 { 00589 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00590 return; 00591 } 00592 00593 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00594 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 00595 00596 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00597 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00598 00599 *olen = 4; 00600 00601 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 00602 { 00603 return; 00604 } 00605 00606 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00607 00608 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00609 00610 *olen += tlen; 00611 } 00612 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00613 00614 #if defined(MBEDTLS_SSL_ALPN) 00615 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 00616 unsigned char *buf, size_t *olen ) 00617 { 00618 unsigned char *p = buf; 00619 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00620 size_t alpnlen = 0; 00621 const char **cur; 00622 00623 *olen = 0; 00624 00625 if( ssl->conf->alpn_list == NULL ) 00626 { 00627 return; 00628 } 00629 00630 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00631 00632 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00633 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 00634 00635 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 00636 { 00637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00638 return; 00639 } 00640 00641 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 00642 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 00643 00644 /* 00645 * opaque ProtocolName<1..2^8-1>; 00646 * 00647 * struct { 00648 * ProtocolName protocol_name_list<2..2^16-1> 00649 * } ProtocolNameList; 00650 */ 00651 00652 /* Skip writing extension and list length for now */ 00653 p += 4; 00654 00655 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00656 { 00657 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00658 memcpy( p + 1, *cur, *p ); 00659 p += 1 + *p; 00660 } 00661 00662 *olen = p - buf; 00663 00664 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00665 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00666 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00667 00668 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00669 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00670 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00671 } 00672 #endif /* MBEDTLS_SSL_ALPN */ 00673 00674 /* 00675 * Generate random bytes for ClientHello 00676 */ 00677 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 00678 { 00679 int ret; 00680 unsigned char *p = ssl->handshake->randbytes; 00681 #if defined(MBEDTLS_HAVE_TIME) 00682 mbedtls_time_t t; 00683 #endif 00684 00685 /* 00686 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 00687 */ 00688 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00689 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00690 ssl->handshake->verify_cookie != NULL ) 00691 { 00692 return( 0 ); 00693 } 00694 #endif 00695 00696 #if defined(MBEDTLS_HAVE_TIME) 00697 t = mbedtls_time( NULL ); 00698 *p++ = (unsigned char)( t >> 24 ); 00699 *p++ = (unsigned char)( t >> 16 ); 00700 *p++ = (unsigned char)( t >> 8 ); 00701 *p++ = (unsigned char)( t ); 00702 00703 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00704 #else 00705 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 00706 return( ret ); 00707 00708 p += 4; 00709 #endif /* MBEDTLS_HAVE_TIME */ 00710 00711 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 00712 return( ret ); 00713 00714 return( 0 ); 00715 } 00716 00717 /** 00718 * \brief Validate cipher suite against config in SSL context. 00719 * 00720 * \param suite_info cipher suite to validate 00721 * \param ssl SSL context 00722 * \param min_minor_ver Minimal minor version to accept a cipher suite 00723 * \param max_minor_ver Maximal minor version to accept a cipher suite 00724 * 00725 * \return 0 if valid, else 1 00726 */ 00727 static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info, 00728 const mbedtls_ssl_context * ssl, 00729 int min_minor_ver, int max_minor_ver ) 00730 { 00731 (void) ssl; 00732 if( suite_info == NULL ) 00733 return( 1 ); 00734 00735 if( suite_info->min_minor_ver > max_minor_ver || 00736 suite_info->max_minor_ver < min_minor_ver ) 00737 return( 1 ); 00738 00739 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00740 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00741 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00742 return( 1 ); 00743 #endif 00744 00745 #if defined(MBEDTLS_ARC4_C) 00746 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00747 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00748 return( 1 ); 00749 #endif 00750 00751 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00752 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00753 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00754 return( 1 ); 00755 #endif 00756 00757 return( 0 ); 00758 } 00759 00760 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 00761 { 00762 int ret; 00763 size_t i, n, olen, ext_len = 0; 00764 unsigned char *buf; 00765 unsigned char *p, *q; 00766 unsigned char offer_compress; 00767 const int *ciphersuites; 00768 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00769 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00770 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00771 int uses_ec = 0; 00772 #endif 00773 00774 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00775 00776 if( ssl->conf->f_rng == NULL ) 00777 { 00778 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00779 return( MBEDTLS_ERR_SSL_NO_RNG ); 00780 } 00781 00782 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00783 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00784 #endif 00785 { 00786 ssl->major_ver = ssl->conf->min_major_ver; 00787 ssl->minor_ver = ssl->conf->min_minor_ver; 00788 } 00789 00790 if( ssl->conf->max_major_ver == 0 ) 00791 { 00792 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 00793 "consider using mbedtls_ssl_config_defaults()" ) ); 00794 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00795 } 00796 00797 /* 00798 * 0 . 0 handshake type 00799 * 1 . 3 handshake length 00800 * 4 . 5 highest version supported 00801 * 6 . 9 current UNIX time 00802 * 10 . 37 random bytes 00803 */ 00804 buf = ssl->out_msg; 00805 p = buf + 4; 00806 00807 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 00808 ssl->conf->transport, p ); 00809 p += 2; 00810 00811 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00812 buf[4], buf[5] ) ); 00813 00814 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 00815 { 00816 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 00817 return( ret ); 00818 } 00819 00820 memcpy( p, ssl->handshake->randbytes, 32 ); 00821 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 00822 p += 32; 00823 00824 /* 00825 * 38 . 38 session id length 00826 * 39 . 39+n session id 00827 * 39+n . 39+n DTLS only: cookie length (1 byte) 00828 * 40+n . .. DTSL only: cookie 00829 * .. . .. ciphersuitelist length (2 bytes) 00830 * .. . .. ciphersuitelist 00831 * .. . .. compression methods length (1 byte) 00832 * .. . .. compression methods 00833 * .. . .. extensions length (2 bytes) 00834 * .. . .. extensions 00835 */ 00836 n = ssl->session_negotiate->id_len; 00837 00838 if( n < 16 || n > 32 || 00839 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00840 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 00841 #endif 00842 ssl->handshake->resume == 0 ) 00843 { 00844 n = 0; 00845 } 00846 00847 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00848 /* 00849 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00850 * generate and include a Session ID in the TLS ClientHello." 00851 */ 00852 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00853 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00854 #endif 00855 { 00856 if( ssl->session_negotiate->ticket != NULL && 00857 ssl->session_negotiate->ticket_len != 0 ) 00858 { 00859 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 00860 00861 if( ret != 0 ) 00862 return( ret ); 00863 00864 ssl->session_negotiate->id_len = n = 32; 00865 } 00866 } 00867 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00868 00869 *p++ = (unsigned char) n; 00870 00871 for( i = 0; i < n; i++ ) 00872 *p++ = ssl->session_negotiate->id[i]; 00873 00874 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00875 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00876 00877 /* 00878 * DTLS cookie 00879 */ 00880 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00881 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00882 { 00883 if( ssl->handshake->verify_cookie == NULL ) 00884 { 00885 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 00886 *p++ = 0; 00887 } 00888 else 00889 { 00890 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 00891 ssl->handshake->verify_cookie, 00892 ssl->handshake->verify_cookie_len ); 00893 00894 *p++ = ssl->handshake->verify_cookie_len; 00895 memcpy( p, ssl->handshake->verify_cookie, 00896 ssl->handshake->verify_cookie_len ); 00897 p += ssl->handshake->verify_cookie_len; 00898 } 00899 } 00900 #endif 00901 00902 /* 00903 * Ciphersuite list 00904 */ 00905 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 00906 00907 /* Skip writing ciphersuite length for now */ 00908 n = 0; 00909 q = p; 00910 p += 2; 00911 00912 for( i = 0; ciphersuites[i] != 0; i++ ) 00913 { 00914 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 00915 00916 if( ssl_validate_ciphersuite( ciphersuite_info, ssl, 00917 ssl->conf->min_minor_ver, 00918 ssl->conf->max_minor_ver ) != 0 ) 00919 continue; 00920 00921 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 00922 ciphersuites[i] ) ); 00923 00924 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00925 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00926 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info ); 00927 #endif 00928 00929 n++; 00930 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00931 *p++ = (unsigned char)( ciphersuites[i] ); 00932 } 00933 00934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) ); 00935 00936 /* 00937 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00938 */ 00939 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00940 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00941 #endif 00942 { 00943 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) ); 00944 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00945 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 00946 n++; 00947 } 00948 00949 /* Some versions of OpenSSL don't handle it correctly if not at end */ 00950 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 00951 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 00952 { 00953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 00954 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 00955 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 00956 n++; 00957 } 00958 #endif 00959 00960 *q++ = (unsigned char)( n >> 7 ); 00961 *q++ = (unsigned char)( n << 1 ); 00962 00963 #if defined(MBEDTLS_ZLIB_SUPPORT) 00964 offer_compress = 1; 00965 #else 00966 offer_compress = 0; 00967 #endif 00968 00969 /* 00970 * We don't support compression with DTLS right now: if many records come 00971 * in the same datagram, uncompressing one could overwrite the next one. 00972 * We don't want to add complexity for handling that case unless there is 00973 * an actual need for it. 00974 */ 00975 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00976 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00977 offer_compress = 0; 00978 #endif 00979 00980 if( offer_compress ) 00981 { 00982 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00983 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00984 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 00985 00986 *p++ = 2; 00987 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 00988 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00989 } 00990 else 00991 { 00992 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00993 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 00994 MBEDTLS_SSL_COMPRESS_NULL ) ); 00995 00996 *p++ = 1; 00997 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00998 } 00999 01000 // First write extensions, then the total length 01001 // 01002 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 01003 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 01004 ext_len += olen; 01005 #endif 01006 01007 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added 01008 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ 01009 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01010 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 01011 ext_len += olen; 01012 #endif 01013 01014 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01015 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01016 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 01017 ext_len += olen; 01018 #endif 01019 01020 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01021 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01022 if( uses_ec ) 01023 { 01024 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 01025 ext_len += olen; 01026 01027 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 01028 ext_len += olen; 01029 } 01030 #endif 01031 01032 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01033 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 01034 ext_len += olen; 01035 #endif 01036 01037 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01038 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 01039 ext_len += olen; 01040 #endif 01041 01042 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01043 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 01044 ext_len += olen; 01045 #endif 01046 01047 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01048 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 01049 ext_len += olen; 01050 #endif 01051 01052 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01053 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 01054 ext_len += olen; 01055 #endif 01056 01057 #if defined(MBEDTLS_SSL_ALPN) 01058 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01059 ext_len += olen; 01060 #endif 01061 01062 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01063 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01064 ext_len += olen; 01065 #endif 01066 01067 /* olen unused if all extensions are disabled */ 01068 ((void) olen); 01069 01070 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 01071 ext_len ) ); 01072 01073 if( ext_len > 0 ) 01074 { 01075 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01076 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01077 p += ext_len; 01078 } 01079 01080 ssl->out_msglen = p - buf; 01081 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 01082 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 01083 01084 ssl->state++; 01085 01086 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01087 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01088 mbedtls_ssl_send_flight_completed( ssl ); 01089 #endif 01090 01091 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 01092 { 01093 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 01094 return( ret ); 01095 } 01096 01097 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01098 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 01099 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) 01100 { 01101 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); 01102 return( ret ); 01103 } 01104 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01105 01106 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 01107 01108 return( 0 ); 01109 } 01110 01111 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 01112 const unsigned char *buf, 01113 size_t len ) 01114 { 01115 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01116 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01117 { 01118 /* Check verify-data in constant-time. The length OTOH is no secret */ 01119 if( len != 1 + ssl->verify_data_len * 2 || 01120 buf[0] != ssl->verify_data_len * 2 || 01121 mbedtls_ssl_safer_memcmp( buf + 1, 01122 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 01123 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 01124 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 01125 { 01126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 01127 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01128 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01129 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01130 } 01131 } 01132 else 01133 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01134 { 01135 if( len != 1 || buf[0] != 0x00 ) 01136 { 01137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 01138 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01139 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01140 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01141 } 01142 01143 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01144 } 01145 01146 return( 0 ); 01147 } 01148 01149 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01150 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 01151 const unsigned char *buf, 01152 size_t len ) 01153 { 01154 /* 01155 * server should use the extension only if we did, 01156 * and if so the server's value should match ours (and len is always 1) 01157 */ 01158 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 01159 len != 1 || 01160 buf[0] != ssl->conf->mfl_code ) 01161 { 01162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) ); 01163 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01164 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01165 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01166 } 01167 01168 return( 0 ); 01169 } 01170 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01171 01172 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01173 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01174 const unsigned char *buf, 01175 size_t len ) 01176 { 01177 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 01178 len != 0 ) 01179 { 01180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) ); 01181 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01182 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01183 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01184 } 01185 01186 ((void) buf); 01187 01188 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 01189 01190 return( 0 ); 01191 } 01192 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01193 01194 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01195 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01196 const unsigned char *buf, 01197 size_t len ) 01198 { 01199 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 01200 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01201 len != 0 ) 01202 { 01203 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) ); 01204 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01205 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01206 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01207 } 01208 01209 ((void) buf); 01210 01211 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 01212 01213 return( 0 ); 01214 } 01215 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01216 01217 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01218 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 01219 const unsigned char *buf, 01220 size_t len ) 01221 { 01222 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01223 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01224 len != 0 ) 01225 { 01226 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) ); 01227 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01228 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01229 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01230 } 01231 01232 ((void) buf); 01233 01234 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 01235 01236 return( 0 ); 01237 } 01238 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01239 01240 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01241 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 01242 const unsigned char *buf, 01243 size_t len ) 01244 { 01245 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 01246 len != 0 ) 01247 { 01248 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) ); 01249 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01250 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01251 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01252 } 01253 01254 ((void) buf); 01255 01256 ssl->handshake->new_session_ticket = 1; 01257 01258 return( 0 ); 01259 } 01260 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01261 01262 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01263 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01264 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 01265 const unsigned char *buf, 01266 size_t len ) 01267 { 01268 size_t list_size; 01269 const unsigned char *p; 01270 01271 if( len == 0 || (size_t)( buf[0] + 1 ) != len ) 01272 { 01273 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01274 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01275 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01276 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01277 } 01278 list_size = buf[0]; 01279 01280 p = buf + 1; 01281 while( list_size > 0 ) 01282 { 01283 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 01284 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 01285 { 01286 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 01287 ssl->handshake->ecdh_ctx.point_format = p[0]; 01288 #endif 01289 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01290 ssl->handshake->ecjpake_ctx.point_format = p[0]; 01291 #endif 01292 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 01293 return( 0 ); 01294 } 01295 01296 list_size--; 01297 p++; 01298 } 01299 01300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 01301 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01302 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01303 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01304 } 01305 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01306 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01307 01308 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01309 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 01310 const unsigned char *buf, 01311 size_t len ) 01312 { 01313 int ret; 01314 01315 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 01316 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 01317 { 01318 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 01319 return( 0 ); 01320 } 01321 01322 /* If we got here, we no longer need our cached extension */ 01323 mbedtls_free( ssl->handshake->ecjpake_cache ); 01324 ssl->handshake->ecjpake_cache = NULL; 01325 ssl->handshake->ecjpake_cache_len = 0; 01326 01327 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 01328 buf, len ) ) != 0 ) 01329 { 01330 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 01331 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01332 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01333 return( ret ); 01334 } 01335 01336 return( 0 ); 01337 } 01338 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01339 01340 #if defined(MBEDTLS_SSL_ALPN) 01341 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 01342 const unsigned char *buf, size_t len ) 01343 { 01344 size_t list_len, name_len; 01345 const char **p; 01346 01347 /* If we didn't send it, the server shouldn't send it */ 01348 if( ssl->conf->alpn_list == NULL ) 01349 { 01350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) ); 01351 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01352 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01353 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01354 } 01355 01356 /* 01357 * opaque ProtocolName<1..2^8-1>; 01358 * 01359 * struct { 01360 * ProtocolName protocol_name_list<2..2^16-1> 01361 * } ProtocolNameList; 01362 * 01363 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 01364 */ 01365 01366 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 01367 if( len < 4 ) 01368 { 01369 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01370 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01371 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01372 } 01373 01374 list_len = ( buf[0] << 8 ) | buf[1]; 01375 if( list_len != len - 2 ) 01376 { 01377 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01378 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01379 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01380 } 01381 01382 name_len = buf[2]; 01383 if( name_len != list_len - 1 ) 01384 { 01385 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01386 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01387 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01388 } 01389 01390 /* Check that the server chosen protocol was in our list and save it */ 01391 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 01392 { 01393 if( name_len == strlen( *p ) && 01394 memcmp( buf + 3, *p, name_len ) == 0 ) 01395 { 01396 ssl->alpn_chosen = *p; 01397 return( 0 ); 01398 } 01399 } 01400 01401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) ); 01402 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01403 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01404 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01405 } 01406 #endif /* MBEDTLS_SSL_ALPN */ 01407 01408 /* 01409 * Parse HelloVerifyRequest. Only called after verifying the HS type. 01410 */ 01411 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01412 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 01413 { 01414 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 01415 int major_ver, minor_ver; 01416 unsigned char cookie_len; 01417 01418 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 01419 01420 /* 01421 * struct { 01422 * ProtocolVersion server_version; 01423 * opaque cookie<0..2^8-1>; 01424 * } HelloVerifyRequest; 01425 */ 01426 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 01427 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 01428 p += 2; 01429 01430 /* 01431 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 01432 * even is lower than our min version. 01433 */ 01434 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 01435 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 01436 major_ver > ssl->conf->max_major_ver || 01437 minor_ver > ssl->conf->max_minor_ver ) 01438 { 01439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 01440 01441 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01442 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01443 01444 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01445 } 01446 01447 cookie_len = *p++; 01448 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 01449 01450 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) 01451 { 01452 MBEDTLS_SSL_DEBUG_MSG( 1, 01453 ( "cookie length does not match incoming message size" ) ); 01454 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01455 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01456 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01457 } 01458 01459 mbedtls_free( ssl->handshake->verify_cookie ); 01460 01461 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 01462 if( ssl->handshake->verify_cookie == NULL ) 01463 { 01464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 01465 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 01466 } 01467 01468 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 01469 ssl->handshake->verify_cookie_len = cookie_len; 01470 01471 /* Start over at ClientHello */ 01472 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 01473 mbedtls_ssl_reset_checksum( ssl ); 01474 01475 mbedtls_ssl_recv_flight_completed( ssl ); 01476 01477 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 01478 01479 return( 0 ); 01480 } 01481 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01482 01483 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 01484 { 01485 int ret, i; 01486 size_t n; 01487 size_t ext_len; 01488 unsigned char *buf, *ext; 01489 unsigned char comp; 01490 #if defined(MBEDTLS_ZLIB_SUPPORT) 01491 int accept_comp; 01492 #endif 01493 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01494 int renegotiation_info_seen = 0; 01495 #endif 01496 int handshake_failure = 0; 01497 const mbedtls_ssl_ciphersuite_t *suite_info; 01498 01499 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01500 01501 buf = ssl->in_msg; 01502 01503 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 01504 { 01505 /* No alert on a read error. */ 01506 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 01507 return( ret ); 01508 } 01509 01510 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 01511 { 01512 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01513 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01514 { 01515 ssl->renego_records_seen++; 01516 01517 if( ssl->conf->renego_max_records >= 0 && 01518 ssl->renego_records_seen > ssl->conf->renego_max_records ) 01519 { 01520 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01521 "but not honored by server" ) ); 01522 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01523 } 01524 01525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01526 01527 ssl->keep_current_message = 1; 01528 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01529 } 01530 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01531 01532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01533 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01534 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 01535 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01536 } 01537 01538 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01539 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01540 { 01541 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 01542 { 01543 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 01544 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01545 return( ssl_parse_hello_verify_request( ssl ) ); 01546 } 01547 else 01548 { 01549 /* We made it through the verification process */ 01550 mbedtls_free( ssl->handshake->verify_cookie ); 01551 ssl->handshake->verify_cookie = NULL; 01552 ssl->handshake->verify_cookie_len = 0; 01553 } 01554 } 01555 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01556 01557 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 01558 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 01559 { 01560 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01561 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01562 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01563 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01564 } 01565 01566 /* 01567 * 0 . 1 server_version 01568 * 2 . 33 random (maybe including 4 bytes of Unix time) 01569 * 34 . 34 session_id length = n 01570 * 35 . 34+n session_id 01571 * 35+n . 36+n cipher_suite 01572 * 37+n . 37+n compression_method 01573 * 01574 * 38+n . 39+n extensions length (optional) 01575 * 40+n . .. extensions 01576 */ 01577 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01578 01579 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 01580 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01581 ssl->conf->transport, buf + 0 ); 01582 01583 if( ssl->major_ver < ssl->conf->min_major_ver || 01584 ssl->minor_ver < ssl->conf->min_minor_ver || 01585 ssl->major_ver > ssl->conf->max_major_ver || 01586 ssl->minor_ver > ssl->conf->max_minor_ver ) 01587 { 01588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 01589 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 01590 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 01591 ssl->major_ver, ssl->minor_ver, 01592 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 01593 01594 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01595 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01596 01597 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01598 } 01599 01600 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", 01601 ( (uint32_t) buf[2] << 24 ) | 01602 ( (uint32_t) buf[3] << 16 ) | 01603 ( (uint32_t) buf[4] << 8 ) | 01604 ( (uint32_t) buf[5] ) ) ); 01605 01606 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 01607 01608 n = buf[34]; 01609 01610 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 01611 01612 if( n > 32 ) 01613 { 01614 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01615 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01616 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01617 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01618 } 01619 01620 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 01621 { 01622 ext_len = ( ( buf[38 + n] << 8 ) 01623 | ( buf[39 + n] ) ); 01624 01625 if( ( ext_len > 0 && ext_len < 4 ) || 01626 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 01627 { 01628 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01629 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01630 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01631 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01632 } 01633 } 01634 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 01635 { 01636 ext_len = 0; 01637 } 01638 else 01639 { 01640 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01641 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01642 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01643 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01644 } 01645 01646 /* ciphersuite (used later) */ 01647 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 01648 01649 /* 01650 * Read and check compression 01651 */ 01652 comp = buf[37 + n]; 01653 01654 #if defined(MBEDTLS_ZLIB_SUPPORT) 01655 /* See comments in ssl_write_client_hello() */ 01656 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01657 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01658 accept_comp = 0; 01659 else 01660 #endif 01661 accept_comp = 1; 01662 01663 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 01664 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 01665 #else /* MBEDTLS_ZLIB_SUPPORT */ 01666 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 01667 #endif/* MBEDTLS_ZLIB_SUPPORT */ 01668 { 01669 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 01670 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01671 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01672 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01673 } 01674 01675 /* 01676 * Initialize update checksum functions 01677 */ 01678 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 01679 01680 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 01681 { 01682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01683 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01684 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01685 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01686 } 01687 01688 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01689 01690 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01691 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 01692 01693 /* 01694 * Check if the session can be resumed 01695 */ 01696 if( ssl->handshake->resume == 0 || n == 0 || 01697 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01698 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 01699 #endif 01700 ssl->session_negotiate->ciphersuite != i || 01701 ssl->session_negotiate->compression != comp || 01702 ssl->session_negotiate->id_len != n || 01703 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 01704 { 01705 ssl->state++; 01706 ssl->handshake->resume = 0; 01707 #if defined(MBEDTLS_HAVE_TIME) 01708 ssl->session_negotiate->start = mbedtls_time( NULL ); 01709 #endif 01710 ssl->session_negotiate->ciphersuite = i; 01711 ssl->session_negotiate->compression = comp; 01712 ssl->session_negotiate->id_len = n; 01713 memcpy( ssl->session_negotiate->id, buf + 35, n ); 01714 } 01715 else 01716 { 01717 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 01718 01719 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 01720 { 01721 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 01722 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01723 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01724 return( ret ); 01725 } 01726 } 01727 01728 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01729 ssl->handshake->resume ? "a" : "no" ) ); 01730 01731 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 01732 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 01733 01734 /* 01735 * Perform cipher suite validation in same way as in ssl_write_client_hello. 01736 */ 01737 i = 0; 01738 while( 1 ) 01739 { 01740 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01741 { 01742 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01743 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01744 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01745 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01746 } 01747 01748 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 01749 ssl->session_negotiate->ciphersuite ) 01750 { 01751 break; 01752 } 01753 } 01754 01755 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01756 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 ) 01757 { 01758 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01759 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01760 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01761 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01762 } 01763 01764 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 01765 01766 if( comp != MBEDTLS_SSL_COMPRESS_NULL 01767 #if defined(MBEDTLS_ZLIB_SUPPORT) 01768 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 01769 #endif 01770 ) 01771 { 01772 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01773 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01774 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01775 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01776 } 01777 ssl->session_negotiate->compression = comp; 01778 01779 ext = buf + 40 + n; 01780 01781 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01782 01783 while( ext_len ) 01784 { 01785 unsigned int ext_id = ( ( ext[0] << 8 ) 01786 | ( ext[1] ) ); 01787 unsigned int ext_size = ( ( ext[2] << 8 ) 01788 | ( ext[3] ) ); 01789 01790 if( ext_size + 4 > ext_len ) 01791 { 01792 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01793 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01794 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01795 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01796 } 01797 01798 switch( ext_id ) 01799 { 01800 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01801 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01802 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01803 renegotiation_info_seen = 1; 01804 #endif 01805 01806 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01807 ext_size ) ) != 0 ) 01808 return( ret ); 01809 01810 break; 01811 01812 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01813 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01814 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01815 01816 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01817 ext + 4, ext_size ) ) != 0 ) 01818 { 01819 return( ret ); 01820 } 01821 01822 break; 01823 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01824 01825 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01826 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01827 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01828 01829 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01830 ext + 4, ext_size ) ) != 0 ) 01831 { 01832 return( ret ); 01833 } 01834 01835 break; 01836 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01837 01838 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01839 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01840 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 01841 01842 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 01843 ext + 4, ext_size ) ) != 0 ) 01844 { 01845 return( ret ); 01846 } 01847 01848 break; 01849 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01850 01851 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01852 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01853 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 01854 01855 if( ( ret = ssl_parse_extended_ms_ext( ssl, 01856 ext + 4, ext_size ) ) != 0 ) 01857 { 01858 return( ret ); 01859 } 01860 01861 break; 01862 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01863 01864 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01865 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01866 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01867 01868 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01869 ext + 4, ext_size ) ) != 0 ) 01870 { 01871 return( ret ); 01872 } 01873 01874 break; 01875 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01876 01877 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01878 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01879 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01880 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01881 01882 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01883 ext + 4, ext_size ) ) != 0 ) 01884 { 01885 return( ret ); 01886 } 01887 01888 break; 01889 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01890 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01891 01892 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01893 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01894 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 01895 01896 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 01897 ext + 4, ext_size ) ) != 0 ) 01898 { 01899 return( ret ); 01900 } 01901 01902 break; 01903 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01904 01905 #if defined(MBEDTLS_SSL_ALPN) 01906 case MBEDTLS_TLS_EXT_ALPN: 01907 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01908 01909 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01910 return( ret ); 01911 01912 break; 01913 #endif /* MBEDTLS_SSL_ALPN */ 01914 01915 default: 01916 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01917 ext_id ) ); 01918 } 01919 01920 ext_len -= 4 + ext_size; 01921 ext += 4 + ext_size; 01922 01923 if( ext_len > 0 && ext_len < 4 ) 01924 { 01925 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01926 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01927 } 01928 } 01929 01930 /* 01931 * Renegotiation security checks 01932 */ 01933 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01934 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01935 { 01936 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01937 handshake_failure = 1; 01938 } 01939 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01940 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01941 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01942 renegotiation_info_seen == 0 ) 01943 { 01944 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01945 handshake_failure = 1; 01946 } 01947 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01948 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01949 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01950 { 01951 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01952 handshake_failure = 1; 01953 } 01954 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01955 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01956 renegotiation_info_seen == 1 ) 01957 { 01958 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01959 handshake_failure = 1; 01960 } 01961 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01962 01963 if( handshake_failure == 1 ) 01964 { 01965 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01966 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01967 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01968 } 01969 01970 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01971 01972 return( 0 ); 01973 } 01974 01975 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01976 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01977 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 01978 unsigned char *end ) 01979 { 01980 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01981 01982 /* 01983 * Ephemeral DH parameters: 01984 * 01985 * struct { 01986 * opaque dh_p<1..2^16-1>; 01987 * opaque dh_g<1..2^16-1>; 01988 * opaque dh_Ys<1..2^16-1>; 01989 * } ServerDHParams; 01990 */ 01991 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01992 { 01993 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 01994 return( ret ); 01995 } 01996 01997 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 01998 { 01999 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 02000 ssl->handshake->dhm_ctx.len * 8, 02001 ssl->conf->dhm_min_bitlen ) ); 02002 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02003 } 02004 02005 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 02006 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 02007 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 02008 02009 return( ret ); 02010 } 02011 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02012 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02013 02014 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02015 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02016 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02017 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02018 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02019 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 02020 { 02021 const mbedtls_ecp_curve_info *curve_info; 02022 02023 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 02024 if( curve_info == NULL ) 02025 { 02026 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02027 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02028 } 02029 02030 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 02031 02032 #if defined(MBEDTLS_ECP_C) 02033 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 02034 #else 02035 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 02036 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 02037 #endif 02038 return( -1 ); 02039 02040 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 02041 02042 return( 0 ); 02043 } 02044 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02045 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02046 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02047 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02048 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02049 02050 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02051 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02052 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02053 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 02054 unsigned char **p, 02055 unsigned char *end ) 02056 { 02057 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02058 02059 /* 02060 * Ephemeral ECDH parameters: 02061 * 02062 * struct { 02063 * ECParameters curve_params; 02064 * ECPoint public; 02065 * } ServerECDHParams; 02066 */ 02067 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 02068 (const unsigned char **) p, end ) ) != 0 ) 02069 { 02070 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 02071 return( ret ); 02072 } 02073 02074 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02075 { 02076 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 02077 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02078 } 02079 02080 return( ret ); 02081 } 02082 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02083 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02084 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02085 02086 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02087 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 02088 unsigned char **p, 02089 unsigned char *end ) 02090 { 02091 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02092 size_t len; 02093 ((void) ssl); 02094 02095 /* 02096 * PSK parameters: 02097 * 02098 * opaque psk_identity_hint<0..2^16-1>; 02099 */ 02100 if( (*p) > end - 2 ) 02101 { 02102 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 02103 "(psk_identity_hint length)" ) ); 02104 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02105 } 02106 len = (*p)[0] << 8 | (*p)[1]; 02107 *p += 2; 02108 02109 if( (*p) > end - len ) 02110 { 02111 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 02112 "(psk_identity_hint length)" ) ); 02113 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02114 } 02115 02116 /* 02117 * Note: we currently ignore the PKS identity hint, as we only allow one 02118 * PSK to be provisionned on the client. This could be changed later if 02119 * someone needs that feature. 02120 */ 02121 *p += len; 02122 ret = 0; 02123 02124 return( ret ); 02125 } 02126 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02127 02128 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 02129 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02130 /* 02131 * Generate a pre-master secret and encrypt it with the server's RSA key 02132 */ 02133 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 02134 size_t offset, size_t *olen, 02135 size_t pms_offset ) 02136 { 02137 int ret; 02138 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 02139 unsigned char *p = ssl->handshake->premaster + pms_offset; 02140 02141 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN ) 02142 { 02143 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 02144 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02145 } 02146 02147 /* 02148 * Generate (part of) the pre-master as 02149 * struct { 02150 * ProtocolVersion client_version; 02151 * opaque random[46]; 02152 * } PreMasterSecret; 02153 */ 02154 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 02155 ssl->conf->transport, p ); 02156 02157 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 02158 { 02159 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 02160 return( ret ); 02161 } 02162 02163 ssl->handshake->pmslen = 48; 02164 02165 if( ssl->session_negotiate->peer_cert == NULL ) 02166 { 02167 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02168 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02169 } 02170 02171 /* 02172 * Now write it out, encrypted 02173 */ 02174 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02175 MBEDTLS_PK_RSA ) ) 02176 { 02177 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 02178 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02179 } 02180 02181 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 02182 p, ssl->handshake->pmslen, 02183 ssl->out_msg + offset + len_bytes, olen, 02184 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes, 02185 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02186 { 02187 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 02188 return( ret ); 02189 } 02190 02191 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02192 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02193 if( len_bytes == 2 ) 02194 { 02195 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 02196 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 02197 *olen += 2; 02198 } 02199 #endif 02200 02201 return( 0 ); 02202 } 02203 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 02204 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02205 02206 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02207 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02208 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02209 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02210 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 02211 unsigned char **p, 02212 unsigned char *end, 02213 mbedtls_md_type_t *md_alg, 02214 mbedtls_pk_type_t *pk_alg ) 02215 { 02216 ((void) ssl); 02217 *md_alg = MBEDTLS_MD_NONE; 02218 *pk_alg = MBEDTLS_PK_NONE; 02219 02220 /* Only in TLS 1.2 */ 02221 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 02222 { 02223 return( 0 ); 02224 } 02225 02226 if( (*p) + 2 > end ) 02227 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02228 02229 /* 02230 * Get hash algorithm 02231 */ 02232 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 02233 { 02234 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " 02235 "HashAlgorithm %d", *(p)[0] ) ); 02236 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02237 } 02238 02239 /* 02240 * Get signature algorithm 02241 */ 02242 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 02243 { 02244 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " 02245 "SignatureAlgorithm %d", (*p)[1] ) ); 02246 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02247 } 02248 02249 /* 02250 * Check if the hash is acceptable 02251 */ 02252 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 02253 { 02254 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered", 02255 *(p)[0] ) ); 02256 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02257 } 02258 02259 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 02260 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 02261 *p += 2; 02262 02263 return( 0 ); 02264 } 02265 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02266 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02267 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02268 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02269 02270 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02271 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02272 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02273 { 02274 int ret; 02275 const mbedtls_ecp_keypair *peer_key; 02276 02277 if( ssl->session_negotiate->peer_cert == NULL ) 02278 { 02279 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02280 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02281 } 02282 02283 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02284 MBEDTLS_PK_ECKEY ) ) 02285 { 02286 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02287 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02288 } 02289 02290 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 02291 02292 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 02293 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 02294 { 02295 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02296 return( ret ); 02297 } 02298 02299 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02300 { 02301 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 02302 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 02303 } 02304 02305 return( ret ); 02306 } 02307 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02308 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02309 02310 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 02311 { 02312 int ret; 02313 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02314 ssl->transform_negotiate->ciphersuite_info; 02315 unsigned char *p = NULL, *end = NULL; 02316 02317 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 02318 02319 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02320 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02321 { 02322 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02323 ssl->state++; 02324 return( 0 ); 02325 } 02326 ((void) p); 02327 ((void) end); 02328 #endif 02329 02330 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02331 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02332 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02333 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02334 { 02335 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 02336 { 02337 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 02338 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02339 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02340 return( ret ); 02341 } 02342 02343 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02344 ssl->state++; 02345 return( 0 ); 02346 } 02347 ((void) p); 02348 ((void) end); 02349 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02350 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02351 02352 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 02353 { 02354 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02355 return( ret ); 02356 } 02357 02358 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02359 { 02360 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02361 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02362 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02363 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02364 } 02365 02366 /* 02367 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 02368 * doesn't use a psk_identity_hint 02369 */ 02370 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 02371 { 02372 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02373 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02374 { 02375 /* Current message is probably either 02376 * CertificateRequest or ServerHelloDone */ 02377 ssl->keep_current_message = 1; 02378 goto exit; 02379 } 02380 02381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must " 02382 "not be skipped" ) ); 02383 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02384 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02385 02386 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02387 } 02388 02389 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02390 end = ssl->in_msg + ssl->in_hslen; 02391 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 02392 02393 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02394 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02395 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02396 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02397 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02398 { 02399 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 02400 { 02401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02402 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02403 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02404 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02405 } 02406 } /* FALLTROUGH */ 02407 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02408 02409 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02410 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02411 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02412 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02413 ; /* nothing more to do */ 02414 else 02415 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 02416 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02417 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02418 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02419 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02420 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02421 { 02422 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 02423 { 02424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02425 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02426 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02427 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02428 } 02429 } 02430 else 02431 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02432 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02433 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02434 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02435 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02436 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02437 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02438 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02439 { 02440 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 02441 { 02442 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02443 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02444 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02445 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02446 } 02447 } 02448 else 02449 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02450 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02451 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02452 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02453 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02454 { 02455 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 02456 p, end - p ); 02457 if( ret != 0 ) 02458 { 02459 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 02460 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02461 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02462 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02463 } 02464 } 02465 else 02466 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02467 { 02468 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02469 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02470 } 02471 02472 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02473 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 02474 { 02475 size_t sig_len, hashlen; 02476 unsigned char hash[64]; 02477 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02478 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 02479 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02480 size_t params_len = p - params; 02481 02482 /* 02483 * Handle the digitally-signed structure 02484 */ 02485 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02486 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02487 { 02488 if( ssl_parse_signature_algorithm( ssl, &p, end, 02489 &md_alg, &pk_alg ) != 0 ) 02490 { 02491 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02492 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02493 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02494 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02495 } 02496 02497 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 02498 { 02499 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02500 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02501 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02502 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02503 } 02504 } 02505 else 02506 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02507 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02508 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02509 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 02510 { 02511 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 02512 02513 /* Default hash for ECDSA is SHA-1 */ 02514 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 02515 md_alg = MBEDTLS_MD_SHA1; 02516 } 02517 else 02518 #endif 02519 { 02520 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02521 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02522 } 02523 02524 /* 02525 * Read signature 02526 */ 02527 02528 if( p > end - 2 ) 02529 { 02530 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02531 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02532 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02533 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02534 } 02535 sig_len = ( p[0] << 8 ) | p[1]; 02536 p += 2; 02537 02538 if( p != end - sig_len ) 02539 { 02540 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02541 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02542 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02543 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02544 } 02545 02546 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 02547 02548 /* 02549 * Compute the hash that has been signed 02550 */ 02551 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02552 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02553 if( md_alg == MBEDTLS_MD_NONE ) 02554 { 02555 hashlen = 36; 02556 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params, 02557 params_len ); 02558 if( ret != 0 ) 02559 return( ret ); 02560 } 02561 else 02562 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02563 MBEDTLS_SSL_PROTO_TLS1_1 */ 02564 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02565 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02566 if( md_alg != MBEDTLS_MD_NONE ) 02567 { 02568 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, 02569 params, params_len, 02570 md_alg ); 02571 if( ret != 0 ) 02572 return( ret ); 02573 } 02574 else 02575 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02576 MBEDTLS_SSL_PROTO_TLS1_2 */ 02577 { 02578 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02579 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02580 } 02581 02582 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen ); 02583 02584 if( ssl->session_negotiate->peer_cert == NULL ) 02585 { 02586 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02587 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02588 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02589 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02590 } 02591 02592 /* 02593 * Verify signature 02594 */ 02595 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 02596 { 02597 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02598 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02599 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02600 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02601 } 02602 02603 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 02604 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 02605 { 02606 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02607 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); 02608 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 02609 return( ret ); 02610 } 02611 } 02612 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 02613 02614 exit: 02615 ssl->state++; 02616 02617 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02618 02619 return( 0 ); 02620 } 02621 02622 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 02623 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02624 { 02625 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02626 ssl->transform_negotiate->ciphersuite_info; 02627 02628 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02629 02630 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02631 { 02632 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02633 ssl->state++; 02634 return( 0 ); 02635 } 02636 02637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02638 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02639 } 02640 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02641 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02642 { 02643 int ret; 02644 unsigned char *buf; 02645 size_t n = 0; 02646 size_t cert_type_len = 0, dn_len = 0; 02647 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02648 ssl->transform_negotiate->ciphersuite_info; 02649 02650 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02651 02652 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02653 { 02654 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02655 ssl->state++; 02656 return( 0 ); 02657 } 02658 02659 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 02660 { 02661 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02662 return( ret ); 02663 } 02664 02665 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02666 { 02667 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02668 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02669 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02670 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02671 } 02672 02673 ssl->state++; 02674 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); 02675 02676 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 02677 ssl->client_auth ? "a" : "no" ) ); 02678 02679 if( ssl->client_auth == 0 ) 02680 { 02681 /* Current message is probably the ServerHelloDone */ 02682 ssl->keep_current_message = 1; 02683 goto exit; 02684 } 02685 02686 /* 02687 * struct { 02688 * ClientCertificateType certificate_types<1..2^8-1>; 02689 * SignatureAndHashAlgorithm 02690 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 02691 * DistinguishedName certificate_authorities<0..2^16-1>; 02692 * } CertificateRequest; 02693 * 02694 * Since we only support a single certificate on clients, let's just 02695 * ignore all the information that's supposed to help us pick a 02696 * certificate. 02697 * 02698 * We could check that our certificate matches the request, and bail out 02699 * if it doesn't, but it's simpler to just send the certificate anyway, 02700 * and give the server the opportunity to decide if it should terminate 02701 * the connection when it doesn't like our certificate. 02702 * 02703 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 02704 * point we only have one hash available (see comments in 02705 * write_certificate_verify), so let's just use what we have. 02706 * 02707 * However, we still minimally parse the message to check it is at least 02708 * superficially sane. 02709 */ 02710 buf = ssl->in_msg; 02711 02712 /* certificate_types */ 02713 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) ) 02714 { 02715 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02716 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02717 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02718 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02719 } 02720 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 02721 n = cert_type_len; 02722 02723 /* 02724 * In the subsequent code there are two paths that read from buf: 02725 * * the length of the signature algorithms field (if minor version of 02726 * SSL is 3), 02727 * * distinguished name length otherwise. 02728 * Both reach at most the index: 02729 * ...hdr_len + 2 + n, 02730 * therefore the buffer length at this point must be greater than that 02731 * regardless of the actual code path. 02732 */ 02733 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02734 { 02735 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02736 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02737 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02738 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02739 } 02740 02741 /* supported_signature_algorithms */ 02742 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02743 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02744 { 02745 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02746 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02747 #if defined(MBEDTLS_DEBUG_C) 02748 unsigned char* sig_alg; 02749 size_t i; 02750 #endif 02751 02752 /* 02753 * The furthest access in buf is in the loop few lines below: 02754 * sig_alg[i + 1], 02755 * where: 02756 * sig_alg = buf + ...hdr_len + 3 + n, 02757 * max(i) = sig_alg_len - 1. 02758 * Therefore the furthest access is: 02759 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1], 02760 * which reduces to: 02761 * buf[...hdr_len + 3 + n + sig_alg_len], 02762 * which is one less than we need the buf to be. 02763 */ 02764 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len ) 02765 { 02766 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02767 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02768 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02769 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02770 } 02771 02772 #if defined(MBEDTLS_DEBUG_C) 02773 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; 02774 for( i = 0; i < sig_alg_len; i += 2 ) 02775 { 02776 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d" 02777 ",%d", sig_alg[i], sig_alg[i + 1] ) ); 02778 } 02779 #endif 02780 02781 n += 2 + sig_alg_len; 02782 } 02783 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02784 02785 /* certificate_authorities */ 02786 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02787 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02788 02789 n += dn_len; 02790 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 02791 { 02792 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02793 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02794 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02795 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02796 } 02797 02798 exit: 02799 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 02800 02801 return( 0 ); 02802 } 02803 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02804 02805 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 02806 { 02807 int ret; 02808 02809 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 02810 02811 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 02812 { 02813 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02814 return( ret ); 02815 } 02816 02817 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02818 { 02819 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02820 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02821 } 02822 02823 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 02824 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 02825 { 02826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02827 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02828 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02829 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02830 } 02831 02832 ssl->state++; 02833 02834 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02835 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02836 mbedtls_ssl_recv_flight_completed( ssl ); 02837 #endif 02838 02839 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02840 02841 return( 0 ); 02842 } 02843 02844 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 02845 { 02846 int ret; 02847 size_t i, n; 02848 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02849 ssl->transform_negotiate->ciphersuite_info; 02850 02851 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02852 02853 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 02854 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 02855 { 02856 /* 02857 * DHM key exchange -- send G^X mod P 02858 */ 02859 n = ssl->handshake->dhm_ctx.len; 02860 02861 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02862 ssl->out_msg[5] = (unsigned char)( n ); 02863 i = 6; 02864 02865 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02866 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02867 &ssl->out_msg[i], n, 02868 ssl->conf->f_rng, ssl->conf->p_rng ); 02869 if( ret != 0 ) 02870 { 02871 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02872 return( ret ); 02873 } 02874 02875 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02876 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02877 02878 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 02879 ssl->handshake->premaster, 02880 MBEDTLS_PREMASTER_SIZE, 02881 &ssl->handshake->pmslen, 02882 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02883 { 02884 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 02885 return( ret ); 02886 } 02887 02888 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02889 } 02890 else 02891 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02892 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02893 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02894 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02895 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02896 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02897 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 02898 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02899 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02900 { 02901 /* 02902 * ECDH key exchange -- send client public value 02903 */ 02904 i = 4; 02905 02906 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 02907 &n, 02908 &ssl->out_msg[i], 1000, 02909 ssl->conf->f_rng, ssl->conf->p_rng ); 02910 if( ret != 0 ) 02911 { 02912 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02913 return( ret ); 02914 } 02915 02916 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02917 02918 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02919 &ssl->handshake->pmslen, 02920 ssl->handshake->premaster, 02921 MBEDTLS_MPI_MAX_SIZE, 02922 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02923 { 02924 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 02925 return( ret ); 02926 } 02927 02928 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02929 } 02930 else 02931 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02932 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02933 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02934 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02935 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02936 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) 02937 { 02938 /* 02939 * opaque psk_identity<0..2^16-1>; 02940 */ 02941 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 02942 { 02943 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 02944 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02945 } 02946 02947 i = 4; 02948 n = ssl->conf->psk_identity_len; 02949 02950 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN ) 02951 { 02952 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 02953 "SSL buffer too short" ) ); 02954 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02955 } 02956 02957 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02958 ssl->out_msg[i++] = (unsigned char)( n ); 02959 02960 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 02961 i += ssl->conf->psk_identity_len; 02962 02963 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 02964 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 02965 { 02966 n = 0; 02967 } 02968 else 02969 #endif 02970 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02971 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02972 { 02973 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02974 return( ret ); 02975 } 02976 else 02977 #endif 02978 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02979 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02980 { 02981 /* 02982 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02983 */ 02984 n = ssl->handshake->dhm_ctx.len; 02985 02986 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN ) 02987 { 02988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 02989 " or SSL buffer too short" ) ); 02990 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02991 } 02992 02993 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02994 ssl->out_msg[i++] = (unsigned char)( n ); 02995 02996 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02997 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02998 &ssl->out_msg[i], n, 02999 ssl->conf->f_rng, ssl->conf->p_rng ); 03000 if( ret != 0 ) 03001 { 03002 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 03003 return( ret ); 03004 } 03005 } 03006 else 03007 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03008 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 03009 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 03010 { 03011 /* 03012 * ClientECDiffieHellmanPublic public; 03013 */ 03014 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 03015 &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i, 03016 ssl->conf->f_rng, ssl->conf->p_rng ); 03017 if( ret != 0 ) 03018 { 03019 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 03020 return( ret ); 03021 } 03022 03023 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 03024 } 03025 else 03026 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 03027 { 03028 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03029 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03030 } 03031 03032 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03033 ciphersuite_info->key_exchange ) ) != 0 ) 03034 { 03035 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03036 return( ret ); 03037 } 03038 } 03039 else 03040 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 03041 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 03042 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 03043 { 03044 i = 4; 03045 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 03046 return( ret ); 03047 } 03048 else 03049 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03050 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 03051 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03052 { 03053 i = 4; 03054 03055 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 03056 ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n, 03057 ssl->conf->f_rng, ssl->conf->p_rng ); 03058 if( ret != 0 ) 03059 { 03060 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 03061 return( ret ); 03062 } 03063 03064 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 03065 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 03066 ssl->conf->f_rng, ssl->conf->p_rng ); 03067 if( ret != 0 ) 03068 { 03069 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 03070 return( ret ); 03071 } 03072 } 03073 else 03074 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03075 { 03076 ((void) ciphersuite_info); 03077 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03078 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03079 } 03080 03081 ssl->out_msglen = i + n; 03082 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03083 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 03084 03085 ssl->state++; 03086 03087 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 03088 { 03089 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 03090 return( ret ); 03091 } 03092 03093 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 03094 03095 return( 0 ); 03096 } 03097 03098 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 03099 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 03100 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 03101 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 03102 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 03103 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 03104 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03105 { 03106 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03107 ssl->transform_negotiate->ciphersuite_info; 03108 int ret; 03109 03110 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03111 03112 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03113 { 03114 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03115 return( ret ); 03116 } 03117 03118 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03119 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03120 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03121 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03122 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03123 { 03124 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03125 ssl->state++; 03126 return( 0 ); 03127 } 03128 03129 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03130 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03131 } 03132 #else 03133 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03134 { 03135 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03136 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03137 ssl->transform_negotiate->ciphersuite_info; 03138 size_t n = 0, offset = 0; 03139 unsigned char hash[48]; 03140 unsigned char *hash_start = hash; 03141 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 03142 unsigned int hashlen; 03143 03144 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03145 03146 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03147 { 03148 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03149 return( ret ); 03150 } 03151 03152 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03153 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03154 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03155 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03156 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03157 { 03158 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03159 ssl->state++; 03160 return( 0 ); 03161 } 03162 03163 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 03164 { 03165 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03166 ssl->state++; 03167 return( 0 ); 03168 } 03169 03170 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03171 { 03172 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 03173 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03174 } 03175 03176 /* 03177 * Make an RSA signature of the handshake digests 03178 */ 03179 ssl->handshake->calc_verify( ssl, hash ); 03180 03181 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03182 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03183 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03184 { 03185 /* 03186 * digitally-signed struct { 03187 * opaque md5_hash[16]; 03188 * opaque sha_hash[20]; 03189 * }; 03190 * 03191 * md5_hash 03192 * MD5(handshake_messages); 03193 * 03194 * sha_hash 03195 * SHA(handshake_messages); 03196 */ 03197 hashlen = 36; 03198 md_alg = MBEDTLS_MD_NONE; 03199 03200 /* 03201 * For ECDSA, default hash is SHA-1 only 03202 */ 03203 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 03204 { 03205 hash_start += 16; 03206 hashlen -= 16; 03207 md_alg = MBEDTLS_MD_SHA1; 03208 } 03209 } 03210 else 03211 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03212 MBEDTLS_SSL_PROTO_TLS1_1 */ 03213 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03214 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03215 { 03216 /* 03217 * digitally-signed struct { 03218 * opaque handshake_messages[handshake_messages_length]; 03219 * }; 03220 * 03221 * Taking shortcut here. We assume that the server always allows the 03222 * PRF Hash function and has sent it in the allowed signature 03223 * algorithms list received in the Certificate Request message. 03224 * 03225 * Until we encounter a server that does not, we will take this 03226 * shortcut. 03227 * 03228 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 03229 * in order to satisfy 'weird' needs from the server side. 03230 */ 03231 if( ssl->transform_negotiate->ciphersuite_info->mac == 03232 MBEDTLS_MD_SHA384 ) 03233 { 03234 md_alg = MBEDTLS_MD_SHA384; 03235 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 03236 } 03237 else 03238 { 03239 md_alg = MBEDTLS_MD_SHA256; 03240 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 03241 } 03242 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 03243 03244 /* Info from md_alg will be used instead */ 03245 hashlen = 0; 03246 offset = 2; 03247 } 03248 else 03249 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03250 { 03251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03252 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03253 } 03254 03255 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 03256 ssl->out_msg + 6 + offset, &n, 03257 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03258 { 03259 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03260 return( ret ); 03261 } 03262 03263 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 03264 ssl->out_msg[5 + offset] = (unsigned char)( n ); 03265 03266 ssl->out_msglen = 6 + n + offset; 03267 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03268 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 03269 03270 ssl->state++; 03271 03272 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 03273 { 03274 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 03275 return( ret ); 03276 } 03277 03278 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 03279 03280 return( ret ); 03281 } 03282 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03283 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03284 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 03285 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 03286 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 03287 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03288 03289 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03290 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 03291 { 03292 int ret; 03293 uint32_t lifetime; 03294 size_t ticket_len; 03295 unsigned char *ticket; 03296 const unsigned char *msg; 03297 03298 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 03299 03300 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 03301 { 03302 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03303 return( ret ); 03304 } 03305 03306 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03307 { 03308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03309 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03310 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 03311 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03312 } 03313 03314 /* 03315 * struct { 03316 * uint32 ticket_lifetime_hint; 03317 * opaque ticket<0..2^16-1>; 03318 * } NewSessionTicket; 03319 * 03320 * 0 . 3 ticket_lifetime_hint 03321 * 4 . 5 ticket_len (n) 03322 * 6 . 5+n ticket content 03323 */ 03324 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 03325 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 03326 { 03327 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03328 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03329 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03330 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03331 } 03332 03333 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03334 03335 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) | 03336 ( msg[2] << 8 ) | ( msg[3] ); 03337 03338 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 03339 03340 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 03341 { 03342 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03343 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03344 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03345 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03346 } 03347 03348 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 03349 03350 /* We're not waiting for a NewSessionTicket message any more */ 03351 ssl->handshake->new_session_ticket = 0; 03352 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 03353 03354 /* 03355 * Zero-length ticket means the server changed his mind and doesn't want 03356 * to send a ticket after all, so just forget it 03357 */ 03358 if( ticket_len == 0 ) 03359 return( 0 ); 03360 03361 mbedtls_platform_zeroize( ssl->session_negotiate->ticket, 03362 ssl->session_negotiate->ticket_len ); 03363 mbedtls_free( ssl->session_negotiate->ticket ); 03364 ssl->session_negotiate->ticket = NULL; 03365 ssl->session_negotiate->ticket_len = 0; 03366 03367 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 03368 { 03369 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 03370 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03371 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 03372 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03373 } 03374 03375 memcpy( ticket, msg + 6, ticket_len ); 03376 03377 ssl->session_negotiate->ticket = ticket; 03378 ssl->session_negotiate->ticket_len = ticket_len; 03379 ssl->session_negotiate->ticket_lifetime = lifetime; 03380 03381 /* 03382 * RFC 5077 section 3.4: 03383 * "If the client receives a session ticket from the server, then it 03384 * discards any Session ID that was sent in the ServerHello." 03385 */ 03386 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 03387 ssl->session_negotiate->id_len = 0; 03388 03389 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 03390 03391 return( 0 ); 03392 } 03393 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03394 03395 /* 03396 * SSL handshake -- client side -- single step 03397 */ 03398 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 03399 { 03400 int ret = 0; 03401 03402 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03403 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03404 03405 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 03406 03407 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03408 return( ret ); 03409 03410 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03411 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03412 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03413 { 03414 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) 03415 return( ret ); 03416 } 03417 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03418 03419 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 03420 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 03421 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03422 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 03423 ssl->handshake->new_session_ticket != 0 ) 03424 { 03425 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 03426 } 03427 #endif 03428 03429 switch( ssl->state ) 03430 { 03431 case MBEDTLS_SSL_HELLO_REQUEST: 03432 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03433 break; 03434 03435 /* 03436 * ==> ClientHello 03437 */ 03438 case MBEDTLS_SSL_CLIENT_HELLO: 03439 ret = ssl_write_client_hello( ssl ); 03440 break; 03441 03442 /* 03443 * <== ServerHello 03444 * Certificate 03445 * ( ServerKeyExchange ) 03446 * ( CertificateRequest ) 03447 * ServerHelloDone 03448 */ 03449 case MBEDTLS_SSL_SERVER_HELLO: 03450 ret = ssl_parse_server_hello( ssl ); 03451 break; 03452 03453 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03454 ret = mbedtls_ssl_parse_certificate( ssl ); 03455 break; 03456 03457 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03458 ret = ssl_parse_server_key_exchange( ssl ); 03459 break; 03460 03461 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03462 ret = ssl_parse_certificate_request( ssl ); 03463 break; 03464 03465 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03466 ret = ssl_parse_server_hello_done( ssl ); 03467 break; 03468 03469 /* 03470 * ==> ( Certificate/Alert ) 03471 * ClientKeyExchange 03472 * ( CertificateVerify ) 03473 * ChangeCipherSpec 03474 * Finished 03475 */ 03476 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03477 ret = mbedtls_ssl_write_certificate( ssl ); 03478 break; 03479 03480 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03481 ret = ssl_write_client_key_exchange( ssl ); 03482 break; 03483 03484 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03485 ret = ssl_write_certificate_verify( ssl ); 03486 break; 03487 03488 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03489 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 03490 break; 03491 03492 case MBEDTLS_SSL_CLIENT_FINISHED: 03493 ret = mbedtls_ssl_write_finished( ssl ); 03494 break; 03495 03496 /* 03497 * <== ( NewSessionTicket ) 03498 * ChangeCipherSpec 03499 * Finished 03500 */ 03501 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03502 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 03503 ret = ssl_parse_new_session_ticket( ssl ); 03504 break; 03505 #endif 03506 03507 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 03508 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 03509 break; 03510 03511 case MBEDTLS_SSL_SERVER_FINISHED: 03512 ret = mbedtls_ssl_parse_finished( ssl ); 03513 break; 03514 03515 case MBEDTLS_SSL_FLUSH_BUFFERS: 03516 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03517 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 03518 break; 03519 03520 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 03521 mbedtls_ssl_handshake_wrapup( ssl ); 03522 break; 03523 03524 default: 03525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03526 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03527 } 03528 03529 return( ret ); 03530 } 03531 #endif /* MBEDTLS_SSL_CLI_C */
Generated on Tue Aug 9 2022 00:37:20 by
1.7.2