Kenji Arai
mbed-os5 only for TYBLE16
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
features/mbedtls/src/ssl_srv.c@1:9db0e321a9f4, 2019-12-31 (annotated)
- Committer:
- kenjiArai
- Date:
- Tue Dec 31 06:02:27 2019 +0000
- Revision:
- 1:9db0e321a9f4
- Parent:
- 0:5b88d5760320
updated based on mbed-os5.15.0
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| kenjiArai | 0:5b88d5760320 | 1 | /* |
| kenjiArai | 0:5b88d5760320 | 2 | * SSLv3/TLSv1 server-side functions |
| kenjiArai | 0:5b88d5760320 | 3 | * |
| kenjiArai | 0:5b88d5760320 | 4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved |
| kenjiArai | 0:5b88d5760320 | 5 | * SPDX-License-Identifier: Apache-2.0 |
| kenjiArai | 0:5b88d5760320 | 6 | * |
| kenjiArai | 0:5b88d5760320 | 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| kenjiArai | 0:5b88d5760320 | 8 | * not use this file except in compliance with the License. |
| kenjiArai | 0:5b88d5760320 | 9 | * You may obtain a copy of the License at |
| kenjiArai | 0:5b88d5760320 | 10 | * |
| kenjiArai | 0:5b88d5760320 | 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| kenjiArai | 0:5b88d5760320 | 12 | * |
| kenjiArai | 0:5b88d5760320 | 13 | * Unless required by applicable law or agreed to in writing, software |
| kenjiArai | 0:5b88d5760320 | 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| kenjiArai | 0:5b88d5760320 | 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| kenjiArai | 0:5b88d5760320 | 16 | * See the License for the specific language governing permissions and |
| kenjiArai | 0:5b88d5760320 | 17 | * limitations under the License. |
| kenjiArai | 0:5b88d5760320 | 18 | * |
| kenjiArai | 0:5b88d5760320 | 19 | * This file is part of mbed TLS (https://tls.mbed.org) |
| kenjiArai | 0:5b88d5760320 | 20 | */ |
| kenjiArai | 0:5b88d5760320 | 21 | |
| kenjiArai | 0:5b88d5760320 | 22 | #if !defined(MBEDTLS_CONFIG_FILE) |
| kenjiArai | 0:5b88d5760320 | 23 | #include "mbedtls/config.h" |
| kenjiArai | 0:5b88d5760320 | 24 | #else |
| kenjiArai | 0:5b88d5760320 | 25 | #include MBEDTLS_CONFIG_FILE |
| kenjiArai | 0:5b88d5760320 | 26 | #endif |
| kenjiArai | 0:5b88d5760320 | 27 | |
| kenjiArai | 0:5b88d5760320 | 28 | #if defined(MBEDTLS_SSL_SRV_C) |
| kenjiArai | 0:5b88d5760320 | 29 | |
| kenjiArai | 0:5b88d5760320 | 30 | #if defined(MBEDTLS_PLATFORM_C) |
| kenjiArai | 0:5b88d5760320 | 31 | #include "mbedtls/platform.h" |
| kenjiArai | 0:5b88d5760320 | 32 | #else |
| kenjiArai | 0:5b88d5760320 | 33 | #include <stdlib.h> |
| kenjiArai | 0:5b88d5760320 | 34 | #define mbedtls_calloc calloc |
| kenjiArai | 0:5b88d5760320 | 35 | #define mbedtls_free free |
| kenjiArai | 0:5b88d5760320 | 36 | #endif |
| kenjiArai | 0:5b88d5760320 | 37 | |
| kenjiArai | 0:5b88d5760320 | 38 | #include "mbedtls/debug.h" |
| kenjiArai | 0:5b88d5760320 | 39 | #include "mbedtls/ssl.h" |
| kenjiArai | 0:5b88d5760320 | 40 | #include "mbedtls/ssl_internal.h" |
| kenjiArai | 0:5b88d5760320 | 41 | #include "mbedtls/platform_util.h" |
| kenjiArai | 0:5b88d5760320 | 42 | |
| kenjiArai | 0:5b88d5760320 | 43 | #include <string.h> |
| kenjiArai | 0:5b88d5760320 | 44 | |
| kenjiArai | 0:5b88d5760320 | 45 | #if defined(MBEDTLS_ECP_C) |
| kenjiArai | 0:5b88d5760320 | 46 | #include "mbedtls/ecp.h" |
| kenjiArai | 0:5b88d5760320 | 47 | #endif |
| kenjiArai | 0:5b88d5760320 | 48 | |
| kenjiArai | 0:5b88d5760320 | 49 | #if defined(MBEDTLS_HAVE_TIME) |
| kenjiArai | 0:5b88d5760320 | 50 | #include "mbedtls/platform_time.h" |
| kenjiArai | 0:5b88d5760320 | 51 | #endif |
| kenjiArai | 0:5b88d5760320 | 52 | |
| kenjiArai | 0:5b88d5760320 | 53 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| kenjiArai | 0:5b88d5760320 | 54 | int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 55 | const unsigned char *info, |
| kenjiArai | 0:5b88d5760320 | 56 | size_t ilen ) |
| kenjiArai | 0:5b88d5760320 | 57 | { |
| kenjiArai | 0:5b88d5760320 | 58 | if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) |
| kenjiArai | 0:5b88d5760320 | 59 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| kenjiArai | 0:5b88d5760320 | 60 | |
| kenjiArai | 0:5b88d5760320 | 61 | mbedtls_free( ssl->cli_id ); |
| kenjiArai | 0:5b88d5760320 | 62 | |
| kenjiArai | 0:5b88d5760320 | 63 | if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL ) |
| kenjiArai | 0:5b88d5760320 | 64 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
| kenjiArai | 0:5b88d5760320 | 65 | |
| kenjiArai | 0:5b88d5760320 | 66 | memcpy( ssl->cli_id, info, ilen ); |
| kenjiArai | 0:5b88d5760320 | 67 | ssl->cli_id_len = ilen; |
| kenjiArai | 0:5b88d5760320 | 68 | |
| kenjiArai | 0:5b88d5760320 | 69 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 70 | } |
| kenjiArai | 0:5b88d5760320 | 71 | |
| kenjiArai | 0:5b88d5760320 | 72 | void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf, |
| kenjiArai | 0:5b88d5760320 | 73 | mbedtls_ssl_cookie_write_t *f_cookie_write, |
| kenjiArai | 0:5b88d5760320 | 74 | mbedtls_ssl_cookie_check_t *f_cookie_check, |
| kenjiArai | 0:5b88d5760320 | 75 | void *p_cookie ) |
| kenjiArai | 0:5b88d5760320 | 76 | { |
| kenjiArai | 0:5b88d5760320 | 77 | conf->f_cookie_write = f_cookie_write; |
| kenjiArai | 0:5b88d5760320 | 78 | conf->f_cookie_check = f_cookie_check; |
| kenjiArai | 0:5b88d5760320 | 79 | conf->p_cookie = p_cookie; |
| kenjiArai | 0:5b88d5760320 | 80 | } |
| kenjiArai | 0:5b88d5760320 | 81 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| kenjiArai | 0:5b88d5760320 | 82 | |
| kenjiArai | 0:5b88d5760320 | 83 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| kenjiArai | 0:5b88d5760320 | 84 | static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 85 | const unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 86 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 87 | { |
| kenjiArai | 0:5b88d5760320 | 88 | int ret; |
| kenjiArai | 0:5b88d5760320 | 89 | size_t servername_list_size, hostname_len; |
| kenjiArai | 0:5b88d5760320 | 90 | const unsigned char *p; |
| kenjiArai | 0:5b88d5760320 | 91 | |
| kenjiArai | 0:5b88d5760320 | 92 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 93 | |
| kenjiArai | 0:5b88d5760320 | 94 | if( len < 2 ) |
| kenjiArai | 0:5b88d5760320 | 95 | { |
| kenjiArai | 0:5b88d5760320 | 96 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 97 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 98 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 99 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 100 | } |
| kenjiArai | 0:5b88d5760320 | 101 | servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
| kenjiArai | 0:5b88d5760320 | 102 | if( servername_list_size + 2 != len ) |
| kenjiArai | 0:5b88d5760320 | 103 | { |
| kenjiArai | 0:5b88d5760320 | 104 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 105 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 106 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 107 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 108 | } |
| kenjiArai | 0:5b88d5760320 | 109 | |
| kenjiArai | 0:5b88d5760320 | 110 | p = buf + 2; |
| kenjiArai | 0:5b88d5760320 | 111 | while( servername_list_size > 2 ) |
| kenjiArai | 0:5b88d5760320 | 112 | { |
| kenjiArai | 0:5b88d5760320 | 113 | hostname_len = ( ( p[1] << 8 ) | p[2] ); |
| kenjiArai | 0:5b88d5760320 | 114 | if( hostname_len + 3 > servername_list_size ) |
| kenjiArai | 0:5b88d5760320 | 115 | { |
| kenjiArai | 0:5b88d5760320 | 116 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 117 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 118 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 119 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 120 | } |
| kenjiArai | 0:5b88d5760320 | 121 | |
| kenjiArai | 0:5b88d5760320 | 122 | if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) |
| kenjiArai | 0:5b88d5760320 | 123 | { |
| kenjiArai | 0:5b88d5760320 | 124 | ret = ssl->conf->f_sni( ssl->conf->p_sni, |
| kenjiArai | 0:5b88d5760320 | 125 | ssl, p + 3, hostname_len ); |
| kenjiArai | 0:5b88d5760320 | 126 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 127 | { |
| kenjiArai | 0:5b88d5760320 | 128 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); |
| kenjiArai | 0:5b88d5760320 | 129 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 130 | MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); |
| kenjiArai | 0:5b88d5760320 | 131 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 132 | } |
| kenjiArai | 0:5b88d5760320 | 133 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 134 | } |
| kenjiArai | 0:5b88d5760320 | 135 | |
| kenjiArai | 0:5b88d5760320 | 136 | servername_list_size -= hostname_len + 3; |
| kenjiArai | 0:5b88d5760320 | 137 | p += hostname_len + 3; |
| kenjiArai | 0:5b88d5760320 | 138 | } |
| kenjiArai | 0:5b88d5760320 | 139 | |
| kenjiArai | 0:5b88d5760320 | 140 | if( servername_list_size != 0 ) |
| kenjiArai | 0:5b88d5760320 | 141 | { |
| kenjiArai | 0:5b88d5760320 | 142 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 143 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 144 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| kenjiArai | 0:5b88d5760320 | 145 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 146 | } |
| kenjiArai | 0:5b88d5760320 | 147 | |
| kenjiArai | 0:5b88d5760320 | 148 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 149 | } |
| kenjiArai | 0:5b88d5760320 | 150 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
| kenjiArai | 0:5b88d5760320 | 151 | |
| kenjiArai | 0:5b88d5760320 | 152 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 153 | static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf ) |
| kenjiArai | 0:5b88d5760320 | 154 | { |
| kenjiArai | 0:5b88d5760320 | 155 | if( conf->f_psk != NULL ) |
| kenjiArai | 0:5b88d5760320 | 156 | return( 1 ); |
| kenjiArai | 0:5b88d5760320 | 157 | |
| kenjiArai | 0:5b88d5760320 | 158 | if( conf->psk_identity_len == 0 || conf->psk_identity == NULL ) |
| kenjiArai | 0:5b88d5760320 | 159 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 160 | |
| kenjiArai | 0:5b88d5760320 | 161 | if( conf->psk != NULL && conf->psk_len != 0 ) |
| kenjiArai | 0:5b88d5760320 | 162 | return( 1 ); |
| kenjiArai | 0:5b88d5760320 | 163 | |
| kenjiArai | 0:5b88d5760320 | 164 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| kenjiArai | 0:5b88d5760320 | 165 | if( conf->psk_opaque != 0 ) |
| kenjiArai | 0:5b88d5760320 | 166 | return( 1 ); |
| kenjiArai | 0:5b88d5760320 | 167 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| kenjiArai | 0:5b88d5760320 | 168 | |
| kenjiArai | 0:5b88d5760320 | 169 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 170 | } |
| kenjiArai | 0:5b88d5760320 | 171 | |
| kenjiArai | 0:5b88d5760320 | 172 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| kenjiArai | 0:5b88d5760320 | 173 | static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl ) |
| kenjiArai | 0:5b88d5760320 | 174 | { |
| kenjiArai | 0:5b88d5760320 | 175 | if( ssl->conf->f_psk != NULL ) |
| kenjiArai | 0:5b88d5760320 | 176 | { |
| kenjiArai | 0:5b88d5760320 | 177 | /* If we've used a callback to select the PSK, |
| kenjiArai | 0:5b88d5760320 | 178 | * the static configuration is irrelevant. */ |
| kenjiArai | 0:5b88d5760320 | 179 | |
| kenjiArai | 0:5b88d5760320 | 180 | if( ssl->handshake->psk_opaque != 0 ) |
| kenjiArai | 0:5b88d5760320 | 181 | return( 1 ); |
| kenjiArai | 0:5b88d5760320 | 182 | |
| kenjiArai | 0:5b88d5760320 | 183 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 184 | } |
| kenjiArai | 0:5b88d5760320 | 185 | |
| kenjiArai | 0:5b88d5760320 | 186 | if( ssl->conf->psk_opaque != 0 ) |
| kenjiArai | 0:5b88d5760320 | 187 | return( 1 ); |
| kenjiArai | 0:5b88d5760320 | 188 | |
| kenjiArai | 0:5b88d5760320 | 189 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 190 | } |
| kenjiArai | 0:5b88d5760320 | 191 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| kenjiArai | 0:5b88d5760320 | 192 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 193 | |
| kenjiArai | 0:5b88d5760320 | 194 | static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 195 | const unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 196 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 197 | { |
| kenjiArai | 0:5b88d5760320 | 198 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 199 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| kenjiArai | 0:5b88d5760320 | 200 | { |
| kenjiArai | 0:5b88d5760320 | 201 | /* Check verify-data in constant-time. The length OTOH is no secret */ |
| kenjiArai | 0:5b88d5760320 | 202 | if( len != 1 + ssl->verify_data_len || |
| kenjiArai | 0:5b88d5760320 | 203 | buf[0] != ssl->verify_data_len || |
| kenjiArai | 0:5b88d5760320 | 204 | mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data, |
| kenjiArai | 0:5b88d5760320 | 205 | ssl->verify_data_len ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 206 | { |
| kenjiArai | 0:5b88d5760320 | 207 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); |
| kenjiArai | 0:5b88d5760320 | 208 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 209 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| kenjiArai | 0:5b88d5760320 | 210 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 211 | } |
| kenjiArai | 0:5b88d5760320 | 212 | } |
| kenjiArai | 0:5b88d5760320 | 213 | else |
| kenjiArai | 0:5b88d5760320 | 214 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| kenjiArai | 0:5b88d5760320 | 215 | { |
| kenjiArai | 0:5b88d5760320 | 216 | if( len != 1 || buf[0] != 0x0 ) |
| kenjiArai | 0:5b88d5760320 | 217 | { |
| kenjiArai | 0:5b88d5760320 | 218 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); |
| kenjiArai | 0:5b88d5760320 | 219 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 220 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| kenjiArai | 0:5b88d5760320 | 221 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 222 | } |
| kenjiArai | 0:5b88d5760320 | 223 | |
| kenjiArai | 0:5b88d5760320 | 224 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| kenjiArai | 0:5b88d5760320 | 225 | } |
| kenjiArai | 0:5b88d5760320 | 226 | |
| kenjiArai | 0:5b88d5760320 | 227 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 228 | } |
| kenjiArai | 0:5b88d5760320 | 229 | |
| kenjiArai | 0:5b88d5760320 | 230 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
| kenjiArai | 0:5b88d5760320 | 231 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 232 | |
| kenjiArai | 0:5b88d5760320 | 233 | /* |
| kenjiArai | 0:5b88d5760320 | 234 | * Status of the implementation of signature-algorithms extension: |
| kenjiArai | 0:5b88d5760320 | 235 | * |
| kenjiArai | 0:5b88d5760320 | 236 | * Currently, we are only considering the signature-algorithm extension |
| kenjiArai | 0:5b88d5760320 | 237 | * to pick a ciphersuite which allows us to send the ServerKeyExchange |
| kenjiArai | 0:5b88d5760320 | 238 | * message with a signature-hash combination that the user allows. |
| kenjiArai | 0:5b88d5760320 | 239 | * |
| kenjiArai | 0:5b88d5760320 | 240 | * We do *not* check whether all certificates in our certificate |
| kenjiArai | 0:5b88d5760320 | 241 | * chain are signed with an allowed signature-hash pair. |
| kenjiArai | 0:5b88d5760320 | 242 | * This needs to be done at a later stage. |
| kenjiArai | 0:5b88d5760320 | 243 | * |
| kenjiArai | 0:5b88d5760320 | 244 | */ |
| kenjiArai | 0:5b88d5760320 | 245 | static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 246 | const unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 247 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 248 | { |
| kenjiArai | 0:5b88d5760320 | 249 | size_t sig_alg_list_size; |
| kenjiArai | 0:5b88d5760320 | 250 | |
| kenjiArai | 0:5b88d5760320 | 251 | const unsigned char *p; |
| kenjiArai | 0:5b88d5760320 | 252 | const unsigned char *end = buf + len; |
| kenjiArai | 0:5b88d5760320 | 253 | |
| kenjiArai | 0:5b88d5760320 | 254 | mbedtls_md_type_t md_cur; |
| kenjiArai | 0:5b88d5760320 | 255 | mbedtls_pk_type_t sig_cur; |
| kenjiArai | 0:5b88d5760320 | 256 | |
| kenjiArai | 0:5b88d5760320 | 257 | if ( len < 2 ) { |
| kenjiArai | 0:5b88d5760320 | 258 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 259 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 260 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 261 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 262 | } |
| kenjiArai | 0:5b88d5760320 | 263 | sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
| kenjiArai | 0:5b88d5760320 | 264 | if( sig_alg_list_size + 2 != len || |
| kenjiArai | 0:5b88d5760320 | 265 | sig_alg_list_size % 2 != 0 ) |
| kenjiArai | 0:5b88d5760320 | 266 | { |
| kenjiArai | 0:5b88d5760320 | 267 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 268 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 269 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 270 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 271 | } |
| kenjiArai | 0:5b88d5760320 | 272 | |
| kenjiArai | 0:5b88d5760320 | 273 | /* Currently we only guarantee signing the ServerKeyExchange message according |
| kenjiArai | 0:5b88d5760320 | 274 | * to the constraints specified in this extension (see above), so it suffices |
| kenjiArai | 0:5b88d5760320 | 275 | * to remember only one suitable hash for each possible signature algorithm. |
| kenjiArai | 0:5b88d5760320 | 276 | * |
| kenjiArai | 0:5b88d5760320 | 277 | * This will change when we also consider certificate signatures, |
| kenjiArai | 0:5b88d5760320 | 278 | * in which case we will need to remember the whole signature-hash |
| kenjiArai | 0:5b88d5760320 | 279 | * pair list from the extension. |
| kenjiArai | 0:5b88d5760320 | 280 | */ |
| kenjiArai | 0:5b88d5760320 | 281 | |
| kenjiArai | 0:5b88d5760320 | 282 | for( p = buf + 2; p < end; p += 2 ) |
| kenjiArai | 0:5b88d5760320 | 283 | { |
| kenjiArai | 0:5b88d5760320 | 284 | /* Silently ignore unknown signature or hash algorithms. */ |
| kenjiArai | 0:5b88d5760320 | 285 | |
| kenjiArai | 0:5b88d5760320 | 286 | if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE ) |
| kenjiArai | 0:5b88d5760320 | 287 | { |
| kenjiArai | 0:5b88d5760320 | 288 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext" |
| kenjiArai | 0:5b88d5760320 | 289 | " unknown sig alg encoding %d", p[1] ) ); |
| kenjiArai | 0:5b88d5760320 | 290 | continue; |
| kenjiArai | 0:5b88d5760320 | 291 | } |
| kenjiArai | 0:5b88d5760320 | 292 | |
| kenjiArai | 0:5b88d5760320 | 293 | /* Check if we support the hash the user proposes */ |
| kenjiArai | 0:5b88d5760320 | 294 | md_cur = mbedtls_ssl_md_alg_from_hash( p[0] ); |
| kenjiArai | 0:5b88d5760320 | 295 | if( md_cur == MBEDTLS_MD_NONE ) |
| kenjiArai | 0:5b88d5760320 | 296 | { |
| kenjiArai | 0:5b88d5760320 | 297 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" |
| kenjiArai | 0:5b88d5760320 | 298 | " unknown hash alg encoding %d", p[0] ) ); |
| kenjiArai | 0:5b88d5760320 | 299 | continue; |
| kenjiArai | 0:5b88d5760320 | 300 | } |
| kenjiArai | 0:5b88d5760320 | 301 | |
| kenjiArai | 0:5b88d5760320 | 302 | if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 ) |
| kenjiArai | 0:5b88d5760320 | 303 | { |
| kenjiArai | 0:5b88d5760320 | 304 | mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur ); |
| kenjiArai | 0:5b88d5760320 | 305 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" |
| kenjiArai | 0:5b88d5760320 | 306 | " match sig %d and hash %d", |
| kenjiArai | 0:5b88d5760320 | 307 | sig_cur, md_cur ) ); |
| kenjiArai | 0:5b88d5760320 | 308 | } |
| kenjiArai | 0:5b88d5760320 | 309 | else |
| kenjiArai | 0:5b88d5760320 | 310 | { |
| kenjiArai | 0:5b88d5760320 | 311 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: " |
| kenjiArai | 0:5b88d5760320 | 312 | "hash alg %d not supported", md_cur ) ); |
| kenjiArai | 0:5b88d5760320 | 313 | } |
| kenjiArai | 0:5b88d5760320 | 314 | } |
| kenjiArai | 0:5b88d5760320 | 315 | |
| kenjiArai | 0:5b88d5760320 | 316 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 317 | } |
| kenjiArai | 0:5b88d5760320 | 318 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && |
| kenjiArai | 0:5b88d5760320 | 319 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 320 | |
| kenjiArai | 0:5b88d5760320 | 321 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| kenjiArai | 0:5b88d5760320 | 322 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 323 | static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 324 | const unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 325 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 326 | { |
| kenjiArai | 0:5b88d5760320 | 327 | size_t list_size, our_size; |
| kenjiArai | 0:5b88d5760320 | 328 | const unsigned char *p; |
| kenjiArai | 0:5b88d5760320 | 329 | const mbedtls_ecp_curve_info *curve_info, **curves; |
| kenjiArai | 0:5b88d5760320 | 330 | |
| kenjiArai | 0:5b88d5760320 | 331 | if ( len < 2 ) { |
| kenjiArai | 0:5b88d5760320 | 332 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 333 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 334 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 335 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 336 | } |
| kenjiArai | 0:5b88d5760320 | 337 | list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
| kenjiArai | 0:5b88d5760320 | 338 | if( list_size + 2 != len || |
| kenjiArai | 0:5b88d5760320 | 339 | list_size % 2 != 0 ) |
| kenjiArai | 0:5b88d5760320 | 340 | { |
| kenjiArai | 0:5b88d5760320 | 341 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 342 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 343 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 344 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 345 | } |
| kenjiArai | 0:5b88d5760320 | 346 | |
| kenjiArai | 0:5b88d5760320 | 347 | /* Should never happen unless client duplicates the extension */ |
| kenjiArai | 0:5b88d5760320 | 348 | if( ssl->handshake->curves != NULL ) |
| kenjiArai | 0:5b88d5760320 | 349 | { |
| kenjiArai | 0:5b88d5760320 | 350 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 351 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 352 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 353 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 354 | } |
| kenjiArai | 0:5b88d5760320 | 355 | |
| kenjiArai | 0:5b88d5760320 | 356 | /* Don't allow our peer to make us allocate too much memory, |
| kenjiArai | 0:5b88d5760320 | 357 | * and leave room for a final 0 */ |
| kenjiArai | 0:5b88d5760320 | 358 | our_size = list_size / 2 + 1; |
| kenjiArai | 0:5b88d5760320 | 359 | if( our_size > MBEDTLS_ECP_DP_MAX ) |
| kenjiArai | 0:5b88d5760320 | 360 | our_size = MBEDTLS_ECP_DP_MAX; |
| kenjiArai | 0:5b88d5760320 | 361 | |
| kenjiArai | 0:5b88d5760320 | 362 | if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL ) |
| kenjiArai | 0:5b88d5760320 | 363 | { |
| kenjiArai | 0:5b88d5760320 | 364 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 365 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 366 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
| kenjiArai | 0:5b88d5760320 | 367 | } |
| kenjiArai | 0:5b88d5760320 | 368 | |
| kenjiArai | 0:5b88d5760320 | 369 | ssl->handshake->curves = curves; |
| kenjiArai | 0:5b88d5760320 | 370 | |
| kenjiArai | 0:5b88d5760320 | 371 | p = buf + 2; |
| kenjiArai | 0:5b88d5760320 | 372 | while( list_size > 0 && our_size > 1 ) |
| kenjiArai | 0:5b88d5760320 | 373 | { |
| kenjiArai | 0:5b88d5760320 | 374 | curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); |
| kenjiArai | 0:5b88d5760320 | 375 | |
| kenjiArai | 0:5b88d5760320 | 376 | if( curve_info != NULL ) |
| kenjiArai | 0:5b88d5760320 | 377 | { |
| kenjiArai | 0:5b88d5760320 | 378 | *curves++ = curve_info; |
| kenjiArai | 0:5b88d5760320 | 379 | our_size--; |
| kenjiArai | 0:5b88d5760320 | 380 | } |
| kenjiArai | 0:5b88d5760320 | 381 | |
| kenjiArai | 0:5b88d5760320 | 382 | list_size -= 2; |
| kenjiArai | 0:5b88d5760320 | 383 | p += 2; |
| kenjiArai | 0:5b88d5760320 | 384 | } |
| kenjiArai | 0:5b88d5760320 | 385 | |
| kenjiArai | 0:5b88d5760320 | 386 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 387 | } |
| kenjiArai | 0:5b88d5760320 | 388 | |
| kenjiArai | 0:5b88d5760320 | 389 | static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 390 | const unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 391 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 392 | { |
| kenjiArai | 0:5b88d5760320 | 393 | size_t list_size; |
| kenjiArai | 0:5b88d5760320 | 394 | const unsigned char *p; |
| kenjiArai | 0:5b88d5760320 | 395 | |
| kenjiArai | 0:5b88d5760320 | 396 | if( len == 0 || (size_t)( buf[0] + 1 ) != len ) |
| kenjiArai | 0:5b88d5760320 | 397 | { |
| kenjiArai | 0:5b88d5760320 | 398 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 399 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 400 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 401 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 402 | } |
| kenjiArai | 0:5b88d5760320 | 403 | list_size = buf[0]; |
| kenjiArai | 0:5b88d5760320 | 404 | |
| kenjiArai | 0:5b88d5760320 | 405 | p = buf + 1; |
| kenjiArai | 0:5b88d5760320 | 406 | while( list_size > 0 ) |
| kenjiArai | 0:5b88d5760320 | 407 | { |
| kenjiArai | 0:5b88d5760320 | 408 | if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || |
| kenjiArai | 0:5b88d5760320 | 409 | p[0] == MBEDTLS_ECP_PF_COMPRESSED ) |
| kenjiArai | 0:5b88d5760320 | 410 | { |
| kenjiArai | 0:5b88d5760320 | 411 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) |
| kenjiArai | 0:5b88d5760320 | 412 | ssl->handshake->ecdh_ctx.point_format = p[0]; |
| kenjiArai | 0:5b88d5760320 | 413 | #endif |
| kenjiArai | 0:5b88d5760320 | 414 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 415 | ssl->handshake->ecjpake_ctx.point_format = p[0]; |
| kenjiArai | 0:5b88d5760320 | 416 | #endif |
| kenjiArai | 0:5b88d5760320 | 417 | MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); |
| kenjiArai | 0:5b88d5760320 | 418 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 419 | } |
| kenjiArai | 0:5b88d5760320 | 420 | |
| kenjiArai | 0:5b88d5760320 | 421 | list_size--; |
| kenjiArai | 0:5b88d5760320 | 422 | p++; |
| kenjiArai | 0:5b88d5760320 | 423 | } |
| kenjiArai | 0:5b88d5760320 | 424 | |
| kenjiArai | 0:5b88d5760320 | 425 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 426 | } |
| kenjiArai | 0:5b88d5760320 | 427 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| kenjiArai | 0:5b88d5760320 | 428 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 429 | |
| kenjiArai | 0:5b88d5760320 | 430 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 431 | static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 432 | const unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 433 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 434 | { |
| kenjiArai | 0:5b88d5760320 | 435 | int ret; |
| kenjiArai | 0:5b88d5760320 | 436 | |
| kenjiArai | 0:5b88d5760320 | 437 | if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 438 | { |
| kenjiArai | 0:5b88d5760320 | 439 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 440 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 441 | } |
| kenjiArai | 0:5b88d5760320 | 442 | |
| kenjiArai | 0:5b88d5760320 | 443 | if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, |
| kenjiArai | 0:5b88d5760320 | 444 | buf, len ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 445 | { |
| kenjiArai | 0:5b88d5760320 | 446 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); |
| kenjiArai | 0:5b88d5760320 | 447 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 448 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| kenjiArai | 0:5b88d5760320 | 449 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 450 | } |
| kenjiArai | 0:5b88d5760320 | 451 | |
| kenjiArai | 0:5b88d5760320 | 452 | /* Only mark the extension as OK when we're sure it is */ |
| kenjiArai | 0:5b88d5760320 | 453 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; |
| kenjiArai | 0:5b88d5760320 | 454 | |
| kenjiArai | 0:5b88d5760320 | 455 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 456 | } |
| kenjiArai | 0:5b88d5760320 | 457 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 458 | |
| kenjiArai | 0:5b88d5760320 | 459 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| kenjiArai | 0:5b88d5760320 | 460 | static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 461 | const unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 462 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 463 | { |
| kenjiArai | 0:5b88d5760320 | 464 | if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ) |
| kenjiArai | 0:5b88d5760320 | 465 | { |
| kenjiArai | 0:5b88d5760320 | 466 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 467 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 468 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| kenjiArai | 0:5b88d5760320 | 469 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 470 | } |
| kenjiArai | 0:5b88d5760320 | 471 | |
| kenjiArai | 0:5b88d5760320 | 472 | ssl->session_negotiate->mfl_code = buf[0]; |
| kenjiArai | 0:5b88d5760320 | 473 | |
| kenjiArai | 0:5b88d5760320 | 474 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 475 | } |
| kenjiArai | 0:5b88d5760320 | 476 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| kenjiArai | 0:5b88d5760320 | 477 | |
| kenjiArai | 0:5b88d5760320 | 478 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| kenjiArai | 0:5b88d5760320 | 479 | static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 480 | const unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 481 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 482 | { |
| kenjiArai | 0:5b88d5760320 | 483 | size_t peer_cid_len; |
| kenjiArai | 0:5b88d5760320 | 484 | |
| kenjiArai | 0:5b88d5760320 | 485 | /* CID extension only makes sense in DTLS */ |
| kenjiArai | 0:5b88d5760320 | 486 | if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| kenjiArai | 0:5b88d5760320 | 487 | { |
| kenjiArai | 0:5b88d5760320 | 488 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 489 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 490 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| kenjiArai | 0:5b88d5760320 | 491 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 492 | } |
| kenjiArai | 0:5b88d5760320 | 493 | |
| kenjiArai | 0:5b88d5760320 | 494 | /* |
| kenjiArai | 0:5b88d5760320 | 495 | * Quoting draft-ietf-tls-dtls-connection-id-05 |
| kenjiArai | 0:5b88d5760320 | 496 | * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 |
| kenjiArai | 0:5b88d5760320 | 497 | * |
| kenjiArai | 0:5b88d5760320 | 498 | * struct { |
| kenjiArai | 0:5b88d5760320 | 499 | * opaque cid<0..2^8-1>; |
| kenjiArai | 0:5b88d5760320 | 500 | * } ConnectionId; |
| kenjiArai | 0:5b88d5760320 | 501 | */ |
| kenjiArai | 0:5b88d5760320 | 502 | |
| kenjiArai | 0:5b88d5760320 | 503 | if( len < 1 ) |
| kenjiArai | 0:5b88d5760320 | 504 | { |
| kenjiArai | 0:5b88d5760320 | 505 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 506 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 507 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| kenjiArai | 0:5b88d5760320 | 508 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 509 | } |
| kenjiArai | 0:5b88d5760320 | 510 | |
| kenjiArai | 0:5b88d5760320 | 511 | peer_cid_len = *buf++; |
| kenjiArai | 0:5b88d5760320 | 512 | len--; |
| kenjiArai | 0:5b88d5760320 | 513 | |
| kenjiArai | 0:5b88d5760320 | 514 | if( len != peer_cid_len ) |
| kenjiArai | 0:5b88d5760320 | 515 | { |
| kenjiArai | 0:5b88d5760320 | 516 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 517 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 518 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| kenjiArai | 0:5b88d5760320 | 519 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 520 | } |
| kenjiArai | 0:5b88d5760320 | 521 | |
| kenjiArai | 0:5b88d5760320 | 522 | /* Ignore CID if the user has disabled its use. */ |
| kenjiArai | 0:5b88d5760320 | 523 | if( ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED ) |
| kenjiArai | 0:5b88d5760320 | 524 | { |
| kenjiArai | 0:5b88d5760320 | 525 | /* Leave ssl->handshake->cid_in_use in its default |
| kenjiArai | 0:5b88d5760320 | 526 | * value of MBEDTLS_SSL_CID_DISABLED. */ |
| kenjiArai | 0:5b88d5760320 | 527 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "Client sent CID extension, but CID disabled" ) ); |
| kenjiArai | 0:5b88d5760320 | 528 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 529 | } |
| kenjiArai | 0:5b88d5760320 | 530 | |
| kenjiArai | 0:5b88d5760320 | 531 | if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX ) |
| kenjiArai | 0:5b88d5760320 | 532 | { |
| kenjiArai | 0:5b88d5760320 | 533 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 534 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 535 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| kenjiArai | 0:5b88d5760320 | 536 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 537 | } |
| kenjiArai | 0:5b88d5760320 | 538 | |
| kenjiArai | 0:5b88d5760320 | 539 | ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; |
| kenjiArai | 0:5b88d5760320 | 540 | ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; |
| kenjiArai | 0:5b88d5760320 | 541 | memcpy( ssl->handshake->peer_cid, buf, peer_cid_len ); |
| kenjiArai | 0:5b88d5760320 | 542 | |
| kenjiArai | 0:5b88d5760320 | 543 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) ); |
| kenjiArai | 0:5b88d5760320 | 544 | MBEDTLS_SSL_DEBUG_BUF( 3, "Client CID", buf, peer_cid_len ); |
| kenjiArai | 0:5b88d5760320 | 545 | |
| kenjiArai | 0:5b88d5760320 | 546 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 547 | } |
| kenjiArai | 0:5b88d5760320 | 548 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| kenjiArai | 0:5b88d5760320 | 549 | |
| kenjiArai | 0:5b88d5760320 | 550 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
| kenjiArai | 0:5b88d5760320 | 551 | static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 552 | const unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 553 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 554 | { |
| kenjiArai | 0:5b88d5760320 | 555 | if( len != 0 ) |
| kenjiArai | 0:5b88d5760320 | 556 | { |
| kenjiArai | 0:5b88d5760320 | 557 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 558 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 559 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 560 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 561 | } |
| kenjiArai | 0:5b88d5760320 | 562 | |
| kenjiArai | 0:5b88d5760320 | 563 | ((void) buf); |
| kenjiArai | 0:5b88d5760320 | 564 | |
| kenjiArai | 0:5b88d5760320 | 565 | if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) |
| kenjiArai | 0:5b88d5760320 | 566 | ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; |
| kenjiArai | 0:5b88d5760320 | 567 | |
| kenjiArai | 0:5b88d5760320 | 568 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 569 | } |
| kenjiArai | 0:5b88d5760320 | 570 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
| kenjiArai | 0:5b88d5760320 | 571 | |
| kenjiArai | 0:5b88d5760320 | 572 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| kenjiArai | 0:5b88d5760320 | 573 | static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 574 | const unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 575 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 576 | { |
| kenjiArai | 0:5b88d5760320 | 577 | if( len != 0 ) |
| kenjiArai | 0:5b88d5760320 | 578 | { |
| kenjiArai | 0:5b88d5760320 | 579 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 580 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 581 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 582 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 583 | } |
| kenjiArai | 0:5b88d5760320 | 584 | |
| kenjiArai | 0:5b88d5760320 | 585 | ((void) buf); |
| kenjiArai | 0:5b88d5760320 | 586 | |
| kenjiArai | 0:5b88d5760320 | 587 | if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && |
| kenjiArai | 0:5b88d5760320 | 588 | ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) |
| kenjiArai | 0:5b88d5760320 | 589 | { |
| kenjiArai | 0:5b88d5760320 | 590 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; |
| kenjiArai | 0:5b88d5760320 | 591 | } |
| kenjiArai | 0:5b88d5760320 | 592 | |
| kenjiArai | 0:5b88d5760320 | 593 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 594 | } |
| kenjiArai | 0:5b88d5760320 | 595 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| kenjiArai | 0:5b88d5760320 | 596 | |
| kenjiArai | 0:5b88d5760320 | 597 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| kenjiArai | 0:5b88d5760320 | 598 | static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 599 | const unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 600 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 601 | { |
| kenjiArai | 0:5b88d5760320 | 602 | if( len != 0 ) |
| kenjiArai | 0:5b88d5760320 | 603 | { |
| kenjiArai | 0:5b88d5760320 | 604 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 605 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 606 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 607 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 608 | } |
| kenjiArai | 0:5b88d5760320 | 609 | |
| kenjiArai | 0:5b88d5760320 | 610 | ((void) buf); |
| kenjiArai | 0:5b88d5760320 | 611 | |
| kenjiArai | 0:5b88d5760320 | 612 | if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && |
| kenjiArai | 0:5b88d5760320 | 613 | ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) |
| kenjiArai | 0:5b88d5760320 | 614 | { |
| kenjiArai | 0:5b88d5760320 | 615 | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; |
| kenjiArai | 0:5b88d5760320 | 616 | } |
| kenjiArai | 0:5b88d5760320 | 617 | |
| kenjiArai | 0:5b88d5760320 | 618 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 619 | } |
| kenjiArai | 0:5b88d5760320 | 620 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| kenjiArai | 0:5b88d5760320 | 621 | |
| kenjiArai | 0:5b88d5760320 | 622 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| kenjiArai | 0:5b88d5760320 | 623 | static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 624 | unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 625 | size_t len ) |
| kenjiArai | 0:5b88d5760320 | 626 | { |
| kenjiArai | 0:5b88d5760320 | 627 | int ret; |
| kenjiArai | 0:5b88d5760320 | 628 | mbedtls_ssl_session session; |
| kenjiArai | 0:5b88d5760320 | 629 | |
| kenjiArai | 0:5b88d5760320 | 630 | mbedtls_ssl_session_init( &session ); |
| kenjiArai | 0:5b88d5760320 | 631 | |
| kenjiArai | 0:5b88d5760320 | 632 | if( ssl->conf->f_ticket_parse == NULL || |
| kenjiArai | 0:5b88d5760320 | 633 | ssl->conf->f_ticket_write == NULL ) |
| kenjiArai | 0:5b88d5760320 | 634 | { |
| kenjiArai | 0:5b88d5760320 | 635 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 636 | } |
| kenjiArai | 0:5b88d5760320 | 637 | |
| kenjiArai | 0:5b88d5760320 | 638 | /* Remember the client asked us to send a new ticket */ |
| kenjiArai | 0:5b88d5760320 | 639 | ssl->handshake->new_session_ticket = 1; |
| kenjiArai | 0:5b88d5760320 | 640 | |
| kenjiArai | 0:5b88d5760320 | 641 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); |
| kenjiArai | 0:5b88d5760320 | 642 | |
| kenjiArai | 0:5b88d5760320 | 643 | if( len == 0 ) |
| kenjiArai | 0:5b88d5760320 | 644 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 645 | |
| kenjiArai | 0:5b88d5760320 | 646 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 647 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| kenjiArai | 0:5b88d5760320 | 648 | { |
| kenjiArai | 0:5b88d5760320 | 649 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); |
| kenjiArai | 0:5b88d5760320 | 650 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 651 | } |
| kenjiArai | 0:5b88d5760320 | 652 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| kenjiArai | 0:5b88d5760320 | 653 | |
| kenjiArai | 0:5b88d5760320 | 654 | /* |
| kenjiArai | 0:5b88d5760320 | 655 | * Failures are ok: just ignore the ticket and proceed. |
| kenjiArai | 0:5b88d5760320 | 656 | */ |
| kenjiArai | 0:5b88d5760320 | 657 | if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session, |
| kenjiArai | 0:5b88d5760320 | 658 | buf, len ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 659 | { |
| kenjiArai | 0:5b88d5760320 | 660 | mbedtls_ssl_session_free( &session ); |
| kenjiArai | 0:5b88d5760320 | 661 | |
| kenjiArai | 0:5b88d5760320 | 662 | if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) |
| kenjiArai | 0:5b88d5760320 | 663 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); |
| kenjiArai | 0:5b88d5760320 | 664 | else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) |
| kenjiArai | 0:5b88d5760320 | 665 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); |
| kenjiArai | 0:5b88d5760320 | 666 | else |
| kenjiArai | 0:5b88d5760320 | 667 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); |
| kenjiArai | 0:5b88d5760320 | 668 | |
| kenjiArai | 0:5b88d5760320 | 669 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 670 | } |
| kenjiArai | 0:5b88d5760320 | 671 | |
| kenjiArai | 0:5b88d5760320 | 672 | /* |
| kenjiArai | 0:5b88d5760320 | 673 | * Keep the session ID sent by the client, since we MUST send it back to |
| kenjiArai | 0:5b88d5760320 | 674 | * inform them we're accepting the ticket (RFC 5077 section 3.4) |
| kenjiArai | 0:5b88d5760320 | 675 | */ |
| kenjiArai | 0:5b88d5760320 | 676 | session.id_len = ssl->session_negotiate->id_len; |
| kenjiArai | 0:5b88d5760320 | 677 | memcpy( &session.id, ssl->session_negotiate->id, session.id_len ); |
| kenjiArai | 0:5b88d5760320 | 678 | |
| kenjiArai | 0:5b88d5760320 | 679 | mbedtls_ssl_session_free( ssl->session_negotiate ); |
| kenjiArai | 0:5b88d5760320 | 680 | memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) ); |
| kenjiArai | 0:5b88d5760320 | 681 | |
| kenjiArai | 0:5b88d5760320 | 682 | /* Zeroize instead of free as we copied the content */ |
| kenjiArai | 0:5b88d5760320 | 683 | mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) ); |
| kenjiArai | 0:5b88d5760320 | 684 | |
| kenjiArai | 0:5b88d5760320 | 685 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); |
| kenjiArai | 0:5b88d5760320 | 686 | |
| kenjiArai | 0:5b88d5760320 | 687 | ssl->handshake->resume = 1; |
| kenjiArai | 0:5b88d5760320 | 688 | |
| kenjiArai | 0:5b88d5760320 | 689 | /* Don't send a new ticket after all, this one is OK */ |
| kenjiArai | 0:5b88d5760320 | 690 | ssl->handshake->new_session_ticket = 0; |
| kenjiArai | 0:5b88d5760320 | 691 | |
| kenjiArai | 0:5b88d5760320 | 692 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 693 | } |
| kenjiArai | 0:5b88d5760320 | 694 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| kenjiArai | 0:5b88d5760320 | 695 | |
| kenjiArai | 0:5b88d5760320 | 696 | #if defined(MBEDTLS_SSL_ALPN) |
| kenjiArai | 0:5b88d5760320 | 697 | static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 698 | const unsigned char *buf, size_t len ) |
| kenjiArai | 0:5b88d5760320 | 699 | { |
| kenjiArai | 0:5b88d5760320 | 700 | size_t list_len, cur_len, ours_len; |
| kenjiArai | 0:5b88d5760320 | 701 | const unsigned char *theirs, *start, *end; |
| kenjiArai | 0:5b88d5760320 | 702 | const char **ours; |
| kenjiArai | 0:5b88d5760320 | 703 | |
| kenjiArai | 0:5b88d5760320 | 704 | /* If ALPN not configured, just ignore the extension */ |
| kenjiArai | 0:5b88d5760320 | 705 | if( ssl->conf->alpn_list == NULL ) |
| kenjiArai | 0:5b88d5760320 | 706 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 707 | |
| kenjiArai | 0:5b88d5760320 | 708 | /* |
| kenjiArai | 0:5b88d5760320 | 709 | * opaque ProtocolName<1..2^8-1>; |
| kenjiArai | 0:5b88d5760320 | 710 | * |
| kenjiArai | 0:5b88d5760320 | 711 | * struct { |
| kenjiArai | 0:5b88d5760320 | 712 | * ProtocolName protocol_name_list<2..2^16-1> |
| kenjiArai | 0:5b88d5760320 | 713 | * } ProtocolNameList; |
| kenjiArai | 0:5b88d5760320 | 714 | */ |
| kenjiArai | 0:5b88d5760320 | 715 | |
| kenjiArai | 0:5b88d5760320 | 716 | /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ |
| kenjiArai | 0:5b88d5760320 | 717 | if( len < 4 ) |
| kenjiArai | 0:5b88d5760320 | 718 | { |
| kenjiArai | 0:5b88d5760320 | 719 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 720 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 721 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 722 | } |
| kenjiArai | 0:5b88d5760320 | 723 | |
| kenjiArai | 0:5b88d5760320 | 724 | list_len = ( buf[0] << 8 ) | buf[1]; |
| kenjiArai | 0:5b88d5760320 | 725 | if( list_len != len - 2 ) |
| kenjiArai | 0:5b88d5760320 | 726 | { |
| kenjiArai | 0:5b88d5760320 | 727 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 728 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 729 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 730 | } |
| kenjiArai | 0:5b88d5760320 | 731 | |
| kenjiArai | 0:5b88d5760320 | 732 | /* |
| kenjiArai | 0:5b88d5760320 | 733 | * Validate peer's list (lengths) |
| kenjiArai | 0:5b88d5760320 | 734 | */ |
| kenjiArai | 0:5b88d5760320 | 735 | start = buf + 2; |
| kenjiArai | 0:5b88d5760320 | 736 | end = buf + len; |
| kenjiArai | 0:5b88d5760320 | 737 | for( theirs = start; theirs != end; theirs += cur_len ) |
| kenjiArai | 0:5b88d5760320 | 738 | { |
| kenjiArai | 0:5b88d5760320 | 739 | cur_len = *theirs++; |
| kenjiArai | 0:5b88d5760320 | 740 | |
| kenjiArai | 0:5b88d5760320 | 741 | /* Current identifier must fit in list */ |
| kenjiArai | 0:5b88d5760320 | 742 | if( cur_len > (size_t)( end - theirs ) ) |
| kenjiArai | 0:5b88d5760320 | 743 | { |
| kenjiArai | 0:5b88d5760320 | 744 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 745 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 746 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 747 | } |
| kenjiArai | 0:5b88d5760320 | 748 | |
| kenjiArai | 0:5b88d5760320 | 749 | /* Empty strings MUST NOT be included */ |
| kenjiArai | 0:5b88d5760320 | 750 | if( cur_len == 0 ) |
| kenjiArai | 0:5b88d5760320 | 751 | { |
| kenjiArai | 0:5b88d5760320 | 752 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 753 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| kenjiArai | 0:5b88d5760320 | 754 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 755 | } |
| kenjiArai | 0:5b88d5760320 | 756 | } |
| kenjiArai | 0:5b88d5760320 | 757 | |
| kenjiArai | 0:5b88d5760320 | 758 | /* |
| kenjiArai | 0:5b88d5760320 | 759 | * Use our order of preference |
| kenjiArai | 0:5b88d5760320 | 760 | */ |
| kenjiArai | 0:5b88d5760320 | 761 | for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) |
| kenjiArai | 0:5b88d5760320 | 762 | { |
| kenjiArai | 0:5b88d5760320 | 763 | ours_len = strlen( *ours ); |
| kenjiArai | 0:5b88d5760320 | 764 | for( theirs = start; theirs != end; theirs += cur_len ) |
| kenjiArai | 0:5b88d5760320 | 765 | { |
| kenjiArai | 0:5b88d5760320 | 766 | cur_len = *theirs++; |
| kenjiArai | 0:5b88d5760320 | 767 | |
| kenjiArai | 0:5b88d5760320 | 768 | if( cur_len == ours_len && |
| kenjiArai | 0:5b88d5760320 | 769 | memcmp( theirs, *ours, cur_len ) == 0 ) |
| kenjiArai | 0:5b88d5760320 | 770 | { |
| kenjiArai | 0:5b88d5760320 | 771 | ssl->alpn_chosen = *ours; |
| kenjiArai | 0:5b88d5760320 | 772 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 773 | } |
| kenjiArai | 0:5b88d5760320 | 774 | } |
| kenjiArai | 0:5b88d5760320 | 775 | } |
| kenjiArai | 0:5b88d5760320 | 776 | |
| kenjiArai | 0:5b88d5760320 | 777 | /* If we get there, no match was found */ |
| kenjiArai | 0:5b88d5760320 | 778 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 779 | MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); |
| kenjiArai | 0:5b88d5760320 | 780 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 781 | } |
| kenjiArai | 0:5b88d5760320 | 782 | #endif /* MBEDTLS_SSL_ALPN */ |
| kenjiArai | 0:5b88d5760320 | 783 | |
| kenjiArai | 0:5b88d5760320 | 784 | /* |
| kenjiArai | 0:5b88d5760320 | 785 | * Auxiliary functions for ServerHello parsing and related actions |
| kenjiArai | 0:5b88d5760320 | 786 | */ |
| kenjiArai | 0:5b88d5760320 | 787 | |
| kenjiArai | 0:5b88d5760320 | 788 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| kenjiArai | 0:5b88d5760320 | 789 | /* |
| kenjiArai | 0:5b88d5760320 | 790 | * Return 0 if the given key uses one of the acceptable curves, -1 otherwise |
| kenjiArai | 0:5b88d5760320 | 791 | */ |
| kenjiArai | 0:5b88d5760320 | 792 | #if defined(MBEDTLS_ECDSA_C) |
| kenjiArai | 0:5b88d5760320 | 793 | static int ssl_check_key_curve( mbedtls_pk_context *pk, |
| kenjiArai | 0:5b88d5760320 | 794 | const mbedtls_ecp_curve_info **curves ) |
| kenjiArai | 0:5b88d5760320 | 795 | { |
| kenjiArai | 0:5b88d5760320 | 796 | const mbedtls_ecp_curve_info **crv = curves; |
| kenjiArai | 0:5b88d5760320 | 797 | mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id; |
| kenjiArai | 0:5b88d5760320 | 798 | |
| kenjiArai | 0:5b88d5760320 | 799 | while( *crv != NULL ) |
| kenjiArai | 0:5b88d5760320 | 800 | { |
| kenjiArai | 0:5b88d5760320 | 801 | if( (*crv)->grp_id == grp_id ) |
| kenjiArai | 0:5b88d5760320 | 802 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 803 | crv++; |
| kenjiArai | 0:5b88d5760320 | 804 | } |
| kenjiArai | 0:5b88d5760320 | 805 | |
| kenjiArai | 0:5b88d5760320 | 806 | return( -1 ); |
| kenjiArai | 0:5b88d5760320 | 807 | } |
| kenjiArai | 0:5b88d5760320 | 808 | #endif /* MBEDTLS_ECDSA_C */ |
| kenjiArai | 0:5b88d5760320 | 809 | |
| kenjiArai | 0:5b88d5760320 | 810 | /* |
| kenjiArai | 0:5b88d5760320 | 811 | * Try picking a certificate for this ciphersuite, |
| kenjiArai | 0:5b88d5760320 | 812 | * return 0 on success and -1 on failure. |
| kenjiArai | 0:5b88d5760320 | 813 | */ |
| kenjiArai | 0:5b88d5760320 | 814 | static int ssl_pick_cert( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 815 | const mbedtls_ssl_ciphersuite_t * ciphersuite_info ) |
| kenjiArai | 0:5b88d5760320 | 816 | { |
| kenjiArai | 0:5b88d5760320 | 817 | mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; |
| kenjiArai | 0:5b88d5760320 | 818 | mbedtls_pk_type_t pk_alg = |
| kenjiArai | 0:5b88d5760320 | 819 | mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); |
| kenjiArai | 0:5b88d5760320 | 820 | uint32_t flags; |
| kenjiArai | 0:5b88d5760320 | 821 | |
| kenjiArai | 0:5b88d5760320 | 822 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| kenjiArai | 0:5b88d5760320 | 823 | if( ssl->handshake->sni_key_cert != NULL ) |
| kenjiArai | 0:5b88d5760320 | 824 | list = ssl->handshake->sni_key_cert; |
| kenjiArai | 0:5b88d5760320 | 825 | else |
| kenjiArai | 0:5b88d5760320 | 826 | #endif |
| kenjiArai | 0:5b88d5760320 | 827 | list = ssl->conf->key_cert; |
| kenjiArai | 0:5b88d5760320 | 828 | |
| kenjiArai | 0:5b88d5760320 | 829 | if( pk_alg == MBEDTLS_PK_NONE ) |
| kenjiArai | 0:5b88d5760320 | 830 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 831 | |
| kenjiArai | 0:5b88d5760320 | 832 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); |
| kenjiArai | 0:5b88d5760320 | 833 | |
| kenjiArai | 0:5b88d5760320 | 834 | if( list == NULL ) |
| kenjiArai | 0:5b88d5760320 | 835 | { |
| kenjiArai | 0:5b88d5760320 | 836 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) ); |
| kenjiArai | 0:5b88d5760320 | 837 | return( -1 ); |
| kenjiArai | 0:5b88d5760320 | 838 | } |
| kenjiArai | 0:5b88d5760320 | 839 | |
| kenjiArai | 0:5b88d5760320 | 840 | for( cur = list; cur != NULL; cur = cur->next ) |
| kenjiArai | 0:5b88d5760320 | 841 | { |
| kenjiArai | 0:5b88d5760320 | 842 | MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", |
| kenjiArai | 0:5b88d5760320 | 843 | cur->cert ); |
| kenjiArai | 0:5b88d5760320 | 844 | |
| kenjiArai | 0:5b88d5760320 | 845 | if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) ) |
| kenjiArai | 0:5b88d5760320 | 846 | { |
| kenjiArai | 0:5b88d5760320 | 847 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); |
| kenjiArai | 0:5b88d5760320 | 848 | continue; |
| kenjiArai | 0:5b88d5760320 | 849 | } |
| kenjiArai | 0:5b88d5760320 | 850 | |
| kenjiArai | 0:5b88d5760320 | 851 | /* |
| kenjiArai | 0:5b88d5760320 | 852 | * This avoids sending the client a cert it'll reject based on |
| kenjiArai | 0:5b88d5760320 | 853 | * keyUsage or other extensions. |
| kenjiArai | 0:5b88d5760320 | 854 | * |
| kenjiArai | 0:5b88d5760320 | 855 | * It also allows the user to provision different certificates for |
| kenjiArai | 0:5b88d5760320 | 856 | * different uses based on keyUsage, eg if they want to avoid signing |
| kenjiArai | 0:5b88d5760320 | 857 | * and decrypting with the same RSA key. |
| kenjiArai | 0:5b88d5760320 | 858 | */ |
| kenjiArai | 0:5b88d5760320 | 859 | if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info, |
| kenjiArai | 0:5b88d5760320 | 860 | MBEDTLS_SSL_IS_SERVER, &flags ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 861 | { |
| kenjiArai | 0:5b88d5760320 | 862 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: " |
| kenjiArai | 0:5b88d5760320 | 863 | "(extended) key usage extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 864 | continue; |
| kenjiArai | 0:5b88d5760320 | 865 | } |
| kenjiArai | 0:5b88d5760320 | 866 | |
| kenjiArai | 0:5b88d5760320 | 867 | #if defined(MBEDTLS_ECDSA_C) |
| kenjiArai | 0:5b88d5760320 | 868 | if( pk_alg == MBEDTLS_PK_ECDSA && |
| kenjiArai | 0:5b88d5760320 | 869 | ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 870 | { |
| kenjiArai | 0:5b88d5760320 | 871 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); |
| kenjiArai | 0:5b88d5760320 | 872 | continue; |
| kenjiArai | 0:5b88d5760320 | 873 | } |
| kenjiArai | 0:5b88d5760320 | 874 | #endif |
| kenjiArai | 0:5b88d5760320 | 875 | |
| kenjiArai | 0:5b88d5760320 | 876 | /* |
| kenjiArai | 0:5b88d5760320 | 877 | * Try to select a SHA-1 certificate for pre-1.2 clients, but still |
| kenjiArai | 0:5b88d5760320 | 878 | * present them a SHA-higher cert rather than failing if it's the only |
| kenjiArai | 0:5b88d5760320 | 879 | * one we got that satisfies the other conditions. |
| kenjiArai | 0:5b88d5760320 | 880 | */ |
| kenjiArai | 0:5b88d5760320 | 881 | if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 && |
| kenjiArai | 0:5b88d5760320 | 882 | cur->cert->sig_md != MBEDTLS_MD_SHA1 ) |
| kenjiArai | 0:5b88d5760320 | 883 | { |
| kenjiArai | 0:5b88d5760320 | 884 | if( fallback == NULL ) |
| kenjiArai | 0:5b88d5760320 | 885 | fallback = cur; |
| kenjiArai | 0:5b88d5760320 | 886 | { |
| kenjiArai | 0:5b88d5760320 | 887 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: " |
| kenjiArai | 0:5b88d5760320 | 888 | "sha-2 with pre-TLS 1.2 client" ) ); |
| kenjiArai | 0:5b88d5760320 | 889 | continue; |
| kenjiArai | 0:5b88d5760320 | 890 | } |
| kenjiArai | 0:5b88d5760320 | 891 | } |
| kenjiArai | 0:5b88d5760320 | 892 | |
| kenjiArai | 0:5b88d5760320 | 893 | /* If we get there, we got a winner */ |
| kenjiArai | 0:5b88d5760320 | 894 | break; |
| kenjiArai | 0:5b88d5760320 | 895 | } |
| kenjiArai | 0:5b88d5760320 | 896 | |
| kenjiArai | 0:5b88d5760320 | 897 | if( cur == NULL ) |
| kenjiArai | 0:5b88d5760320 | 898 | cur = fallback; |
| kenjiArai | 0:5b88d5760320 | 899 | |
| kenjiArai | 0:5b88d5760320 | 900 | /* Do not update ssl->handshake->key_cert unless there is a match */ |
| kenjiArai | 0:5b88d5760320 | 901 | if( cur != NULL ) |
| kenjiArai | 0:5b88d5760320 | 902 | { |
| kenjiArai | 0:5b88d5760320 | 903 | ssl->handshake->key_cert = cur; |
| kenjiArai | 0:5b88d5760320 | 904 | MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate", |
| kenjiArai | 0:5b88d5760320 | 905 | ssl->handshake->key_cert->cert ); |
| kenjiArai | 0:5b88d5760320 | 906 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 907 | } |
| kenjiArai | 0:5b88d5760320 | 908 | |
| kenjiArai | 0:5b88d5760320 | 909 | return( -1 ); |
| kenjiArai | 0:5b88d5760320 | 910 | } |
| kenjiArai | 0:5b88d5760320 | 911 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
| kenjiArai | 0:5b88d5760320 | 912 | |
| kenjiArai | 0:5b88d5760320 | 913 | /* |
| kenjiArai | 0:5b88d5760320 | 914 | * Check if a given ciphersuite is suitable for use with our config/keys/etc |
| kenjiArai | 0:5b88d5760320 | 915 | * Sets ciphersuite_info only if the suite matches. |
| kenjiArai | 0:5b88d5760320 | 916 | */ |
| kenjiArai | 0:5b88d5760320 | 917 | static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, |
| kenjiArai | 0:5b88d5760320 | 918 | const mbedtls_ssl_ciphersuite_t **ciphersuite_info ) |
| kenjiArai | 0:5b88d5760320 | 919 | { |
| kenjiArai | 0:5b88d5760320 | 920 | const mbedtls_ssl_ciphersuite_t *suite_info; |
| kenjiArai | 0:5b88d5760320 | 921 | |
| kenjiArai | 0:5b88d5760320 | 922 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
| kenjiArai | 0:5b88d5760320 | 923 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 924 | mbedtls_pk_type_t sig_type; |
| kenjiArai | 0:5b88d5760320 | 925 | #endif |
| kenjiArai | 0:5b88d5760320 | 926 | |
| kenjiArai | 0:5b88d5760320 | 927 | suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id ); |
| kenjiArai | 0:5b88d5760320 | 928 | if( suite_info == NULL ) |
| kenjiArai | 0:5b88d5760320 | 929 | { |
| kenjiArai | 0:5b88d5760320 | 930 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| kenjiArai | 0:5b88d5760320 | 931 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 932 | } |
| kenjiArai | 0:5b88d5760320 | 933 | |
| kenjiArai | 0:5b88d5760320 | 934 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); |
| kenjiArai | 0:5b88d5760320 | 935 | |
| kenjiArai | 0:5b88d5760320 | 936 | if( suite_info->min_minor_ver > ssl->minor_ver || |
| kenjiArai | 0:5b88d5760320 | 937 | suite_info->max_minor_ver < ssl->minor_ver ) |
| kenjiArai | 0:5b88d5760320 | 938 | { |
| kenjiArai | 0:5b88d5760320 | 939 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); |
| kenjiArai | 0:5b88d5760320 | 940 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 941 | } |
| kenjiArai | 0:5b88d5760320 | 942 | |
| kenjiArai | 0:5b88d5760320 | 943 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 944 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| kenjiArai | 0:5b88d5760320 | 945 | ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) |
| kenjiArai | 0:5b88d5760320 | 946 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 947 | #endif |
| kenjiArai | 0:5b88d5760320 | 948 | |
| kenjiArai | 0:5b88d5760320 | 949 | #if defined(MBEDTLS_ARC4_C) |
| kenjiArai | 0:5b88d5760320 | 950 | if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && |
| kenjiArai | 0:5b88d5760320 | 951 | suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) |
| kenjiArai | 0:5b88d5760320 | 952 | { |
| kenjiArai | 0:5b88d5760320 | 953 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); |
| kenjiArai | 0:5b88d5760320 | 954 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 955 | } |
| kenjiArai | 0:5b88d5760320 | 956 | #endif |
| kenjiArai | 0:5b88d5760320 | 957 | |
| kenjiArai | 0:5b88d5760320 | 958 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 959 | if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && |
| kenjiArai | 0:5b88d5760320 | 960 | ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 ) |
| kenjiArai | 0:5b88d5760320 | 961 | { |
| kenjiArai | 0:5b88d5760320 | 962 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake " |
| kenjiArai | 0:5b88d5760320 | 963 | "not configured or ext missing" ) ); |
| kenjiArai | 0:5b88d5760320 | 964 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 965 | } |
| kenjiArai | 0:5b88d5760320 | 966 | #endif |
| kenjiArai | 0:5b88d5760320 | 967 | |
| kenjiArai | 0:5b88d5760320 | 968 | |
| kenjiArai | 0:5b88d5760320 | 969 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) |
| kenjiArai | 0:5b88d5760320 | 970 | if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && |
| kenjiArai | 0:5b88d5760320 | 971 | ( ssl->handshake->curves == NULL || |
| kenjiArai | 0:5b88d5760320 | 972 | ssl->handshake->curves[0] == NULL ) ) |
| kenjiArai | 0:5b88d5760320 | 973 | { |
| kenjiArai | 0:5b88d5760320 | 974 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " |
| kenjiArai | 0:5b88d5760320 | 975 | "no common elliptic curve" ) ); |
| kenjiArai | 0:5b88d5760320 | 976 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 977 | } |
| kenjiArai | 0:5b88d5760320 | 978 | #endif |
| kenjiArai | 0:5b88d5760320 | 979 | |
| kenjiArai | 0:5b88d5760320 | 980 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 981 | /* If the ciphersuite requires a pre-shared key and we don't |
| kenjiArai | 0:5b88d5760320 | 982 | * have one, skip it now rather than failing later */ |
| kenjiArai | 0:5b88d5760320 | 983 | if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && |
| kenjiArai | 0:5b88d5760320 | 984 | ssl_conf_has_psk_or_cb( ssl->conf ) == 0 ) |
| kenjiArai | 0:5b88d5760320 | 985 | { |
| kenjiArai | 0:5b88d5760320 | 986 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); |
| kenjiArai | 0:5b88d5760320 | 987 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 988 | } |
| kenjiArai | 0:5b88d5760320 | 989 | #endif |
| kenjiArai | 0:5b88d5760320 | 990 | |
| kenjiArai | 0:5b88d5760320 | 991 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
| kenjiArai | 0:5b88d5760320 | 992 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 993 | /* If the ciphersuite requires signing, check whether |
| kenjiArai | 0:5b88d5760320 | 994 | * a suitable hash algorithm is present. */ |
| kenjiArai | 0:5b88d5760320 | 995 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
| kenjiArai | 0:5b88d5760320 | 996 | { |
| kenjiArai | 0:5b88d5760320 | 997 | sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info ); |
| kenjiArai | 0:5b88d5760320 | 998 | if( sig_type != MBEDTLS_PK_NONE && |
| kenjiArai | 0:5b88d5760320 | 999 | mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE ) |
| kenjiArai | 0:5b88d5760320 | 1000 | { |
| kenjiArai | 0:5b88d5760320 | 1001 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm " |
| kenjiArai | 0:5b88d5760320 | 1002 | "for signature algorithm %d", sig_type ) ); |
| kenjiArai | 0:5b88d5760320 | 1003 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 1004 | } |
| kenjiArai | 0:5b88d5760320 | 1005 | } |
| kenjiArai | 0:5b88d5760320 | 1006 | |
| kenjiArai | 0:5b88d5760320 | 1007 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && |
| kenjiArai | 0:5b88d5760320 | 1008 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 1009 | |
| kenjiArai | 0:5b88d5760320 | 1010 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| kenjiArai | 0:5b88d5760320 | 1011 | /* |
| kenjiArai | 0:5b88d5760320 | 1012 | * Final check: if ciphersuite requires us to have a |
| kenjiArai | 0:5b88d5760320 | 1013 | * certificate/key of a particular type: |
| kenjiArai | 0:5b88d5760320 | 1014 | * - select the appropriate certificate if we have one, or |
| kenjiArai | 0:5b88d5760320 | 1015 | * - try the next ciphersuite if we don't |
| kenjiArai | 0:5b88d5760320 | 1016 | * This must be done last since we modify the key_cert list. |
| kenjiArai | 0:5b88d5760320 | 1017 | */ |
| kenjiArai | 0:5b88d5760320 | 1018 | if( ssl_pick_cert( ssl, suite_info ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1019 | { |
| kenjiArai | 0:5b88d5760320 | 1020 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " |
| kenjiArai | 0:5b88d5760320 | 1021 | "no suitable certificate" ) ); |
| kenjiArai | 0:5b88d5760320 | 1022 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 1023 | } |
| kenjiArai | 0:5b88d5760320 | 1024 | #endif |
| kenjiArai | 0:5b88d5760320 | 1025 | |
| kenjiArai | 0:5b88d5760320 | 1026 | *ciphersuite_info = suite_info; |
| kenjiArai | 0:5b88d5760320 | 1027 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 1028 | } |
| kenjiArai | 0:5b88d5760320 | 1029 | |
| kenjiArai | 0:5b88d5760320 | 1030 | #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) |
| kenjiArai | 0:5b88d5760320 | 1031 | static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 1032 | { |
| kenjiArai | 0:5b88d5760320 | 1033 | int ret, got_common_suite; |
| kenjiArai | 0:5b88d5760320 | 1034 | unsigned int i, j; |
| kenjiArai | 0:5b88d5760320 | 1035 | size_t n; |
| kenjiArai | 0:5b88d5760320 | 1036 | unsigned int ciph_len, sess_len, chal_len; |
| kenjiArai | 0:5b88d5760320 | 1037 | unsigned char *buf, *p; |
| kenjiArai | 0:5b88d5760320 | 1038 | const int *ciphersuites; |
| kenjiArai | 0:5b88d5760320 | 1039 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 1040 | |
| kenjiArai | 0:5b88d5760320 | 1041 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); |
| kenjiArai | 0:5b88d5760320 | 1042 | |
| kenjiArai | 0:5b88d5760320 | 1043 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 1044 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| kenjiArai | 0:5b88d5760320 | 1045 | { |
| kenjiArai | 0:5b88d5760320 | 1046 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); |
| kenjiArai | 0:5b88d5760320 | 1047 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1048 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| kenjiArai | 0:5b88d5760320 | 1049 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1050 | } |
| kenjiArai | 0:5b88d5760320 | 1051 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| kenjiArai | 0:5b88d5760320 | 1052 | |
| kenjiArai | 0:5b88d5760320 | 1053 | buf = ssl->in_hdr; |
| kenjiArai | 0:5b88d5760320 | 1054 | |
| kenjiArai | 0:5b88d5760320 | 1055 | MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 ); |
| kenjiArai | 0:5b88d5760320 | 1056 | |
| kenjiArai | 0:5b88d5760320 | 1057 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", |
| kenjiArai | 0:5b88d5760320 | 1058 | buf[2] ) ); |
| kenjiArai | 0:5b88d5760320 | 1059 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", |
| kenjiArai | 0:5b88d5760320 | 1060 | ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); |
| kenjiArai | 0:5b88d5760320 | 1061 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", |
| kenjiArai | 0:5b88d5760320 | 1062 | buf[3], buf[4] ) ); |
| kenjiArai | 0:5b88d5760320 | 1063 | |
| kenjiArai | 0:5b88d5760320 | 1064 | /* |
| kenjiArai | 0:5b88d5760320 | 1065 | * SSLv2 Client Hello |
| kenjiArai | 0:5b88d5760320 | 1066 | * |
| kenjiArai | 0:5b88d5760320 | 1067 | * Record layer: |
| kenjiArai | 0:5b88d5760320 | 1068 | * 0 . 1 message length |
| kenjiArai | 0:5b88d5760320 | 1069 | * |
| kenjiArai | 0:5b88d5760320 | 1070 | * SSL layer: |
| kenjiArai | 0:5b88d5760320 | 1071 | * 2 . 2 message type |
| kenjiArai | 0:5b88d5760320 | 1072 | * 3 . 4 protocol version |
| kenjiArai | 0:5b88d5760320 | 1073 | */ |
| kenjiArai | 0:5b88d5760320 | 1074 | if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO || |
| kenjiArai | 0:5b88d5760320 | 1075 | buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 ) |
| kenjiArai | 0:5b88d5760320 | 1076 | { |
| kenjiArai | 0:5b88d5760320 | 1077 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1078 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1079 | } |
| kenjiArai | 0:5b88d5760320 | 1080 | |
| kenjiArai | 0:5b88d5760320 | 1081 | n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; |
| kenjiArai | 0:5b88d5760320 | 1082 | |
| kenjiArai | 0:5b88d5760320 | 1083 | if( n < 17 || n > 512 ) |
| kenjiArai | 0:5b88d5760320 | 1084 | { |
| kenjiArai | 0:5b88d5760320 | 1085 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1086 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1087 | } |
| kenjiArai | 0:5b88d5760320 | 1088 | |
| kenjiArai | 0:5b88d5760320 | 1089 | ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; |
| kenjiArai | 0:5b88d5760320 | 1090 | ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver ) |
| kenjiArai | 0:5b88d5760320 | 1091 | ? buf[4] : ssl->conf->max_minor_ver; |
| kenjiArai | 0:5b88d5760320 | 1092 | |
| kenjiArai | 0:5b88d5760320 | 1093 | if( ssl->minor_ver < ssl->conf->min_minor_ver ) |
| kenjiArai | 0:5b88d5760320 | 1094 | { |
| kenjiArai | 0:5b88d5760320 | 1095 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" |
| kenjiArai | 0:5b88d5760320 | 1096 | " [%d:%d] < [%d:%d]", |
| kenjiArai | 0:5b88d5760320 | 1097 | ssl->major_ver, ssl->minor_ver, |
| kenjiArai | 0:5b88d5760320 | 1098 | ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); |
| kenjiArai | 0:5b88d5760320 | 1099 | |
| kenjiArai | 0:5b88d5760320 | 1100 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1101 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); |
| kenjiArai | 0:5b88d5760320 | 1102 | return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); |
| kenjiArai | 0:5b88d5760320 | 1103 | } |
| kenjiArai | 0:5b88d5760320 | 1104 | |
| kenjiArai | 0:5b88d5760320 | 1105 | ssl->handshake->max_major_ver = buf[3]; |
| kenjiArai | 0:5b88d5760320 | 1106 | ssl->handshake->max_minor_ver = buf[4]; |
| kenjiArai | 0:5b88d5760320 | 1107 | |
| kenjiArai | 0:5b88d5760320 | 1108 | if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1109 | { |
| kenjiArai | 0:5b88d5760320 | 1110 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
| kenjiArai | 0:5b88d5760320 | 1111 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1112 | } |
| kenjiArai | 0:5b88d5760320 | 1113 | |
| kenjiArai | 0:5b88d5760320 | 1114 | ssl->handshake->update_checksum( ssl, buf + 2, n ); |
| kenjiArai | 0:5b88d5760320 | 1115 | |
| kenjiArai | 0:5b88d5760320 | 1116 | buf = ssl->in_msg; |
| kenjiArai | 0:5b88d5760320 | 1117 | n = ssl->in_left - 5; |
| kenjiArai | 0:5b88d5760320 | 1118 | |
| kenjiArai | 0:5b88d5760320 | 1119 | /* |
| kenjiArai | 0:5b88d5760320 | 1120 | * 0 . 1 ciphersuitelist length |
| kenjiArai | 0:5b88d5760320 | 1121 | * 2 . 3 session id length |
| kenjiArai | 0:5b88d5760320 | 1122 | * 4 . 5 challenge length |
| kenjiArai | 0:5b88d5760320 | 1123 | * 6 . .. ciphersuitelist |
| kenjiArai | 0:5b88d5760320 | 1124 | * .. . .. session id |
| kenjiArai | 0:5b88d5760320 | 1125 | * .. . .. challenge |
| kenjiArai | 0:5b88d5760320 | 1126 | */ |
| kenjiArai | 0:5b88d5760320 | 1127 | MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n ); |
| kenjiArai | 0:5b88d5760320 | 1128 | |
| kenjiArai | 0:5b88d5760320 | 1129 | ciph_len = ( buf[0] << 8 ) | buf[1]; |
| kenjiArai | 0:5b88d5760320 | 1130 | sess_len = ( buf[2] << 8 ) | buf[3]; |
| kenjiArai | 0:5b88d5760320 | 1131 | chal_len = ( buf[4] << 8 ) | buf[5]; |
| kenjiArai | 0:5b88d5760320 | 1132 | |
| kenjiArai | 0:5b88d5760320 | 1133 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", |
| kenjiArai | 0:5b88d5760320 | 1134 | ciph_len, sess_len, chal_len ) ); |
| kenjiArai | 0:5b88d5760320 | 1135 | |
| kenjiArai | 0:5b88d5760320 | 1136 | /* |
| kenjiArai | 0:5b88d5760320 | 1137 | * Make sure each parameter length is valid |
| kenjiArai | 0:5b88d5760320 | 1138 | */ |
| kenjiArai | 0:5b88d5760320 | 1139 | if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1140 | { |
| kenjiArai | 0:5b88d5760320 | 1141 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1142 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1143 | } |
| kenjiArai | 0:5b88d5760320 | 1144 | |
| kenjiArai | 0:5b88d5760320 | 1145 | if( sess_len > 32 ) |
| kenjiArai | 0:5b88d5760320 | 1146 | { |
| kenjiArai | 0:5b88d5760320 | 1147 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1148 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1149 | } |
| kenjiArai | 0:5b88d5760320 | 1150 | |
| kenjiArai | 0:5b88d5760320 | 1151 | if( chal_len < 8 || chal_len > 32 ) |
| kenjiArai | 0:5b88d5760320 | 1152 | { |
| kenjiArai | 0:5b88d5760320 | 1153 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1154 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1155 | } |
| kenjiArai | 0:5b88d5760320 | 1156 | |
| kenjiArai | 0:5b88d5760320 | 1157 | if( n != 6 + ciph_len + sess_len + chal_len ) |
| kenjiArai | 0:5b88d5760320 | 1158 | { |
| kenjiArai | 0:5b88d5760320 | 1159 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1160 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1161 | } |
| kenjiArai | 0:5b88d5760320 | 1162 | |
| kenjiArai | 0:5b88d5760320 | 1163 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", |
| kenjiArai | 0:5b88d5760320 | 1164 | buf + 6, ciph_len ); |
| kenjiArai | 0:5b88d5760320 | 1165 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", |
| kenjiArai | 0:5b88d5760320 | 1166 | buf + 6 + ciph_len, sess_len ); |
| kenjiArai | 0:5b88d5760320 | 1167 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge", |
| kenjiArai | 0:5b88d5760320 | 1168 | buf + 6 + ciph_len + sess_len, chal_len ); |
| kenjiArai | 0:5b88d5760320 | 1169 | |
| kenjiArai | 0:5b88d5760320 | 1170 | p = buf + 6 + ciph_len; |
| kenjiArai | 0:5b88d5760320 | 1171 | ssl->session_negotiate->id_len = sess_len; |
| kenjiArai | 0:5b88d5760320 | 1172 | memset( ssl->session_negotiate->id, 0, |
| kenjiArai | 0:5b88d5760320 | 1173 | sizeof( ssl->session_negotiate->id ) ); |
| kenjiArai | 0:5b88d5760320 | 1174 | memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len ); |
| kenjiArai | 0:5b88d5760320 | 1175 | |
| kenjiArai | 0:5b88d5760320 | 1176 | p += sess_len; |
| kenjiArai | 0:5b88d5760320 | 1177 | memset( ssl->handshake->randbytes, 0, 64 ); |
| kenjiArai | 0:5b88d5760320 | 1178 | memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ); |
| kenjiArai | 0:5b88d5760320 | 1179 | |
| kenjiArai | 0:5b88d5760320 | 1180 | /* |
| kenjiArai | 0:5b88d5760320 | 1181 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
| kenjiArai | 0:5b88d5760320 | 1182 | */ |
| kenjiArai | 0:5b88d5760320 | 1183 | for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) |
| kenjiArai | 0:5b88d5760320 | 1184 | { |
| kenjiArai | 0:5b88d5760320 | 1185 | if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) |
| kenjiArai | 0:5b88d5760320 | 1186 | { |
| kenjiArai | 0:5b88d5760320 | 1187 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); |
| kenjiArai | 0:5b88d5760320 | 1188 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 1189 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) |
| kenjiArai | 0:5b88d5760320 | 1190 | { |
| kenjiArai | 0:5b88d5760320 | 1191 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " |
| kenjiArai | 0:5b88d5760320 | 1192 | "during renegotiation" ) ); |
| kenjiArai | 0:5b88d5760320 | 1193 | |
| kenjiArai | 0:5b88d5760320 | 1194 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1195 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| kenjiArai | 0:5b88d5760320 | 1196 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1197 | } |
| kenjiArai | 0:5b88d5760320 | 1198 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| kenjiArai | 0:5b88d5760320 | 1199 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| kenjiArai | 0:5b88d5760320 | 1200 | break; |
| kenjiArai | 0:5b88d5760320 | 1201 | } |
| kenjiArai | 0:5b88d5760320 | 1202 | } |
| kenjiArai | 0:5b88d5760320 | 1203 | |
| kenjiArai | 0:5b88d5760320 | 1204 | #if defined(MBEDTLS_SSL_FALLBACK_SCSV) |
| kenjiArai | 0:5b88d5760320 | 1205 | for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) |
| kenjiArai | 0:5b88d5760320 | 1206 | { |
| kenjiArai | 0:5b88d5760320 | 1207 | if( p[0] == 0 && |
| kenjiArai | 0:5b88d5760320 | 1208 | p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && |
| kenjiArai | 0:5b88d5760320 | 1209 | p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) |
| kenjiArai | 0:5b88d5760320 | 1210 | { |
| kenjiArai | 0:5b88d5760320 | 1211 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); |
| kenjiArai | 0:5b88d5760320 | 1212 | |
| kenjiArai | 0:5b88d5760320 | 1213 | if( ssl->minor_ver < ssl->conf->max_minor_ver ) |
| kenjiArai | 0:5b88d5760320 | 1214 | { |
| kenjiArai | 0:5b88d5760320 | 1215 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); |
| kenjiArai | 0:5b88d5760320 | 1216 | |
| kenjiArai | 0:5b88d5760320 | 1217 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1218 | MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); |
| kenjiArai | 0:5b88d5760320 | 1219 | |
| kenjiArai | 0:5b88d5760320 | 1220 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1221 | } |
| kenjiArai | 0:5b88d5760320 | 1222 | |
| kenjiArai | 0:5b88d5760320 | 1223 | break; |
| kenjiArai | 0:5b88d5760320 | 1224 | } |
| kenjiArai | 0:5b88d5760320 | 1225 | } |
| kenjiArai | 0:5b88d5760320 | 1226 | #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ |
| kenjiArai | 0:5b88d5760320 | 1227 | |
| kenjiArai | 0:5b88d5760320 | 1228 | got_common_suite = 0; |
| kenjiArai | 0:5b88d5760320 | 1229 | ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; |
| kenjiArai | 0:5b88d5760320 | 1230 | ciphersuite_info = NULL; |
| kenjiArai | 0:5b88d5760320 | 1231 | #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) |
| kenjiArai | 0:5b88d5760320 | 1232 | for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) |
| kenjiArai | 0:5b88d5760320 | 1233 | for( i = 0; ciphersuites[i] != 0; i++ ) |
| kenjiArai | 0:5b88d5760320 | 1234 | #else |
| kenjiArai | 0:5b88d5760320 | 1235 | for( i = 0; ciphersuites[i] != 0; i++ ) |
| kenjiArai | 0:5b88d5760320 | 1236 | for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) |
| kenjiArai | 0:5b88d5760320 | 1237 | #endif |
| kenjiArai | 0:5b88d5760320 | 1238 | { |
| kenjiArai | 0:5b88d5760320 | 1239 | if( p[0] != 0 || |
| kenjiArai | 0:5b88d5760320 | 1240 | p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || |
| kenjiArai | 0:5b88d5760320 | 1241 | p[2] != ( ( ciphersuites[i] ) & 0xFF ) ) |
| kenjiArai | 0:5b88d5760320 | 1242 | continue; |
| kenjiArai | 0:5b88d5760320 | 1243 | |
| kenjiArai | 0:5b88d5760320 | 1244 | got_common_suite = 1; |
| kenjiArai | 0:5b88d5760320 | 1245 | |
| kenjiArai | 0:5b88d5760320 | 1246 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], |
| kenjiArai | 0:5b88d5760320 | 1247 | &ciphersuite_info ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1248 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1249 | |
| kenjiArai | 0:5b88d5760320 | 1250 | if( ciphersuite_info != NULL ) |
| kenjiArai | 0:5b88d5760320 | 1251 | goto have_ciphersuite_v2; |
| kenjiArai | 0:5b88d5760320 | 1252 | } |
| kenjiArai | 0:5b88d5760320 | 1253 | |
| kenjiArai | 0:5b88d5760320 | 1254 | if( got_common_suite ) |
| kenjiArai | 0:5b88d5760320 | 1255 | { |
| kenjiArai | 0:5b88d5760320 | 1256 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " |
| kenjiArai | 0:5b88d5760320 | 1257 | "but none of them usable" ) ); |
| kenjiArai | 0:5b88d5760320 | 1258 | return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); |
| kenjiArai | 0:5b88d5760320 | 1259 | } |
| kenjiArai | 0:5b88d5760320 | 1260 | else |
| kenjiArai | 0:5b88d5760320 | 1261 | { |
| kenjiArai | 0:5b88d5760320 | 1262 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); |
| kenjiArai | 0:5b88d5760320 | 1263 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); |
| kenjiArai | 0:5b88d5760320 | 1264 | } |
| kenjiArai | 0:5b88d5760320 | 1265 | |
| kenjiArai | 0:5b88d5760320 | 1266 | have_ciphersuite_v2: |
| kenjiArai | 0:5b88d5760320 | 1267 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); |
| kenjiArai | 0:5b88d5760320 | 1268 | |
| kenjiArai | 0:5b88d5760320 | 1269 | ssl->session_negotiate->ciphersuite = ciphersuites[i]; |
| kenjiArai | 0:5b88d5760320 | 1270 | ssl->handshake->ciphersuite_info = ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 1271 | |
| kenjiArai | 0:5b88d5760320 | 1272 | /* |
| kenjiArai | 0:5b88d5760320 | 1273 | * SSLv2 Client Hello relevant renegotiation security checks |
| kenjiArai | 0:5b88d5760320 | 1274 | */ |
| kenjiArai | 0:5b88d5760320 | 1275 | if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| kenjiArai | 0:5b88d5760320 | 1276 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) |
| kenjiArai | 0:5b88d5760320 | 1277 | { |
| kenjiArai | 0:5b88d5760320 | 1278 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); |
| kenjiArai | 0:5b88d5760320 | 1279 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1280 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| kenjiArai | 0:5b88d5760320 | 1281 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1282 | } |
| kenjiArai | 0:5b88d5760320 | 1283 | |
| kenjiArai | 0:5b88d5760320 | 1284 | ssl->in_left = 0; |
| kenjiArai | 0:5b88d5760320 | 1285 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 1286 | |
| kenjiArai | 0:5b88d5760320 | 1287 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) ); |
| kenjiArai | 0:5b88d5760320 | 1288 | |
| kenjiArai | 0:5b88d5760320 | 1289 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 1290 | } |
| kenjiArai | 0:5b88d5760320 | 1291 | #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ |
| kenjiArai | 0:5b88d5760320 | 1292 | |
| kenjiArai | 0:5b88d5760320 | 1293 | /* This function doesn't alert on errors that happen early during |
| kenjiArai | 0:5b88d5760320 | 1294 | ClientHello parsing because they might indicate that the client is |
| kenjiArai | 0:5b88d5760320 | 1295 | not talking SSL/TLS at all and would not understand our alert. */ |
| kenjiArai | 0:5b88d5760320 | 1296 | static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 1297 | { |
| kenjiArai | 0:5b88d5760320 | 1298 | int ret, got_common_suite; |
| kenjiArai | 0:5b88d5760320 | 1299 | size_t i, j; |
| kenjiArai | 0:5b88d5760320 | 1300 | size_t ciph_offset, comp_offset, ext_offset; |
| kenjiArai | 0:5b88d5760320 | 1301 | size_t msg_len, ciph_len, sess_len, comp_len, ext_len; |
| kenjiArai | 0:5b88d5760320 | 1302 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 1303 | size_t cookie_offset, cookie_len; |
| kenjiArai | 0:5b88d5760320 | 1304 | #endif |
| kenjiArai | 0:5b88d5760320 | 1305 | unsigned char *buf, *p, *ext; |
| kenjiArai | 0:5b88d5760320 | 1306 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 1307 | int renegotiation_info_seen = 0; |
| kenjiArai | 0:5b88d5760320 | 1308 | #endif |
| kenjiArai | 0:5b88d5760320 | 1309 | int handshake_failure = 0; |
| kenjiArai | 0:5b88d5760320 | 1310 | const int *ciphersuites; |
| kenjiArai | 0:5b88d5760320 | 1311 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 1312 | int major, minor; |
| kenjiArai | 0:5b88d5760320 | 1313 | |
| kenjiArai | 0:5b88d5760320 | 1314 | /* If there is no signature-algorithm extension present, |
| kenjiArai | 0:5b88d5760320 | 1315 | * we need to fall back to the default values for allowed |
| kenjiArai | 0:5b88d5760320 | 1316 | * signature-hash pairs. */ |
| kenjiArai | 0:5b88d5760320 | 1317 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
| kenjiArai | 0:5b88d5760320 | 1318 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 1319 | int sig_hash_alg_ext_present = 0; |
| kenjiArai | 0:5b88d5760320 | 1320 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && |
| kenjiArai | 0:5b88d5760320 | 1321 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 1322 | |
| kenjiArai | 0:5b88d5760320 | 1323 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); |
| kenjiArai | 0:5b88d5760320 | 1324 | |
| kenjiArai | 0:5b88d5760320 | 1325 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
| kenjiArai | 0:5b88d5760320 | 1326 | read_record_header: |
| kenjiArai | 0:5b88d5760320 | 1327 | #endif |
| kenjiArai | 0:5b88d5760320 | 1328 | /* |
| kenjiArai | 0:5b88d5760320 | 1329 | * If renegotiating, then the input was read with mbedtls_ssl_read_record(), |
| kenjiArai | 0:5b88d5760320 | 1330 | * otherwise read it ourselves manually in order to support SSLv2 |
| kenjiArai | 0:5b88d5760320 | 1331 | * ClientHello, which doesn't use the same record layer format. |
| kenjiArai | 0:5b88d5760320 | 1332 | */ |
| kenjiArai | 0:5b88d5760320 | 1333 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 1334 | if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| kenjiArai | 0:5b88d5760320 | 1335 | #endif |
| kenjiArai | 0:5b88d5760320 | 1336 | { |
| kenjiArai | 0:5b88d5760320 | 1337 | if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1338 | { |
| kenjiArai | 0:5b88d5760320 | 1339 | /* No alert on a read error. */ |
| kenjiArai | 0:5b88d5760320 | 1340 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
| kenjiArai | 0:5b88d5760320 | 1341 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1342 | } |
| kenjiArai | 0:5b88d5760320 | 1343 | } |
| kenjiArai | 0:5b88d5760320 | 1344 | |
| kenjiArai | 0:5b88d5760320 | 1345 | buf = ssl->in_hdr; |
| kenjiArai | 0:5b88d5760320 | 1346 | |
| kenjiArai | 0:5b88d5760320 | 1347 | #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) |
| kenjiArai | 0:5b88d5760320 | 1348 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 1349 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) |
| kenjiArai | 0:5b88d5760320 | 1350 | #endif |
| kenjiArai | 0:5b88d5760320 | 1351 | if( ( buf[0] & 0x80 ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1352 | return( ssl_parse_client_hello_v2( ssl ) ); |
| kenjiArai | 0:5b88d5760320 | 1353 | #endif |
| kenjiArai | 0:5b88d5760320 | 1354 | |
| kenjiArai | 0:5b88d5760320 | 1355 | MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_in_hdr_len( ssl ) ); |
| kenjiArai | 0:5b88d5760320 | 1356 | |
| kenjiArai | 0:5b88d5760320 | 1357 | /* |
| kenjiArai | 0:5b88d5760320 | 1358 | * SSLv3/TLS Client Hello |
| kenjiArai | 0:5b88d5760320 | 1359 | * |
| kenjiArai | 0:5b88d5760320 | 1360 | * Record layer: |
| kenjiArai | 0:5b88d5760320 | 1361 | * 0 . 0 message type |
| kenjiArai | 0:5b88d5760320 | 1362 | * 1 . 2 protocol version |
| kenjiArai | 0:5b88d5760320 | 1363 | * 3 . 11 DTLS: epoch + record sequence number |
| kenjiArai | 0:5b88d5760320 | 1364 | * 3 . 4 message length |
| kenjiArai | 0:5b88d5760320 | 1365 | */ |
| kenjiArai | 0:5b88d5760320 | 1366 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", |
| kenjiArai | 0:5b88d5760320 | 1367 | buf[0] ) ); |
| kenjiArai | 0:5b88d5760320 | 1368 | |
| kenjiArai | 0:5b88d5760320 | 1369 | if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE ) |
| kenjiArai | 0:5b88d5760320 | 1370 | { |
| kenjiArai | 0:5b88d5760320 | 1371 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1372 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1373 | } |
| kenjiArai | 0:5b88d5760320 | 1374 | |
| kenjiArai | 0:5b88d5760320 | 1375 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", |
| kenjiArai | 0:5b88d5760320 | 1376 | ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) ); |
| kenjiArai | 0:5b88d5760320 | 1377 | |
| kenjiArai | 0:5b88d5760320 | 1378 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]", |
| kenjiArai | 0:5b88d5760320 | 1379 | buf[1], buf[2] ) ); |
| kenjiArai | 0:5b88d5760320 | 1380 | |
| kenjiArai | 0:5b88d5760320 | 1381 | mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 ); |
| kenjiArai | 0:5b88d5760320 | 1382 | |
| kenjiArai | 0:5b88d5760320 | 1383 | /* According to RFC 5246 Appendix E.1, the version here is typically |
| kenjiArai | 0:5b88d5760320 | 1384 | * "{03,00}, the lowest version number supported by the client, [or] the |
| kenjiArai | 0:5b88d5760320 | 1385 | * value of ClientHello.client_version", so the only meaningful check here |
| kenjiArai | 0:5b88d5760320 | 1386 | * is the major version shouldn't be less than 3 */ |
| kenjiArai | 0:5b88d5760320 | 1387 | if( major < MBEDTLS_SSL_MAJOR_VERSION_3 ) |
| kenjiArai | 0:5b88d5760320 | 1388 | { |
| kenjiArai | 0:5b88d5760320 | 1389 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1390 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1391 | } |
| kenjiArai | 0:5b88d5760320 | 1392 | |
| kenjiArai | 0:5b88d5760320 | 1393 | /* For DTLS if this is the initial handshake, remember the client sequence |
| kenjiArai | 0:5b88d5760320 | 1394 | * number to use it in our next message (RFC 6347 4.2.1) */ |
| kenjiArai | 0:5b88d5760320 | 1395 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 1396 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM |
| kenjiArai | 0:5b88d5760320 | 1397 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 1398 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE |
| kenjiArai | 0:5b88d5760320 | 1399 | #endif |
| kenjiArai | 0:5b88d5760320 | 1400 | ) |
| kenjiArai | 0:5b88d5760320 | 1401 | { |
| kenjiArai | 0:5b88d5760320 | 1402 | /* Epoch should be 0 for initial handshakes */ |
| kenjiArai | 0:5b88d5760320 | 1403 | if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1404 | { |
| kenjiArai | 0:5b88d5760320 | 1405 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1406 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1407 | } |
| kenjiArai | 0:5b88d5760320 | 1408 | |
| kenjiArai | 0:5b88d5760320 | 1409 | memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 ); |
| kenjiArai | 0:5b88d5760320 | 1410 | |
| kenjiArai | 0:5b88d5760320 | 1411 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
| kenjiArai | 0:5b88d5760320 | 1412 | if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1413 | { |
| kenjiArai | 0:5b88d5760320 | 1414 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) ); |
| kenjiArai | 0:5b88d5760320 | 1415 | ssl->next_record_offset = 0; |
| kenjiArai | 0:5b88d5760320 | 1416 | ssl->in_left = 0; |
| kenjiArai | 0:5b88d5760320 | 1417 | goto read_record_header; |
| kenjiArai | 0:5b88d5760320 | 1418 | } |
| kenjiArai | 0:5b88d5760320 | 1419 | |
| kenjiArai | 0:5b88d5760320 | 1420 | /* No MAC to check yet, so we can update right now */ |
| kenjiArai | 0:5b88d5760320 | 1421 | mbedtls_ssl_dtls_replay_update( ssl ); |
| kenjiArai | 0:5b88d5760320 | 1422 | #endif |
| kenjiArai | 0:5b88d5760320 | 1423 | } |
| kenjiArai | 0:5b88d5760320 | 1424 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| kenjiArai | 0:5b88d5760320 | 1425 | |
| kenjiArai | 0:5b88d5760320 | 1426 | msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; |
| kenjiArai | 0:5b88d5760320 | 1427 | |
| kenjiArai | 0:5b88d5760320 | 1428 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 1429 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| kenjiArai | 0:5b88d5760320 | 1430 | { |
| kenjiArai | 0:5b88d5760320 | 1431 | /* Set by mbedtls_ssl_read_record() */ |
| kenjiArai | 0:5b88d5760320 | 1432 | msg_len = ssl->in_hslen; |
| kenjiArai | 0:5b88d5760320 | 1433 | } |
| kenjiArai | 0:5b88d5760320 | 1434 | else |
| kenjiArai | 0:5b88d5760320 | 1435 | #endif |
| kenjiArai | 0:5b88d5760320 | 1436 | { |
| kenjiArai | 0:5b88d5760320 | 1437 | if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN ) |
| kenjiArai | 0:5b88d5760320 | 1438 | { |
| kenjiArai | 0:5b88d5760320 | 1439 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1440 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1441 | } |
| kenjiArai | 0:5b88d5760320 | 1442 | |
| kenjiArai | 0:5b88d5760320 | 1443 | if( ( ret = mbedtls_ssl_fetch_input( ssl, |
| kenjiArai | 0:5b88d5760320 | 1444 | mbedtls_ssl_in_hdr_len( ssl ) + msg_len ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1445 | { |
| kenjiArai | 0:5b88d5760320 | 1446 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
| kenjiArai | 0:5b88d5760320 | 1447 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1448 | } |
| kenjiArai | 0:5b88d5760320 | 1449 | |
| kenjiArai | 0:5b88d5760320 | 1450 | /* Done reading this record, get ready for the next one */ |
| kenjiArai | 0:5b88d5760320 | 1451 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 1452 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| kenjiArai | 0:5b88d5760320 | 1453 | ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len( ssl ); |
| kenjiArai | 0:5b88d5760320 | 1454 | else |
| kenjiArai | 0:5b88d5760320 | 1455 | #endif |
| kenjiArai | 0:5b88d5760320 | 1456 | ssl->in_left = 0; |
| kenjiArai | 0:5b88d5760320 | 1457 | } |
| kenjiArai | 0:5b88d5760320 | 1458 | |
| kenjiArai | 0:5b88d5760320 | 1459 | buf = ssl->in_msg; |
| kenjiArai | 0:5b88d5760320 | 1460 | |
| kenjiArai | 0:5b88d5760320 | 1461 | MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len ); |
| kenjiArai | 0:5b88d5760320 | 1462 | |
| kenjiArai | 0:5b88d5760320 | 1463 | ssl->handshake->update_checksum( ssl, buf, msg_len ); |
| kenjiArai | 0:5b88d5760320 | 1464 | |
| kenjiArai | 0:5b88d5760320 | 1465 | /* |
| kenjiArai | 0:5b88d5760320 | 1466 | * Handshake layer: |
| kenjiArai | 0:5b88d5760320 | 1467 | * 0 . 0 handshake type |
| kenjiArai | 0:5b88d5760320 | 1468 | * 1 . 3 handshake length |
| kenjiArai | 0:5b88d5760320 | 1469 | * 4 . 5 DTLS only: message seqence number |
| kenjiArai | 0:5b88d5760320 | 1470 | * 6 . 8 DTLS only: fragment offset |
| kenjiArai | 0:5b88d5760320 | 1471 | * 9 . 11 DTLS only: fragment length |
| kenjiArai | 0:5b88d5760320 | 1472 | */ |
| kenjiArai | 0:5b88d5760320 | 1473 | if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) ) |
| kenjiArai | 0:5b88d5760320 | 1474 | { |
| kenjiArai | 0:5b88d5760320 | 1475 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1476 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1477 | } |
| kenjiArai | 0:5b88d5760320 | 1478 | |
| kenjiArai | 0:5b88d5760320 | 1479 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) ); |
| kenjiArai | 0:5b88d5760320 | 1480 | |
| kenjiArai | 0:5b88d5760320 | 1481 | if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) |
| kenjiArai | 0:5b88d5760320 | 1482 | { |
| kenjiArai | 0:5b88d5760320 | 1483 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1484 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1485 | } |
| kenjiArai | 0:5b88d5760320 | 1486 | |
| kenjiArai | 0:5b88d5760320 | 1487 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", |
| kenjiArai | 0:5b88d5760320 | 1488 | ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); |
| kenjiArai | 0:5b88d5760320 | 1489 | |
| kenjiArai | 0:5b88d5760320 | 1490 | /* We don't support fragmentation of ClientHello (yet?) */ |
| kenjiArai | 0:5b88d5760320 | 1491 | if( buf[1] != 0 || |
| kenjiArai | 0:5b88d5760320 | 1492 | msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) ) |
| kenjiArai | 0:5b88d5760320 | 1493 | { |
| kenjiArai | 0:5b88d5760320 | 1494 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1495 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1496 | } |
| kenjiArai | 0:5b88d5760320 | 1497 | |
| kenjiArai | 0:5b88d5760320 | 1498 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 1499 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| kenjiArai | 0:5b88d5760320 | 1500 | { |
| kenjiArai | 0:5b88d5760320 | 1501 | /* |
| kenjiArai | 0:5b88d5760320 | 1502 | * Copy the client's handshake message_seq on initial handshakes, |
| kenjiArai | 0:5b88d5760320 | 1503 | * check sequence number on renego. |
| kenjiArai | 0:5b88d5760320 | 1504 | */ |
| kenjiArai | 0:5b88d5760320 | 1505 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 1506 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) |
| kenjiArai | 0:5b88d5760320 | 1507 | { |
| kenjiArai | 0:5b88d5760320 | 1508 | /* This couldn't be done in ssl_prepare_handshake_record() */ |
| kenjiArai | 0:5b88d5760320 | 1509 | unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | |
| kenjiArai | 0:5b88d5760320 | 1510 | ssl->in_msg[5]; |
| kenjiArai | 0:5b88d5760320 | 1511 | |
| kenjiArai | 0:5b88d5760320 | 1512 | if( cli_msg_seq != ssl->handshake->in_msg_seq ) |
| kenjiArai | 0:5b88d5760320 | 1513 | { |
| kenjiArai | 0:5b88d5760320 | 1514 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: " |
| kenjiArai | 0:5b88d5760320 | 1515 | "%d (expected %d)", cli_msg_seq, |
| kenjiArai | 0:5b88d5760320 | 1516 | ssl->handshake->in_msg_seq ) ); |
| kenjiArai | 0:5b88d5760320 | 1517 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1518 | } |
| kenjiArai | 0:5b88d5760320 | 1519 | |
| kenjiArai | 0:5b88d5760320 | 1520 | ssl->handshake->in_msg_seq++; |
| kenjiArai | 0:5b88d5760320 | 1521 | } |
| kenjiArai | 0:5b88d5760320 | 1522 | else |
| kenjiArai | 0:5b88d5760320 | 1523 | #endif |
| kenjiArai | 0:5b88d5760320 | 1524 | { |
| kenjiArai | 0:5b88d5760320 | 1525 | unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | |
| kenjiArai | 0:5b88d5760320 | 1526 | ssl->in_msg[5]; |
| kenjiArai | 0:5b88d5760320 | 1527 | ssl->handshake->out_msg_seq = cli_msg_seq; |
| kenjiArai | 0:5b88d5760320 | 1528 | ssl->handshake->in_msg_seq = cli_msg_seq + 1; |
| kenjiArai | 0:5b88d5760320 | 1529 | } |
| kenjiArai | 0:5b88d5760320 | 1530 | |
| kenjiArai | 0:5b88d5760320 | 1531 | /* |
| kenjiArai | 0:5b88d5760320 | 1532 | * For now we don't support fragmentation, so make sure |
| kenjiArai | 0:5b88d5760320 | 1533 | * fragment_offset == 0 and fragment_length == length |
| kenjiArai | 0:5b88d5760320 | 1534 | */ |
| kenjiArai | 0:5b88d5760320 | 1535 | if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 || |
| kenjiArai | 0:5b88d5760320 | 1536 | memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1537 | { |
| kenjiArai | 0:5b88d5760320 | 1538 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) ); |
| kenjiArai | 0:5b88d5760320 | 1539 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| kenjiArai | 0:5b88d5760320 | 1540 | } |
| kenjiArai | 0:5b88d5760320 | 1541 | } |
| kenjiArai | 0:5b88d5760320 | 1542 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| kenjiArai | 0:5b88d5760320 | 1543 | |
| kenjiArai | 0:5b88d5760320 | 1544 | buf += mbedtls_ssl_hs_hdr_len( ssl ); |
| kenjiArai | 0:5b88d5760320 | 1545 | msg_len -= mbedtls_ssl_hs_hdr_len( ssl ); |
| kenjiArai | 0:5b88d5760320 | 1546 | |
| kenjiArai | 0:5b88d5760320 | 1547 | /* |
| kenjiArai | 0:5b88d5760320 | 1548 | * ClientHello layer: |
| kenjiArai | 0:5b88d5760320 | 1549 | * 0 . 1 protocol version |
| kenjiArai | 0:5b88d5760320 | 1550 | * 2 . 33 random bytes (starting with 4 bytes of Unix time) |
| kenjiArai | 0:5b88d5760320 | 1551 | * 34 . 35 session id length (1 byte) |
| kenjiArai | 0:5b88d5760320 | 1552 | * 35 . 34+x session id |
| kenjiArai | 0:5b88d5760320 | 1553 | * 35+x . 35+x DTLS only: cookie length (1 byte) |
| kenjiArai | 0:5b88d5760320 | 1554 | * 36+x . .. DTLS only: cookie |
| kenjiArai | 0:5b88d5760320 | 1555 | * .. . .. ciphersuite list length (2 bytes) |
| kenjiArai | 0:5b88d5760320 | 1556 | * .. . .. ciphersuite list |
| kenjiArai | 0:5b88d5760320 | 1557 | * .. . .. compression alg. list length (1 byte) |
| kenjiArai | 0:5b88d5760320 | 1558 | * .. . .. compression alg. list |
| kenjiArai | 0:5b88d5760320 | 1559 | * .. . .. extensions length (2 bytes, optional) |
| kenjiArai | 0:5b88d5760320 | 1560 | * .. . .. extensions (optional) |
| kenjiArai | 0:5b88d5760320 | 1561 | */ |
| kenjiArai | 0:5b88d5760320 | 1562 | |
| kenjiArai | 0:5b88d5760320 | 1563 | /* |
| kenjiArai | 0:5b88d5760320 | 1564 | * Minimal length (with everything empty and extensions omitted) is |
| kenjiArai | 0:5b88d5760320 | 1565 | * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can |
| kenjiArai | 0:5b88d5760320 | 1566 | * read at least up to session id length without worrying. |
| kenjiArai | 0:5b88d5760320 | 1567 | */ |
| kenjiArai | 0:5b88d5760320 | 1568 | if( msg_len < 38 ) |
| kenjiArai | 0:5b88d5760320 | 1569 | { |
| kenjiArai | 0:5b88d5760320 | 1570 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1571 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1572 | } |
| kenjiArai | 0:5b88d5760320 | 1573 | |
| kenjiArai | 0:5b88d5760320 | 1574 | /* |
| kenjiArai | 0:5b88d5760320 | 1575 | * Check and save the protocol version |
| kenjiArai | 0:5b88d5760320 | 1576 | */ |
| kenjiArai | 0:5b88d5760320 | 1577 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); |
| kenjiArai | 0:5b88d5760320 | 1578 | |
| kenjiArai | 0:5b88d5760320 | 1579 | mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, |
| kenjiArai | 0:5b88d5760320 | 1580 | ssl->conf->transport, buf ); |
| kenjiArai | 0:5b88d5760320 | 1581 | |
| kenjiArai | 0:5b88d5760320 | 1582 | ssl->handshake->max_major_ver = ssl->major_ver; |
| kenjiArai | 0:5b88d5760320 | 1583 | ssl->handshake->max_minor_ver = ssl->minor_ver; |
| kenjiArai | 0:5b88d5760320 | 1584 | |
| kenjiArai | 0:5b88d5760320 | 1585 | if( ssl->major_ver < ssl->conf->min_major_ver || |
| kenjiArai | 0:5b88d5760320 | 1586 | ssl->minor_ver < ssl->conf->min_minor_ver ) |
| kenjiArai | 0:5b88d5760320 | 1587 | { |
| kenjiArai | 0:5b88d5760320 | 1588 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" |
| kenjiArai | 0:5b88d5760320 | 1589 | " [%d:%d] < [%d:%d]", |
| kenjiArai | 0:5b88d5760320 | 1590 | ssl->major_ver, ssl->minor_ver, |
| kenjiArai | 0:5b88d5760320 | 1591 | ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); |
| kenjiArai | 0:5b88d5760320 | 1592 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1593 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); |
| kenjiArai | 0:5b88d5760320 | 1594 | return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); |
| kenjiArai | 0:5b88d5760320 | 1595 | } |
| kenjiArai | 0:5b88d5760320 | 1596 | |
| kenjiArai | 0:5b88d5760320 | 1597 | if( ssl->major_ver > ssl->conf->max_major_ver ) |
| kenjiArai | 0:5b88d5760320 | 1598 | { |
| kenjiArai | 0:5b88d5760320 | 1599 | ssl->major_ver = ssl->conf->max_major_ver; |
| kenjiArai | 0:5b88d5760320 | 1600 | ssl->minor_ver = ssl->conf->max_minor_ver; |
| kenjiArai | 0:5b88d5760320 | 1601 | } |
| kenjiArai | 0:5b88d5760320 | 1602 | else if( ssl->minor_ver > ssl->conf->max_minor_ver ) |
| kenjiArai | 0:5b88d5760320 | 1603 | ssl->minor_ver = ssl->conf->max_minor_ver; |
| kenjiArai | 0:5b88d5760320 | 1604 | |
| kenjiArai | 0:5b88d5760320 | 1605 | /* |
| kenjiArai | 0:5b88d5760320 | 1606 | * Save client random (inc. Unix time) |
| kenjiArai | 0:5b88d5760320 | 1607 | */ |
| kenjiArai | 0:5b88d5760320 | 1608 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 ); |
| kenjiArai | 0:5b88d5760320 | 1609 | |
| kenjiArai | 0:5b88d5760320 | 1610 | memcpy( ssl->handshake->randbytes, buf + 2, 32 ); |
| kenjiArai | 0:5b88d5760320 | 1611 | |
| kenjiArai | 0:5b88d5760320 | 1612 | /* |
| kenjiArai | 0:5b88d5760320 | 1613 | * Check the session ID length and save session ID |
| kenjiArai | 0:5b88d5760320 | 1614 | */ |
| kenjiArai | 0:5b88d5760320 | 1615 | sess_len = buf[34]; |
| kenjiArai | 0:5b88d5760320 | 1616 | |
| kenjiArai | 0:5b88d5760320 | 1617 | if( sess_len > sizeof( ssl->session_negotiate->id ) || |
| kenjiArai | 0:5b88d5760320 | 1618 | sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */ |
| kenjiArai | 0:5b88d5760320 | 1619 | { |
| kenjiArai | 0:5b88d5760320 | 1620 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1621 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1622 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 1623 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1624 | } |
| kenjiArai | 0:5b88d5760320 | 1625 | |
| kenjiArai | 0:5b88d5760320 | 1626 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len ); |
| kenjiArai | 0:5b88d5760320 | 1627 | |
| kenjiArai | 0:5b88d5760320 | 1628 | ssl->session_negotiate->id_len = sess_len; |
| kenjiArai | 0:5b88d5760320 | 1629 | memset( ssl->session_negotiate->id, 0, |
| kenjiArai | 0:5b88d5760320 | 1630 | sizeof( ssl->session_negotiate->id ) ); |
| kenjiArai | 0:5b88d5760320 | 1631 | memcpy( ssl->session_negotiate->id, buf + 35, |
| kenjiArai | 0:5b88d5760320 | 1632 | ssl->session_negotiate->id_len ); |
| kenjiArai | 0:5b88d5760320 | 1633 | |
| kenjiArai | 0:5b88d5760320 | 1634 | /* |
| kenjiArai | 0:5b88d5760320 | 1635 | * Check the cookie length and content |
| kenjiArai | 0:5b88d5760320 | 1636 | */ |
| kenjiArai | 0:5b88d5760320 | 1637 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 1638 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| kenjiArai | 0:5b88d5760320 | 1639 | { |
| kenjiArai | 0:5b88d5760320 | 1640 | cookie_offset = 35 + sess_len; |
| kenjiArai | 0:5b88d5760320 | 1641 | cookie_len = buf[cookie_offset]; |
| kenjiArai | 0:5b88d5760320 | 1642 | |
| kenjiArai | 0:5b88d5760320 | 1643 | if( cookie_offset + 1 + cookie_len + 2 > msg_len ) |
| kenjiArai | 0:5b88d5760320 | 1644 | { |
| kenjiArai | 0:5b88d5760320 | 1645 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1646 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1647 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); |
| kenjiArai | 0:5b88d5760320 | 1648 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1649 | } |
| kenjiArai | 0:5b88d5760320 | 1650 | |
| kenjiArai | 0:5b88d5760320 | 1651 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", |
| kenjiArai | 0:5b88d5760320 | 1652 | buf + cookie_offset + 1, cookie_len ); |
| kenjiArai | 0:5b88d5760320 | 1653 | |
| kenjiArai | 0:5b88d5760320 | 1654 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| kenjiArai | 0:5b88d5760320 | 1655 | if( ssl->conf->f_cookie_check != NULL |
| kenjiArai | 0:5b88d5760320 | 1656 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 1657 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE |
| kenjiArai | 0:5b88d5760320 | 1658 | #endif |
| kenjiArai | 0:5b88d5760320 | 1659 | ) |
| kenjiArai | 0:5b88d5760320 | 1660 | { |
| kenjiArai | 0:5b88d5760320 | 1661 | if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, |
| kenjiArai | 0:5b88d5760320 | 1662 | buf + cookie_offset + 1, cookie_len, |
| kenjiArai | 0:5b88d5760320 | 1663 | ssl->cli_id, ssl->cli_id_len ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1664 | { |
| kenjiArai | 0:5b88d5760320 | 1665 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) ); |
| kenjiArai | 0:5b88d5760320 | 1666 | ssl->handshake->verify_cookie_len = 1; |
| kenjiArai | 0:5b88d5760320 | 1667 | } |
| kenjiArai | 0:5b88d5760320 | 1668 | else |
| kenjiArai | 0:5b88d5760320 | 1669 | { |
| kenjiArai | 0:5b88d5760320 | 1670 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) ); |
| kenjiArai | 0:5b88d5760320 | 1671 | ssl->handshake->verify_cookie_len = 0; |
| kenjiArai | 0:5b88d5760320 | 1672 | } |
| kenjiArai | 0:5b88d5760320 | 1673 | } |
| kenjiArai | 0:5b88d5760320 | 1674 | else |
| kenjiArai | 0:5b88d5760320 | 1675 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| kenjiArai | 0:5b88d5760320 | 1676 | { |
| kenjiArai | 0:5b88d5760320 | 1677 | /* We know we didn't send a cookie, so it should be empty */ |
| kenjiArai | 0:5b88d5760320 | 1678 | if( cookie_len != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1679 | { |
| kenjiArai | 0:5b88d5760320 | 1680 | /* This may be an attacker's probe, so don't send an alert */ |
| kenjiArai | 0:5b88d5760320 | 1681 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1682 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1683 | } |
| kenjiArai | 0:5b88d5760320 | 1684 | |
| kenjiArai | 0:5b88d5760320 | 1685 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) ); |
| kenjiArai | 0:5b88d5760320 | 1686 | } |
| kenjiArai | 0:5b88d5760320 | 1687 | |
| kenjiArai | 0:5b88d5760320 | 1688 | /* |
| kenjiArai | 0:5b88d5760320 | 1689 | * Check the ciphersuitelist length (will be parsed later) |
| kenjiArai | 0:5b88d5760320 | 1690 | */ |
| kenjiArai | 0:5b88d5760320 | 1691 | ciph_offset = cookie_offset + 1 + cookie_len; |
| kenjiArai | 0:5b88d5760320 | 1692 | } |
| kenjiArai | 0:5b88d5760320 | 1693 | else |
| kenjiArai | 0:5b88d5760320 | 1694 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| kenjiArai | 0:5b88d5760320 | 1695 | ciph_offset = 35 + sess_len; |
| kenjiArai | 0:5b88d5760320 | 1696 | |
| kenjiArai | 0:5b88d5760320 | 1697 | ciph_len = ( buf[ciph_offset + 0] << 8 ) |
| kenjiArai | 0:5b88d5760320 | 1698 | | ( buf[ciph_offset + 1] ); |
| kenjiArai | 0:5b88d5760320 | 1699 | |
| kenjiArai | 0:5b88d5760320 | 1700 | if( ciph_len < 2 || |
| kenjiArai | 0:5b88d5760320 | 1701 | ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ |
| kenjiArai | 0:5b88d5760320 | 1702 | ( ciph_len % 2 ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1703 | { |
| kenjiArai | 0:5b88d5760320 | 1704 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1705 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1706 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 1707 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1708 | } |
| kenjiArai | 0:5b88d5760320 | 1709 | |
| kenjiArai | 0:5b88d5760320 | 1710 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", |
| kenjiArai | 0:5b88d5760320 | 1711 | buf + ciph_offset + 2, ciph_len ); |
| kenjiArai | 0:5b88d5760320 | 1712 | |
| kenjiArai | 0:5b88d5760320 | 1713 | /* |
| kenjiArai | 0:5b88d5760320 | 1714 | * Check the compression algorithms length and pick one |
| kenjiArai | 0:5b88d5760320 | 1715 | */ |
| kenjiArai | 0:5b88d5760320 | 1716 | comp_offset = ciph_offset + 2 + ciph_len; |
| kenjiArai | 0:5b88d5760320 | 1717 | |
| kenjiArai | 0:5b88d5760320 | 1718 | comp_len = buf[comp_offset]; |
| kenjiArai | 0:5b88d5760320 | 1719 | |
| kenjiArai | 0:5b88d5760320 | 1720 | if( comp_len < 1 || |
| kenjiArai | 0:5b88d5760320 | 1721 | comp_len > 16 || |
| kenjiArai | 0:5b88d5760320 | 1722 | comp_len + comp_offset + 1 > msg_len ) |
| kenjiArai | 0:5b88d5760320 | 1723 | { |
| kenjiArai | 0:5b88d5760320 | 1724 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1725 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1726 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 1727 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1728 | } |
| kenjiArai | 0:5b88d5760320 | 1729 | |
| kenjiArai | 0:5b88d5760320 | 1730 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", |
| kenjiArai | 0:5b88d5760320 | 1731 | buf + comp_offset + 1, comp_len ); |
| kenjiArai | 0:5b88d5760320 | 1732 | |
| kenjiArai | 0:5b88d5760320 | 1733 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; |
| kenjiArai | 0:5b88d5760320 | 1734 | #if defined(MBEDTLS_ZLIB_SUPPORT) |
| kenjiArai | 0:5b88d5760320 | 1735 | for( i = 0; i < comp_len; ++i ) |
| kenjiArai | 0:5b88d5760320 | 1736 | { |
| kenjiArai | 0:5b88d5760320 | 1737 | if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE ) |
| kenjiArai | 0:5b88d5760320 | 1738 | { |
| kenjiArai | 0:5b88d5760320 | 1739 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE; |
| kenjiArai | 0:5b88d5760320 | 1740 | break; |
| kenjiArai | 0:5b88d5760320 | 1741 | } |
| kenjiArai | 0:5b88d5760320 | 1742 | } |
| kenjiArai | 0:5b88d5760320 | 1743 | #endif |
| kenjiArai | 0:5b88d5760320 | 1744 | |
| kenjiArai | 0:5b88d5760320 | 1745 | /* See comments in ssl_write_client_hello() */ |
| kenjiArai | 0:5b88d5760320 | 1746 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 1747 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| kenjiArai | 0:5b88d5760320 | 1748 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; |
| kenjiArai | 0:5b88d5760320 | 1749 | #endif |
| kenjiArai | 0:5b88d5760320 | 1750 | |
| kenjiArai | 0:5b88d5760320 | 1751 | /* Do not parse the extensions if the protocol is SSLv3 */ |
| kenjiArai | 0:5b88d5760320 | 1752 | #if defined(MBEDTLS_SSL_PROTO_SSL3) |
| kenjiArai | 0:5b88d5760320 | 1753 | if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) |
| kenjiArai | 0:5b88d5760320 | 1754 | { |
| kenjiArai | 0:5b88d5760320 | 1755 | #endif |
| kenjiArai | 0:5b88d5760320 | 1756 | /* |
| kenjiArai | 0:5b88d5760320 | 1757 | * Check the extension length |
| kenjiArai | 0:5b88d5760320 | 1758 | */ |
| kenjiArai | 0:5b88d5760320 | 1759 | ext_offset = comp_offset + 1 + comp_len; |
| kenjiArai | 0:5b88d5760320 | 1760 | if( msg_len > ext_offset ) |
| kenjiArai | 0:5b88d5760320 | 1761 | { |
| kenjiArai | 0:5b88d5760320 | 1762 | if( msg_len < ext_offset + 2 ) |
| kenjiArai | 0:5b88d5760320 | 1763 | { |
| kenjiArai | 0:5b88d5760320 | 1764 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1765 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1766 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 1767 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1768 | } |
| kenjiArai | 0:5b88d5760320 | 1769 | |
| kenjiArai | 0:5b88d5760320 | 1770 | ext_len = ( buf[ext_offset + 0] << 8 ) |
| kenjiArai | 0:5b88d5760320 | 1771 | | ( buf[ext_offset + 1] ); |
| kenjiArai | 0:5b88d5760320 | 1772 | |
| kenjiArai | 0:5b88d5760320 | 1773 | if( ( ext_len > 0 && ext_len < 4 ) || |
| kenjiArai | 0:5b88d5760320 | 1774 | msg_len != ext_offset + 2 + ext_len ) |
| kenjiArai | 0:5b88d5760320 | 1775 | { |
| kenjiArai | 0:5b88d5760320 | 1776 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1777 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1778 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 1779 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1780 | } |
| kenjiArai | 0:5b88d5760320 | 1781 | } |
| kenjiArai | 0:5b88d5760320 | 1782 | else |
| kenjiArai | 0:5b88d5760320 | 1783 | ext_len = 0; |
| kenjiArai | 0:5b88d5760320 | 1784 | |
| kenjiArai | 0:5b88d5760320 | 1785 | ext = buf + ext_offset + 2; |
| kenjiArai | 0:5b88d5760320 | 1786 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); |
| kenjiArai | 0:5b88d5760320 | 1787 | |
| kenjiArai | 0:5b88d5760320 | 1788 | while( ext_len != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1789 | { |
| kenjiArai | 0:5b88d5760320 | 1790 | unsigned int ext_id; |
| kenjiArai | 0:5b88d5760320 | 1791 | unsigned int ext_size; |
| kenjiArai | 0:5b88d5760320 | 1792 | if ( ext_len < 4 ) { |
| kenjiArai | 0:5b88d5760320 | 1793 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1794 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1795 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 1796 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1797 | } |
| kenjiArai | 0:5b88d5760320 | 1798 | ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) ); |
| kenjiArai | 0:5b88d5760320 | 1799 | ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) ); |
| kenjiArai | 0:5b88d5760320 | 1800 | |
| kenjiArai | 0:5b88d5760320 | 1801 | if( ext_size + 4 > ext_len ) |
| kenjiArai | 0:5b88d5760320 | 1802 | { |
| kenjiArai | 0:5b88d5760320 | 1803 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1804 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1805 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 1806 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1807 | } |
| kenjiArai | 0:5b88d5760320 | 1808 | switch( ext_id ) |
| kenjiArai | 0:5b88d5760320 | 1809 | { |
| kenjiArai | 0:5b88d5760320 | 1810 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| kenjiArai | 0:5b88d5760320 | 1811 | case MBEDTLS_TLS_EXT_SERVERNAME: |
| kenjiArai | 0:5b88d5760320 | 1812 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1813 | if( ssl->conf->f_sni == NULL ) |
| kenjiArai | 0:5b88d5760320 | 1814 | break; |
| kenjiArai | 0:5b88d5760320 | 1815 | |
| kenjiArai | 0:5b88d5760320 | 1816 | ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1817 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1818 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1819 | break; |
| kenjiArai | 0:5b88d5760320 | 1820 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
| kenjiArai | 0:5b88d5760320 | 1821 | |
| kenjiArai | 0:5b88d5760320 | 1822 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: |
| kenjiArai | 0:5b88d5760320 | 1823 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1824 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 1825 | renegotiation_info_seen = 1; |
| kenjiArai | 0:5b88d5760320 | 1826 | #endif |
| kenjiArai | 0:5b88d5760320 | 1827 | |
| kenjiArai | 0:5b88d5760320 | 1828 | ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1829 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1830 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1831 | break; |
| kenjiArai | 0:5b88d5760320 | 1832 | |
| kenjiArai | 0:5b88d5760320 | 1833 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
| kenjiArai | 0:5b88d5760320 | 1834 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 1835 | case MBEDTLS_TLS_EXT_SIG_ALG: |
| kenjiArai | 0:5b88d5760320 | 1836 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1837 | |
| kenjiArai | 0:5b88d5760320 | 1838 | ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1839 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1840 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1841 | |
| kenjiArai | 0:5b88d5760320 | 1842 | sig_hash_alg_ext_present = 1; |
| kenjiArai | 0:5b88d5760320 | 1843 | break; |
| kenjiArai | 0:5b88d5760320 | 1844 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && |
| kenjiArai | 0:5b88d5760320 | 1845 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 1846 | |
| kenjiArai | 0:5b88d5760320 | 1847 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| kenjiArai | 0:5b88d5760320 | 1848 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 1849 | case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: |
| kenjiArai | 0:5b88d5760320 | 1850 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1851 | |
| kenjiArai | 0:5b88d5760320 | 1852 | ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1853 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1854 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1855 | break; |
| kenjiArai | 0:5b88d5760320 | 1856 | |
| kenjiArai | 0:5b88d5760320 | 1857 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: |
| kenjiArai | 0:5b88d5760320 | 1858 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1859 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; |
| kenjiArai | 0:5b88d5760320 | 1860 | |
| kenjiArai | 0:5b88d5760320 | 1861 | ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1862 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1863 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1864 | break; |
| kenjiArai | 0:5b88d5760320 | 1865 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| kenjiArai | 0:5b88d5760320 | 1866 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 1867 | |
| kenjiArai | 0:5b88d5760320 | 1868 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 1869 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: |
| kenjiArai | 0:5b88d5760320 | 1870 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1871 | |
| kenjiArai | 0:5b88d5760320 | 1872 | ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1873 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1874 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1875 | break; |
| kenjiArai | 0:5b88d5760320 | 1876 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 1877 | |
| kenjiArai | 0:5b88d5760320 | 1878 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| kenjiArai | 0:5b88d5760320 | 1879 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: |
| kenjiArai | 0:5b88d5760320 | 1880 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1881 | |
| kenjiArai | 0:5b88d5760320 | 1882 | ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1883 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1884 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1885 | break; |
| kenjiArai | 0:5b88d5760320 | 1886 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| kenjiArai | 0:5b88d5760320 | 1887 | |
| kenjiArai | 0:5b88d5760320 | 1888 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
| kenjiArai | 0:5b88d5760320 | 1889 | case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: |
| kenjiArai | 0:5b88d5760320 | 1890 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1891 | |
| kenjiArai | 0:5b88d5760320 | 1892 | ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1893 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1894 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1895 | break; |
| kenjiArai | 0:5b88d5760320 | 1896 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
| kenjiArai | 0:5b88d5760320 | 1897 | |
| kenjiArai | 0:5b88d5760320 | 1898 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| kenjiArai | 0:5b88d5760320 | 1899 | case MBEDTLS_TLS_EXT_CID: |
| kenjiArai | 0:5b88d5760320 | 1900 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1901 | |
| kenjiArai | 0:5b88d5760320 | 1902 | ret = ssl_parse_cid_ext( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1903 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1904 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1905 | break; |
| kenjiArai | 0:5b88d5760320 | 1906 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
| kenjiArai | 0:5b88d5760320 | 1907 | |
| kenjiArai | 0:5b88d5760320 | 1908 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| kenjiArai | 0:5b88d5760320 | 1909 | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: |
| kenjiArai | 0:5b88d5760320 | 1910 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1911 | |
| kenjiArai | 0:5b88d5760320 | 1912 | ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1913 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1914 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1915 | break; |
| kenjiArai | 0:5b88d5760320 | 1916 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| kenjiArai | 0:5b88d5760320 | 1917 | |
| kenjiArai | 0:5b88d5760320 | 1918 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| kenjiArai | 0:5b88d5760320 | 1919 | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: |
| kenjiArai | 0:5b88d5760320 | 1920 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1921 | |
| kenjiArai | 0:5b88d5760320 | 1922 | ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1923 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1924 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1925 | break; |
| kenjiArai | 0:5b88d5760320 | 1926 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| kenjiArai | 0:5b88d5760320 | 1927 | |
| kenjiArai | 0:5b88d5760320 | 1928 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| kenjiArai | 0:5b88d5760320 | 1929 | case MBEDTLS_TLS_EXT_SESSION_TICKET: |
| kenjiArai | 0:5b88d5760320 | 1930 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1931 | |
| kenjiArai | 0:5b88d5760320 | 1932 | ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1933 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1934 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1935 | break; |
| kenjiArai | 0:5b88d5760320 | 1936 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| kenjiArai | 0:5b88d5760320 | 1937 | |
| kenjiArai | 0:5b88d5760320 | 1938 | #if defined(MBEDTLS_SSL_ALPN) |
| kenjiArai | 0:5b88d5760320 | 1939 | case MBEDTLS_TLS_EXT_ALPN: |
| kenjiArai | 0:5b88d5760320 | 1940 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 1941 | |
| kenjiArai | 0:5b88d5760320 | 1942 | ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); |
| kenjiArai | 0:5b88d5760320 | 1943 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 1944 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 1945 | break; |
| kenjiArai | 0:5b88d5760320 | 1946 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| kenjiArai | 0:5b88d5760320 | 1947 | |
| kenjiArai | 0:5b88d5760320 | 1948 | default: |
| kenjiArai | 0:5b88d5760320 | 1949 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", |
| kenjiArai | 0:5b88d5760320 | 1950 | ext_id ) ); |
| kenjiArai | 0:5b88d5760320 | 1951 | } |
| kenjiArai | 0:5b88d5760320 | 1952 | |
| kenjiArai | 0:5b88d5760320 | 1953 | ext_len -= 4 + ext_size; |
| kenjiArai | 0:5b88d5760320 | 1954 | ext += 4 + ext_size; |
| kenjiArai | 0:5b88d5760320 | 1955 | |
| kenjiArai | 0:5b88d5760320 | 1956 | if( ext_len > 0 && ext_len < 4 ) |
| kenjiArai | 0:5b88d5760320 | 1957 | { |
| kenjiArai | 0:5b88d5760320 | 1958 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| kenjiArai | 0:5b88d5760320 | 1959 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1960 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 1961 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1962 | } |
| kenjiArai | 0:5b88d5760320 | 1963 | } |
| kenjiArai | 0:5b88d5760320 | 1964 | #if defined(MBEDTLS_SSL_PROTO_SSL3) |
| kenjiArai | 0:5b88d5760320 | 1965 | } |
| kenjiArai | 0:5b88d5760320 | 1966 | #endif |
| kenjiArai | 0:5b88d5760320 | 1967 | |
| kenjiArai | 0:5b88d5760320 | 1968 | #if defined(MBEDTLS_SSL_FALLBACK_SCSV) |
| kenjiArai | 0:5b88d5760320 | 1969 | for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) |
| kenjiArai | 0:5b88d5760320 | 1970 | { |
| kenjiArai | 0:5b88d5760320 | 1971 | if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && |
| kenjiArai | 0:5b88d5760320 | 1972 | p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) |
| kenjiArai | 0:5b88d5760320 | 1973 | { |
| kenjiArai | 0:5b88d5760320 | 1974 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) ); |
| kenjiArai | 0:5b88d5760320 | 1975 | |
| kenjiArai | 0:5b88d5760320 | 1976 | if( ssl->minor_ver < ssl->conf->max_minor_ver ) |
| kenjiArai | 0:5b88d5760320 | 1977 | { |
| kenjiArai | 0:5b88d5760320 | 1978 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); |
| kenjiArai | 0:5b88d5760320 | 1979 | |
| kenjiArai | 0:5b88d5760320 | 1980 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 1981 | MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); |
| kenjiArai | 0:5b88d5760320 | 1982 | |
| kenjiArai | 0:5b88d5760320 | 1983 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 1984 | } |
| kenjiArai | 0:5b88d5760320 | 1985 | |
| kenjiArai | 0:5b88d5760320 | 1986 | break; |
| kenjiArai | 0:5b88d5760320 | 1987 | } |
| kenjiArai | 0:5b88d5760320 | 1988 | } |
| kenjiArai | 0:5b88d5760320 | 1989 | #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ |
| kenjiArai | 0:5b88d5760320 | 1990 | |
| kenjiArai | 0:5b88d5760320 | 1991 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
| kenjiArai | 0:5b88d5760320 | 1992 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 1993 | |
| kenjiArai | 0:5b88d5760320 | 1994 | /* |
| kenjiArai | 0:5b88d5760320 | 1995 | * Try to fall back to default hash SHA1 if the client |
| kenjiArai | 0:5b88d5760320 | 1996 | * hasn't provided any preferred signature-hash combinations. |
| kenjiArai | 0:5b88d5760320 | 1997 | */ |
| kenjiArai | 0:5b88d5760320 | 1998 | if( sig_hash_alg_ext_present == 0 ) |
| kenjiArai | 0:5b88d5760320 | 1999 | { |
| kenjiArai | 0:5b88d5760320 | 2000 | mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1; |
| kenjiArai | 0:5b88d5760320 | 2001 | |
| kenjiArai | 0:5b88d5760320 | 2002 | if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2003 | md_default = MBEDTLS_MD_NONE; |
| kenjiArai | 0:5b88d5760320 | 2004 | |
| kenjiArai | 0:5b88d5760320 | 2005 | mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default ); |
| kenjiArai | 0:5b88d5760320 | 2006 | } |
| kenjiArai | 0:5b88d5760320 | 2007 | |
| kenjiArai | 0:5b88d5760320 | 2008 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && |
| kenjiArai | 0:5b88d5760320 | 2009 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 2010 | |
| kenjiArai | 0:5b88d5760320 | 2011 | /* |
| kenjiArai | 0:5b88d5760320 | 2012 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
| kenjiArai | 0:5b88d5760320 | 2013 | */ |
| kenjiArai | 0:5b88d5760320 | 2014 | for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) |
| kenjiArai | 0:5b88d5760320 | 2015 | { |
| kenjiArai | 0:5b88d5760320 | 2016 | if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) |
| kenjiArai | 0:5b88d5760320 | 2017 | { |
| kenjiArai | 0:5b88d5760320 | 2018 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); |
| kenjiArai | 0:5b88d5760320 | 2019 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 2020 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) |
| kenjiArai | 0:5b88d5760320 | 2021 | { |
| kenjiArai | 0:5b88d5760320 | 2022 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " |
| kenjiArai | 0:5b88d5760320 | 2023 | "during renegotiation" ) ); |
| kenjiArai | 0:5b88d5760320 | 2024 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 2025 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| kenjiArai | 0:5b88d5760320 | 2026 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 2027 | } |
| kenjiArai | 0:5b88d5760320 | 2028 | #endif |
| kenjiArai | 0:5b88d5760320 | 2029 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| kenjiArai | 0:5b88d5760320 | 2030 | break; |
| kenjiArai | 0:5b88d5760320 | 2031 | } |
| kenjiArai | 0:5b88d5760320 | 2032 | } |
| kenjiArai | 0:5b88d5760320 | 2033 | |
| kenjiArai | 0:5b88d5760320 | 2034 | /* |
| kenjiArai | 0:5b88d5760320 | 2035 | * Renegotiation security checks |
| kenjiArai | 0:5b88d5760320 | 2036 | */ |
| kenjiArai | 0:5b88d5760320 | 2037 | if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| kenjiArai | 0:5b88d5760320 | 2038 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) |
| kenjiArai | 0:5b88d5760320 | 2039 | { |
| kenjiArai | 0:5b88d5760320 | 2040 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); |
| kenjiArai | 0:5b88d5760320 | 2041 | handshake_failure = 1; |
| kenjiArai | 0:5b88d5760320 | 2042 | } |
| kenjiArai | 0:5b88d5760320 | 2043 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 2044 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| kenjiArai | 0:5b88d5760320 | 2045 | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| kenjiArai | 0:5b88d5760320 | 2046 | renegotiation_info_seen == 0 ) |
| kenjiArai | 0:5b88d5760320 | 2047 | { |
| kenjiArai | 0:5b88d5760320 | 2048 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); |
| kenjiArai | 0:5b88d5760320 | 2049 | handshake_failure = 1; |
| kenjiArai | 0:5b88d5760320 | 2050 | } |
| kenjiArai | 0:5b88d5760320 | 2051 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| kenjiArai | 0:5b88d5760320 | 2052 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| kenjiArai | 0:5b88d5760320 | 2053 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) |
| kenjiArai | 0:5b88d5760320 | 2054 | { |
| kenjiArai | 0:5b88d5760320 | 2055 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); |
| kenjiArai | 0:5b88d5760320 | 2056 | handshake_failure = 1; |
| kenjiArai | 0:5b88d5760320 | 2057 | } |
| kenjiArai | 0:5b88d5760320 | 2058 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| kenjiArai | 0:5b88d5760320 | 2059 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| kenjiArai | 0:5b88d5760320 | 2060 | renegotiation_info_seen == 1 ) |
| kenjiArai | 0:5b88d5760320 | 2061 | { |
| kenjiArai | 0:5b88d5760320 | 2062 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); |
| kenjiArai | 0:5b88d5760320 | 2063 | handshake_failure = 1; |
| kenjiArai | 0:5b88d5760320 | 2064 | } |
| kenjiArai | 0:5b88d5760320 | 2065 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| kenjiArai | 0:5b88d5760320 | 2066 | |
| kenjiArai | 0:5b88d5760320 | 2067 | if( handshake_failure == 1 ) |
| kenjiArai | 0:5b88d5760320 | 2068 | { |
| kenjiArai | 0:5b88d5760320 | 2069 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 2070 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| kenjiArai | 0:5b88d5760320 | 2071 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| kenjiArai | 0:5b88d5760320 | 2072 | } |
| kenjiArai | 0:5b88d5760320 | 2073 | |
| kenjiArai | 0:5b88d5760320 | 2074 | /* |
| kenjiArai | 0:5b88d5760320 | 2075 | * Search for a matching ciphersuite |
| kenjiArai | 0:5b88d5760320 | 2076 | * (At the end because we need information from the EC-based extensions |
| kenjiArai | 0:5b88d5760320 | 2077 | * and certificate from the SNI callback triggered by the SNI extension.) |
| kenjiArai | 0:5b88d5760320 | 2078 | */ |
| kenjiArai | 0:5b88d5760320 | 2079 | got_common_suite = 0; |
| kenjiArai | 0:5b88d5760320 | 2080 | ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; |
| kenjiArai | 0:5b88d5760320 | 2081 | ciphersuite_info = NULL; |
| kenjiArai | 0:5b88d5760320 | 2082 | #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) |
| kenjiArai | 0:5b88d5760320 | 2083 | for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) |
| kenjiArai | 0:5b88d5760320 | 2084 | for( i = 0; ciphersuites[i] != 0; i++ ) |
| kenjiArai | 0:5b88d5760320 | 2085 | #else |
| kenjiArai | 0:5b88d5760320 | 2086 | for( i = 0; ciphersuites[i] != 0; i++ ) |
| kenjiArai | 0:5b88d5760320 | 2087 | for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) |
| kenjiArai | 0:5b88d5760320 | 2088 | #endif |
| kenjiArai | 0:5b88d5760320 | 2089 | { |
| kenjiArai | 0:5b88d5760320 | 2090 | if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || |
| kenjiArai | 0:5b88d5760320 | 2091 | p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) |
| kenjiArai | 0:5b88d5760320 | 2092 | continue; |
| kenjiArai | 0:5b88d5760320 | 2093 | |
| kenjiArai | 0:5b88d5760320 | 2094 | got_common_suite = 1; |
| kenjiArai | 0:5b88d5760320 | 2095 | |
| kenjiArai | 0:5b88d5760320 | 2096 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], |
| kenjiArai | 0:5b88d5760320 | 2097 | &ciphersuite_info ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2098 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 2099 | |
| kenjiArai | 0:5b88d5760320 | 2100 | if( ciphersuite_info != NULL ) |
| kenjiArai | 0:5b88d5760320 | 2101 | goto have_ciphersuite; |
| kenjiArai | 0:5b88d5760320 | 2102 | } |
| kenjiArai | 0:5b88d5760320 | 2103 | |
| kenjiArai | 0:5b88d5760320 | 2104 | if( got_common_suite ) |
| kenjiArai | 0:5b88d5760320 | 2105 | { |
| kenjiArai | 0:5b88d5760320 | 2106 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " |
| kenjiArai | 0:5b88d5760320 | 2107 | "but none of them usable" ) ); |
| kenjiArai | 0:5b88d5760320 | 2108 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 2109 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| kenjiArai | 0:5b88d5760320 | 2110 | return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); |
| kenjiArai | 0:5b88d5760320 | 2111 | } |
| kenjiArai | 0:5b88d5760320 | 2112 | else |
| kenjiArai | 0:5b88d5760320 | 2113 | { |
| kenjiArai | 0:5b88d5760320 | 2114 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); |
| kenjiArai | 0:5b88d5760320 | 2115 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 2116 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| kenjiArai | 0:5b88d5760320 | 2117 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); |
| kenjiArai | 0:5b88d5760320 | 2118 | } |
| kenjiArai | 0:5b88d5760320 | 2119 | |
| kenjiArai | 0:5b88d5760320 | 2120 | have_ciphersuite: |
| kenjiArai | 0:5b88d5760320 | 2121 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); |
| kenjiArai | 0:5b88d5760320 | 2122 | |
| kenjiArai | 0:5b88d5760320 | 2123 | ssl->session_negotiate->ciphersuite = ciphersuites[i]; |
| kenjiArai | 0:5b88d5760320 | 2124 | ssl->handshake->ciphersuite_info = ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 2125 | |
| kenjiArai | 0:5b88d5760320 | 2126 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 2127 | |
| kenjiArai | 0:5b88d5760320 | 2128 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 2129 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| kenjiArai | 0:5b88d5760320 | 2130 | mbedtls_ssl_recv_flight_completed( ssl ); |
| kenjiArai | 0:5b88d5760320 | 2131 | #endif |
| kenjiArai | 0:5b88d5760320 | 2132 | |
| kenjiArai | 0:5b88d5760320 | 2133 | /* Debugging-only output for testsuite */ |
| kenjiArai | 0:5b88d5760320 | 2134 | #if defined(MBEDTLS_DEBUG_C) && \ |
| kenjiArai | 0:5b88d5760320 | 2135 | defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
| kenjiArai | 0:5b88d5760320 | 2136 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 2137 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
| kenjiArai | 0:5b88d5760320 | 2138 | { |
| kenjiArai | 0:5b88d5760320 | 2139 | mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info ); |
| kenjiArai | 0:5b88d5760320 | 2140 | if( sig_alg != MBEDTLS_PK_NONE ) |
| kenjiArai | 0:5b88d5760320 | 2141 | { |
| kenjiArai | 0:5b88d5760320 | 2142 | mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, |
| kenjiArai | 0:5b88d5760320 | 2143 | sig_alg ); |
| kenjiArai | 0:5b88d5760320 | 2144 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", |
| kenjiArai | 0:5b88d5760320 | 2145 | mbedtls_ssl_hash_from_md_alg( md_alg ) ) ); |
| kenjiArai | 0:5b88d5760320 | 2146 | } |
| kenjiArai | 0:5b88d5760320 | 2147 | else |
| kenjiArai | 0:5b88d5760320 | 2148 | { |
| kenjiArai | 0:5b88d5760320 | 2149 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm " |
| kenjiArai | 0:5b88d5760320 | 2150 | "%d - should not happen", sig_alg ) ); |
| kenjiArai | 0:5b88d5760320 | 2151 | } |
| kenjiArai | 0:5b88d5760320 | 2152 | } |
| kenjiArai | 0:5b88d5760320 | 2153 | #endif |
| kenjiArai | 0:5b88d5760320 | 2154 | |
| kenjiArai | 0:5b88d5760320 | 2155 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); |
| kenjiArai | 0:5b88d5760320 | 2156 | |
| kenjiArai | 0:5b88d5760320 | 2157 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 2158 | } |
| kenjiArai | 0:5b88d5760320 | 2159 | |
| kenjiArai | 0:5b88d5760320 | 2160 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
| kenjiArai | 0:5b88d5760320 | 2161 | static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 2162 | unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 2163 | size_t *olen ) |
| kenjiArai | 0:5b88d5760320 | 2164 | { |
| kenjiArai | 0:5b88d5760320 | 2165 | unsigned char *p = buf; |
| kenjiArai | 0:5b88d5760320 | 2166 | |
| kenjiArai | 0:5b88d5760320 | 2167 | if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) |
| kenjiArai | 0:5b88d5760320 | 2168 | { |
| kenjiArai | 0:5b88d5760320 | 2169 | *olen = 0; |
| kenjiArai | 0:5b88d5760320 | 2170 | return; |
| kenjiArai | 0:5b88d5760320 | 2171 | } |
| kenjiArai | 0:5b88d5760320 | 2172 | |
| kenjiArai | 0:5b88d5760320 | 2173 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 2174 | |
| kenjiArai | 0:5b88d5760320 | 2175 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2176 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2177 | |
| kenjiArai | 0:5b88d5760320 | 2178 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2179 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2180 | |
| kenjiArai | 0:5b88d5760320 | 2181 | *olen = 4; |
| kenjiArai | 0:5b88d5760320 | 2182 | } |
| kenjiArai | 0:5b88d5760320 | 2183 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
| kenjiArai | 0:5b88d5760320 | 2184 | |
| kenjiArai | 0:5b88d5760320 | 2185 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| kenjiArai | 0:5b88d5760320 | 2186 | static void ssl_write_cid_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 2187 | unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 2188 | size_t *olen ) |
| kenjiArai | 0:5b88d5760320 | 2189 | { |
| kenjiArai | 0:5b88d5760320 | 2190 | unsigned char *p = buf; |
| kenjiArai | 0:5b88d5760320 | 2191 | size_t ext_len; |
| kenjiArai | 0:5b88d5760320 | 2192 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| kenjiArai | 0:5b88d5760320 | 2193 | |
| kenjiArai | 0:5b88d5760320 | 2194 | *olen = 0; |
| kenjiArai | 0:5b88d5760320 | 2195 | |
| kenjiArai | 0:5b88d5760320 | 2196 | /* Skip writing the extension if we don't want to use it or if |
| kenjiArai | 0:5b88d5760320 | 2197 | * the client hasn't offered it. */ |
| kenjiArai | 0:5b88d5760320 | 2198 | if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED ) |
| kenjiArai | 0:5b88d5760320 | 2199 | return; |
| kenjiArai | 0:5b88d5760320 | 2200 | |
| kenjiArai | 0:5b88d5760320 | 2201 | /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX |
| kenjiArai | 0:5b88d5760320 | 2202 | * which is at most 255, so the increment cannot overflow. */ |
| kenjiArai | 0:5b88d5760320 | 2203 | if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) ) |
| kenjiArai | 0:5b88d5760320 | 2204 | { |
| kenjiArai | 0:5b88d5760320 | 2205 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); |
| kenjiArai | 0:5b88d5760320 | 2206 | return; |
| kenjiArai | 0:5b88d5760320 | 2207 | } |
| kenjiArai | 0:5b88d5760320 | 2208 | |
| kenjiArai | 0:5b88d5760320 | 2209 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 2210 | |
| kenjiArai | 0:5b88d5760320 | 2211 | /* |
| kenjiArai | 0:5b88d5760320 | 2212 | * Quoting draft-ietf-tls-dtls-connection-id-05 |
| kenjiArai | 0:5b88d5760320 | 2213 | * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 |
| kenjiArai | 0:5b88d5760320 | 2214 | * |
| kenjiArai | 0:5b88d5760320 | 2215 | * struct { |
| kenjiArai | 0:5b88d5760320 | 2216 | * opaque cid<0..2^8-1>; |
| kenjiArai | 0:5b88d5760320 | 2217 | * } ConnectionId; |
| kenjiArai | 0:5b88d5760320 | 2218 | */ |
| kenjiArai | 0:5b88d5760320 | 2219 | |
| kenjiArai | 0:5b88d5760320 | 2220 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2221 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2222 | ext_len = (size_t) ssl->own_cid_len + 1; |
| kenjiArai | 0:5b88d5760320 | 2223 | *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2224 | *p++ = (unsigned char)( ( ext_len ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2225 | |
| kenjiArai | 0:5b88d5760320 | 2226 | *p++ = (uint8_t) ssl->own_cid_len; |
| kenjiArai | 0:5b88d5760320 | 2227 | memcpy( p, ssl->own_cid, ssl->own_cid_len ); |
| kenjiArai | 0:5b88d5760320 | 2228 | |
| kenjiArai | 0:5b88d5760320 | 2229 | *olen = ssl->own_cid_len + 5; |
| kenjiArai | 0:5b88d5760320 | 2230 | } |
| kenjiArai | 0:5b88d5760320 | 2231 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| kenjiArai | 0:5b88d5760320 | 2232 | |
| kenjiArai | 0:5b88d5760320 | 2233 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| kenjiArai | 0:5b88d5760320 | 2234 | static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 2235 | unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 2236 | size_t *olen ) |
| kenjiArai | 0:5b88d5760320 | 2237 | { |
| kenjiArai | 0:5b88d5760320 | 2238 | unsigned char *p = buf; |
| kenjiArai | 0:5b88d5760320 | 2239 | const mbedtls_ssl_ciphersuite_t *suite = NULL; |
| kenjiArai | 0:5b88d5760320 | 2240 | const mbedtls_cipher_info_t *cipher = NULL; |
| kenjiArai | 0:5b88d5760320 | 2241 | |
| kenjiArai | 0:5b88d5760320 | 2242 | if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || |
| kenjiArai | 0:5b88d5760320 | 2243 | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) |
| kenjiArai | 0:5b88d5760320 | 2244 | { |
| kenjiArai | 0:5b88d5760320 | 2245 | *olen = 0; |
| kenjiArai | 0:5b88d5760320 | 2246 | return; |
| kenjiArai | 0:5b88d5760320 | 2247 | } |
| kenjiArai | 0:5b88d5760320 | 2248 | |
| kenjiArai | 0:5b88d5760320 | 2249 | /* |
| kenjiArai | 0:5b88d5760320 | 2250 | * RFC 7366: "If a server receives an encrypt-then-MAC request extension |
| kenjiArai | 0:5b88d5760320 | 2251 | * from a client and then selects a stream or Authenticated Encryption |
| kenjiArai | 0:5b88d5760320 | 2252 | * with Associated Data (AEAD) ciphersuite, it MUST NOT send an |
| kenjiArai | 0:5b88d5760320 | 2253 | * encrypt-then-MAC response extension back to the client." |
| kenjiArai | 0:5b88d5760320 | 2254 | */ |
| kenjiArai | 0:5b88d5760320 | 2255 | if( ( suite = mbedtls_ssl_ciphersuite_from_id( |
| kenjiArai | 0:5b88d5760320 | 2256 | ssl->session_negotiate->ciphersuite ) ) == NULL || |
| kenjiArai | 0:5b88d5760320 | 2257 | ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL || |
| kenjiArai | 0:5b88d5760320 | 2258 | cipher->mode != MBEDTLS_MODE_CBC ) |
| kenjiArai | 0:5b88d5760320 | 2259 | { |
| kenjiArai | 0:5b88d5760320 | 2260 | *olen = 0; |
| kenjiArai | 0:5b88d5760320 | 2261 | return; |
| kenjiArai | 0:5b88d5760320 | 2262 | } |
| kenjiArai | 0:5b88d5760320 | 2263 | |
| kenjiArai | 0:5b88d5760320 | 2264 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 2265 | |
| kenjiArai | 0:5b88d5760320 | 2266 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2267 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2268 | |
| kenjiArai | 0:5b88d5760320 | 2269 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2270 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2271 | |
| kenjiArai | 0:5b88d5760320 | 2272 | *olen = 4; |
| kenjiArai | 0:5b88d5760320 | 2273 | } |
| kenjiArai | 0:5b88d5760320 | 2274 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| kenjiArai | 0:5b88d5760320 | 2275 | |
| kenjiArai | 0:5b88d5760320 | 2276 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| kenjiArai | 0:5b88d5760320 | 2277 | static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 2278 | unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 2279 | size_t *olen ) |
| kenjiArai | 0:5b88d5760320 | 2280 | { |
| kenjiArai | 0:5b88d5760320 | 2281 | unsigned char *p = buf; |
| kenjiArai | 0:5b88d5760320 | 2282 | |
| kenjiArai | 0:5b88d5760320 | 2283 | if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || |
| kenjiArai | 0:5b88d5760320 | 2284 | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) |
| kenjiArai | 0:5b88d5760320 | 2285 | { |
| kenjiArai | 0:5b88d5760320 | 2286 | *olen = 0; |
| kenjiArai | 0:5b88d5760320 | 2287 | return; |
| kenjiArai | 0:5b88d5760320 | 2288 | } |
| kenjiArai | 0:5b88d5760320 | 2289 | |
| kenjiArai | 0:5b88d5760320 | 2290 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret " |
| kenjiArai | 0:5b88d5760320 | 2291 | "extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 2292 | |
| kenjiArai | 0:5b88d5760320 | 2293 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2294 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2295 | |
| kenjiArai | 0:5b88d5760320 | 2296 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2297 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2298 | |
| kenjiArai | 0:5b88d5760320 | 2299 | *olen = 4; |
| kenjiArai | 0:5b88d5760320 | 2300 | } |
| kenjiArai | 0:5b88d5760320 | 2301 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| kenjiArai | 0:5b88d5760320 | 2302 | |
| kenjiArai | 0:5b88d5760320 | 2303 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| kenjiArai | 0:5b88d5760320 | 2304 | static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 2305 | unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 2306 | size_t *olen ) |
| kenjiArai | 0:5b88d5760320 | 2307 | { |
| kenjiArai | 0:5b88d5760320 | 2308 | unsigned char *p = buf; |
| kenjiArai | 0:5b88d5760320 | 2309 | |
| kenjiArai | 0:5b88d5760320 | 2310 | if( ssl->handshake->new_session_ticket == 0 ) |
| kenjiArai | 0:5b88d5760320 | 2311 | { |
| kenjiArai | 0:5b88d5760320 | 2312 | *olen = 0; |
| kenjiArai | 0:5b88d5760320 | 2313 | return; |
| kenjiArai | 0:5b88d5760320 | 2314 | } |
| kenjiArai | 0:5b88d5760320 | 2315 | |
| kenjiArai | 0:5b88d5760320 | 2316 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 2317 | |
| kenjiArai | 0:5b88d5760320 | 2318 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2319 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2320 | |
| kenjiArai | 0:5b88d5760320 | 2321 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2322 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2323 | |
| kenjiArai | 0:5b88d5760320 | 2324 | *olen = 4; |
| kenjiArai | 0:5b88d5760320 | 2325 | } |
| kenjiArai | 0:5b88d5760320 | 2326 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| kenjiArai | 0:5b88d5760320 | 2327 | |
| kenjiArai | 0:5b88d5760320 | 2328 | static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 2329 | unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 2330 | size_t *olen ) |
| kenjiArai | 0:5b88d5760320 | 2331 | { |
| kenjiArai | 0:5b88d5760320 | 2332 | unsigned char *p = buf; |
| kenjiArai | 0:5b88d5760320 | 2333 | |
| kenjiArai | 0:5b88d5760320 | 2334 | if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION ) |
| kenjiArai | 0:5b88d5760320 | 2335 | { |
| kenjiArai | 0:5b88d5760320 | 2336 | *olen = 0; |
| kenjiArai | 0:5b88d5760320 | 2337 | return; |
| kenjiArai | 0:5b88d5760320 | 2338 | } |
| kenjiArai | 0:5b88d5760320 | 2339 | |
| kenjiArai | 0:5b88d5760320 | 2340 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 2341 | |
| kenjiArai | 0:5b88d5760320 | 2342 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2343 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2344 | |
| kenjiArai | 0:5b88d5760320 | 2345 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 2346 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| kenjiArai | 0:5b88d5760320 | 2347 | { |
| kenjiArai | 0:5b88d5760320 | 2348 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2349 | *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; |
| kenjiArai | 0:5b88d5760320 | 2350 | *p++ = ssl->verify_data_len * 2 & 0xFF; |
| kenjiArai | 0:5b88d5760320 | 2351 | |
| kenjiArai | 0:5b88d5760320 | 2352 | memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); |
| kenjiArai | 0:5b88d5760320 | 2353 | p += ssl->verify_data_len; |
| kenjiArai | 0:5b88d5760320 | 2354 | memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); |
| kenjiArai | 0:5b88d5760320 | 2355 | p += ssl->verify_data_len; |
| kenjiArai | 0:5b88d5760320 | 2356 | } |
| kenjiArai | 0:5b88d5760320 | 2357 | else |
| kenjiArai | 0:5b88d5760320 | 2358 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| kenjiArai | 0:5b88d5760320 | 2359 | { |
| kenjiArai | 0:5b88d5760320 | 2360 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2361 | *p++ = 0x01; |
| kenjiArai | 0:5b88d5760320 | 2362 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2363 | } |
| kenjiArai | 0:5b88d5760320 | 2364 | |
| kenjiArai | 0:5b88d5760320 | 2365 | *olen = p - buf; |
| kenjiArai | 0:5b88d5760320 | 2366 | } |
| kenjiArai | 0:5b88d5760320 | 2367 | |
| kenjiArai | 0:5b88d5760320 | 2368 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| kenjiArai | 0:5b88d5760320 | 2369 | static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 2370 | unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 2371 | size_t *olen ) |
| kenjiArai | 0:5b88d5760320 | 2372 | { |
| kenjiArai | 0:5b88d5760320 | 2373 | unsigned char *p = buf; |
| kenjiArai | 0:5b88d5760320 | 2374 | |
| kenjiArai | 0:5b88d5760320 | 2375 | if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) |
| kenjiArai | 0:5b88d5760320 | 2376 | { |
| kenjiArai | 0:5b88d5760320 | 2377 | *olen = 0; |
| kenjiArai | 0:5b88d5760320 | 2378 | return; |
| kenjiArai | 0:5b88d5760320 | 2379 | } |
| kenjiArai | 0:5b88d5760320 | 2380 | |
| kenjiArai | 0:5b88d5760320 | 2381 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 2382 | |
| kenjiArai | 0:5b88d5760320 | 2383 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2384 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2385 | |
| kenjiArai | 0:5b88d5760320 | 2386 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2387 | *p++ = 1; |
| kenjiArai | 0:5b88d5760320 | 2388 | |
| kenjiArai | 0:5b88d5760320 | 2389 | *p++ = ssl->session_negotiate->mfl_code; |
| kenjiArai | 0:5b88d5760320 | 2390 | |
| kenjiArai | 0:5b88d5760320 | 2391 | *olen = 5; |
| kenjiArai | 0:5b88d5760320 | 2392 | } |
| kenjiArai | 0:5b88d5760320 | 2393 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| kenjiArai | 0:5b88d5760320 | 2394 | |
| kenjiArai | 0:5b88d5760320 | 2395 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| kenjiArai | 0:5b88d5760320 | 2396 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 2397 | static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 2398 | unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 2399 | size_t *olen ) |
| kenjiArai | 0:5b88d5760320 | 2400 | { |
| kenjiArai | 0:5b88d5760320 | 2401 | unsigned char *p = buf; |
| kenjiArai | 0:5b88d5760320 | 2402 | ((void) ssl); |
| kenjiArai | 0:5b88d5760320 | 2403 | |
| kenjiArai | 0:5b88d5760320 | 2404 | if( ( ssl->handshake->cli_exts & |
| kenjiArai | 0:5b88d5760320 | 2405 | MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) |
| kenjiArai | 0:5b88d5760320 | 2406 | { |
| kenjiArai | 0:5b88d5760320 | 2407 | *olen = 0; |
| kenjiArai | 0:5b88d5760320 | 2408 | return; |
| kenjiArai | 0:5b88d5760320 | 2409 | } |
| kenjiArai | 0:5b88d5760320 | 2410 | |
| kenjiArai | 0:5b88d5760320 | 2411 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 2412 | |
| kenjiArai | 0:5b88d5760320 | 2413 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2414 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2415 | |
| kenjiArai | 0:5b88d5760320 | 2416 | *p++ = 0x00; |
| kenjiArai | 0:5b88d5760320 | 2417 | *p++ = 2; |
| kenjiArai | 0:5b88d5760320 | 2418 | |
| kenjiArai | 0:5b88d5760320 | 2419 | *p++ = 1; |
| kenjiArai | 0:5b88d5760320 | 2420 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; |
| kenjiArai | 0:5b88d5760320 | 2421 | |
| kenjiArai | 0:5b88d5760320 | 2422 | *olen = 6; |
| kenjiArai | 0:5b88d5760320 | 2423 | } |
| kenjiArai | 0:5b88d5760320 | 2424 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 2425 | |
| kenjiArai | 0:5b88d5760320 | 2426 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 2427 | static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 2428 | unsigned char *buf, |
| kenjiArai | 0:5b88d5760320 | 2429 | size_t *olen ) |
| kenjiArai | 0:5b88d5760320 | 2430 | { |
| kenjiArai | 0:5b88d5760320 | 2431 | int ret; |
| kenjiArai | 0:5b88d5760320 | 2432 | unsigned char *p = buf; |
| kenjiArai | 0:5b88d5760320 | 2433 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| kenjiArai | 0:5b88d5760320 | 2434 | size_t kkpp_len; |
| kenjiArai | 0:5b88d5760320 | 2435 | |
| kenjiArai | 0:5b88d5760320 | 2436 | *olen = 0; |
| kenjiArai | 0:5b88d5760320 | 2437 | |
| kenjiArai | 0:5b88d5760320 | 2438 | /* Skip costly computation if not needed */ |
| kenjiArai | 0:5b88d5760320 | 2439 | if( ssl->handshake->ciphersuite_info->key_exchange != |
| kenjiArai | 0:5b88d5760320 | 2440 | MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
| kenjiArai | 0:5b88d5760320 | 2441 | return; |
| kenjiArai | 0:5b88d5760320 | 2442 | |
| kenjiArai | 0:5b88d5760320 | 2443 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 2444 | |
| kenjiArai | 0:5b88d5760320 | 2445 | if( end - p < 4 ) |
| kenjiArai | 0:5b88d5760320 | 2446 | { |
| kenjiArai | 0:5b88d5760320 | 2447 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); |
| kenjiArai | 0:5b88d5760320 | 2448 | return; |
| kenjiArai | 0:5b88d5760320 | 2449 | } |
| kenjiArai | 0:5b88d5760320 | 2450 | |
| kenjiArai | 0:5b88d5760320 | 2451 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2452 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2453 | |
| kenjiArai | 0:5b88d5760320 | 2454 | ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, |
| kenjiArai | 0:5b88d5760320 | 2455 | p + 2, end - p - 2, &kkpp_len, |
| kenjiArai | 0:5b88d5760320 | 2456 | ssl->conf->f_rng, ssl->conf->p_rng ); |
| kenjiArai | 0:5b88d5760320 | 2457 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2458 | { |
| kenjiArai | 0:5b88d5760320 | 2459 | MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); |
| kenjiArai | 0:5b88d5760320 | 2460 | return; |
| kenjiArai | 0:5b88d5760320 | 2461 | } |
| kenjiArai | 0:5b88d5760320 | 2462 | |
| kenjiArai | 0:5b88d5760320 | 2463 | *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2464 | *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2465 | |
| kenjiArai | 0:5b88d5760320 | 2466 | *olen = kkpp_len + 4; |
| kenjiArai | 0:5b88d5760320 | 2467 | } |
| kenjiArai | 0:5b88d5760320 | 2468 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 2469 | |
| kenjiArai | 0:5b88d5760320 | 2470 | #if defined(MBEDTLS_SSL_ALPN ) |
| kenjiArai | 0:5b88d5760320 | 2471 | static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 2472 | unsigned char *buf, size_t *olen ) |
| kenjiArai | 0:5b88d5760320 | 2473 | { |
| kenjiArai | 0:5b88d5760320 | 2474 | if( ssl->alpn_chosen == NULL ) |
| kenjiArai | 0:5b88d5760320 | 2475 | { |
| kenjiArai | 0:5b88d5760320 | 2476 | *olen = 0; |
| kenjiArai | 0:5b88d5760320 | 2477 | return; |
| kenjiArai | 0:5b88d5760320 | 2478 | } |
| kenjiArai | 0:5b88d5760320 | 2479 | |
| kenjiArai | 0:5b88d5760320 | 2480 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); |
| kenjiArai | 0:5b88d5760320 | 2481 | |
| kenjiArai | 0:5b88d5760320 | 2482 | /* |
| kenjiArai | 0:5b88d5760320 | 2483 | * 0 . 1 ext identifier |
| kenjiArai | 0:5b88d5760320 | 2484 | * 2 . 3 ext length |
| kenjiArai | 0:5b88d5760320 | 2485 | * 4 . 5 protocol list length |
| kenjiArai | 0:5b88d5760320 | 2486 | * 6 . 6 protocol name length |
| kenjiArai | 0:5b88d5760320 | 2487 | * 7 . 7+n protocol name |
| kenjiArai | 0:5b88d5760320 | 2488 | */ |
| kenjiArai | 0:5b88d5760320 | 2489 | buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2490 | buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2491 | |
| kenjiArai | 0:5b88d5760320 | 2492 | *olen = 7 + strlen( ssl->alpn_chosen ); |
| kenjiArai | 0:5b88d5760320 | 2493 | |
| kenjiArai | 0:5b88d5760320 | 2494 | buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2495 | buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2496 | |
| kenjiArai | 0:5b88d5760320 | 2497 | buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2498 | buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2499 | |
| kenjiArai | 0:5b88d5760320 | 2500 | buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2501 | |
| kenjiArai | 0:5b88d5760320 | 2502 | memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); |
| kenjiArai | 0:5b88d5760320 | 2503 | } |
| kenjiArai | 0:5b88d5760320 | 2504 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ |
| kenjiArai | 0:5b88d5760320 | 2505 | |
| kenjiArai | 0:5b88d5760320 | 2506 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| kenjiArai | 0:5b88d5760320 | 2507 | static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 2508 | { |
| kenjiArai | 0:5b88d5760320 | 2509 | int ret; |
| kenjiArai | 0:5b88d5760320 | 2510 | unsigned char *p = ssl->out_msg + 4; |
| kenjiArai | 0:5b88d5760320 | 2511 | unsigned char *cookie_len_byte; |
| kenjiArai | 0:5b88d5760320 | 2512 | |
| kenjiArai | 0:5b88d5760320 | 2513 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) ); |
| kenjiArai | 0:5b88d5760320 | 2514 | |
| kenjiArai | 0:5b88d5760320 | 2515 | /* |
| kenjiArai | 0:5b88d5760320 | 2516 | * struct { |
| kenjiArai | 0:5b88d5760320 | 2517 | * ProtocolVersion server_version; |
| kenjiArai | 0:5b88d5760320 | 2518 | * opaque cookie<0..2^8-1>; |
| kenjiArai | 0:5b88d5760320 | 2519 | * } HelloVerifyRequest; |
| kenjiArai | 0:5b88d5760320 | 2520 | */ |
| kenjiArai | 0:5b88d5760320 | 2521 | |
| kenjiArai | 0:5b88d5760320 | 2522 | /* The RFC is not clear on this point, but sending the actual negotiated |
| kenjiArai | 0:5b88d5760320 | 2523 | * version looks like the most interoperable thing to do. */ |
| kenjiArai | 0:5b88d5760320 | 2524 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, |
| kenjiArai | 0:5b88d5760320 | 2525 | ssl->conf->transport, p ); |
| kenjiArai | 0:5b88d5760320 | 2526 | MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); |
| kenjiArai | 0:5b88d5760320 | 2527 | p += 2; |
| kenjiArai | 0:5b88d5760320 | 2528 | |
| kenjiArai | 0:5b88d5760320 | 2529 | /* If we get here, f_cookie_check is not null */ |
| kenjiArai | 0:5b88d5760320 | 2530 | if( ssl->conf->f_cookie_write == NULL ) |
| kenjiArai | 0:5b88d5760320 | 2531 | { |
| kenjiArai | 0:5b88d5760320 | 2532 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); |
| kenjiArai | 0:5b88d5760320 | 2533 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 2534 | } |
| kenjiArai | 0:5b88d5760320 | 2535 | |
| kenjiArai | 0:5b88d5760320 | 2536 | /* Skip length byte until we know the length */ |
| kenjiArai | 0:5b88d5760320 | 2537 | cookie_len_byte = p++; |
| kenjiArai | 0:5b88d5760320 | 2538 | |
| kenjiArai | 0:5b88d5760320 | 2539 | if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, |
| kenjiArai | 0:5b88d5760320 | 2540 | &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN, |
| kenjiArai | 0:5b88d5760320 | 2541 | ssl->cli_id, ssl->cli_id_len ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2542 | { |
| kenjiArai | 0:5b88d5760320 | 2543 | MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret ); |
| kenjiArai | 0:5b88d5760320 | 2544 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 2545 | } |
| kenjiArai | 0:5b88d5760320 | 2546 | |
| kenjiArai | 0:5b88d5760320 | 2547 | *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) ); |
| kenjiArai | 0:5b88d5760320 | 2548 | |
| kenjiArai | 0:5b88d5760320 | 2549 | MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte ); |
| kenjiArai | 0:5b88d5760320 | 2550 | |
| kenjiArai | 0:5b88d5760320 | 2551 | ssl->out_msglen = p - ssl->out_msg; |
| kenjiArai | 0:5b88d5760320 | 2552 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| kenjiArai | 0:5b88d5760320 | 2553 | ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; |
| kenjiArai | 0:5b88d5760320 | 2554 | |
| kenjiArai | 0:5b88d5760320 | 2555 | ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; |
| kenjiArai | 0:5b88d5760320 | 2556 | |
| kenjiArai | 0:5b88d5760320 | 2557 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2558 | { |
| kenjiArai | 0:5b88d5760320 | 2559 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
| kenjiArai | 0:5b88d5760320 | 2560 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 2561 | } |
| kenjiArai | 0:5b88d5760320 | 2562 | |
| kenjiArai | 0:5b88d5760320 | 2563 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 2564 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| kenjiArai | 0:5b88d5760320 | 2565 | ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2566 | { |
| kenjiArai | 0:5b88d5760320 | 2567 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); |
| kenjiArai | 0:5b88d5760320 | 2568 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 2569 | } |
| kenjiArai | 0:5b88d5760320 | 2570 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| kenjiArai | 0:5b88d5760320 | 2571 | |
| kenjiArai | 0:5b88d5760320 | 2572 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) ); |
| kenjiArai | 0:5b88d5760320 | 2573 | |
| kenjiArai | 0:5b88d5760320 | 2574 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 2575 | } |
| kenjiArai | 0:5b88d5760320 | 2576 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| kenjiArai | 0:5b88d5760320 | 2577 | |
| kenjiArai | 0:5b88d5760320 | 2578 | static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 2579 | { |
| kenjiArai | 0:5b88d5760320 | 2580 | #if defined(MBEDTLS_HAVE_TIME) |
| kenjiArai | 0:5b88d5760320 | 2581 | mbedtls_time_t t; |
| kenjiArai | 0:5b88d5760320 | 2582 | #endif |
| kenjiArai | 0:5b88d5760320 | 2583 | int ret; |
| kenjiArai | 0:5b88d5760320 | 2584 | size_t olen, ext_len = 0, n; |
| kenjiArai | 0:5b88d5760320 | 2585 | unsigned char *buf, *p; |
| kenjiArai | 0:5b88d5760320 | 2586 | |
| kenjiArai | 0:5b88d5760320 | 2587 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); |
| kenjiArai | 0:5b88d5760320 | 2588 | |
| kenjiArai | 0:5b88d5760320 | 2589 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| kenjiArai | 0:5b88d5760320 | 2590 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| kenjiArai | 0:5b88d5760320 | 2591 | ssl->handshake->verify_cookie_len != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2592 | { |
| kenjiArai | 0:5b88d5760320 | 2593 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); |
| kenjiArai | 0:5b88d5760320 | 2594 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); |
| kenjiArai | 0:5b88d5760320 | 2595 | |
| kenjiArai | 0:5b88d5760320 | 2596 | return( ssl_write_hello_verify_request( ssl ) ); |
| kenjiArai | 0:5b88d5760320 | 2597 | } |
| kenjiArai | 0:5b88d5760320 | 2598 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| kenjiArai | 0:5b88d5760320 | 2599 | |
| kenjiArai | 0:5b88d5760320 | 2600 | if( ssl->conf->f_rng == NULL ) |
| kenjiArai | 0:5b88d5760320 | 2601 | { |
| kenjiArai | 0:5b88d5760320 | 2602 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); |
| kenjiArai | 0:5b88d5760320 | 2603 | return( MBEDTLS_ERR_SSL_NO_RNG ); |
| kenjiArai | 0:5b88d5760320 | 2604 | } |
| kenjiArai | 0:5b88d5760320 | 2605 | |
| kenjiArai | 0:5b88d5760320 | 2606 | /* |
| kenjiArai | 0:5b88d5760320 | 2607 | * 0 . 0 handshake type |
| kenjiArai | 0:5b88d5760320 | 2608 | * 1 . 3 handshake length |
| kenjiArai | 0:5b88d5760320 | 2609 | * 4 . 5 protocol version |
| kenjiArai | 0:5b88d5760320 | 2610 | * 6 . 9 UNIX time() |
| kenjiArai | 0:5b88d5760320 | 2611 | * 10 . 37 random bytes |
| kenjiArai | 0:5b88d5760320 | 2612 | */ |
| kenjiArai | 0:5b88d5760320 | 2613 | buf = ssl->out_msg; |
| kenjiArai | 0:5b88d5760320 | 2614 | p = buf + 4; |
| kenjiArai | 0:5b88d5760320 | 2615 | |
| kenjiArai | 0:5b88d5760320 | 2616 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, |
| kenjiArai | 0:5b88d5760320 | 2617 | ssl->conf->transport, p ); |
| kenjiArai | 0:5b88d5760320 | 2618 | p += 2; |
| kenjiArai | 0:5b88d5760320 | 2619 | |
| kenjiArai | 0:5b88d5760320 | 2620 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", |
| kenjiArai | 0:5b88d5760320 | 2621 | buf[4], buf[5] ) ); |
| kenjiArai | 0:5b88d5760320 | 2622 | |
| kenjiArai | 0:5b88d5760320 | 2623 | #if defined(MBEDTLS_HAVE_TIME) |
| kenjiArai | 0:5b88d5760320 | 2624 | t = mbedtls_time( NULL ); |
| kenjiArai | 0:5b88d5760320 | 2625 | *p++ = (unsigned char)( t >> 24 ); |
| kenjiArai | 0:5b88d5760320 | 2626 | *p++ = (unsigned char)( t >> 16 ); |
| kenjiArai | 0:5b88d5760320 | 2627 | *p++ = (unsigned char)( t >> 8 ); |
| kenjiArai | 0:5b88d5760320 | 2628 | *p++ = (unsigned char)( t ); |
| kenjiArai | 0:5b88d5760320 | 2629 | |
| kenjiArai | 0:5b88d5760320 | 2630 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); |
| kenjiArai | 0:5b88d5760320 | 2631 | #else |
| kenjiArai | 0:5b88d5760320 | 2632 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2633 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 2634 | |
| kenjiArai | 0:5b88d5760320 | 2635 | p += 4; |
| kenjiArai | 0:5b88d5760320 | 2636 | #endif /* MBEDTLS_HAVE_TIME */ |
| kenjiArai | 0:5b88d5760320 | 2637 | |
| kenjiArai | 0:5b88d5760320 | 2638 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2639 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 2640 | |
| kenjiArai | 0:5b88d5760320 | 2641 | p += 28; |
| kenjiArai | 0:5b88d5760320 | 2642 | |
| kenjiArai | 0:5b88d5760320 | 2643 | memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); |
| kenjiArai | 0:5b88d5760320 | 2644 | |
| kenjiArai | 0:5b88d5760320 | 2645 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); |
| kenjiArai | 0:5b88d5760320 | 2646 | |
| kenjiArai | 0:5b88d5760320 | 2647 | /* |
| kenjiArai | 0:5b88d5760320 | 2648 | * Resume is 0 by default, see ssl_handshake_init(). |
| kenjiArai | 0:5b88d5760320 | 2649 | * It may be already set to 1 by ssl_parse_session_ticket_ext(). |
| kenjiArai | 0:5b88d5760320 | 2650 | * If not, try looking up session ID in our cache. |
| kenjiArai | 0:5b88d5760320 | 2651 | */ |
| kenjiArai | 0:5b88d5760320 | 2652 | if( ssl->handshake->resume == 0 && |
| kenjiArai | 0:5b88d5760320 | 2653 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| kenjiArai | 0:5b88d5760320 | 2654 | ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && |
| kenjiArai | 0:5b88d5760320 | 2655 | #endif |
| kenjiArai | 0:5b88d5760320 | 2656 | ssl->session_negotiate->id_len != 0 && |
| kenjiArai | 0:5b88d5760320 | 2657 | ssl->conf->f_get_cache != NULL && |
| kenjiArai | 0:5b88d5760320 | 2658 | ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 ) |
| kenjiArai | 0:5b88d5760320 | 2659 | { |
| kenjiArai | 0:5b88d5760320 | 2660 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); |
| kenjiArai | 0:5b88d5760320 | 2661 | ssl->handshake->resume = 1; |
| kenjiArai | 0:5b88d5760320 | 2662 | } |
| kenjiArai | 0:5b88d5760320 | 2663 | |
| kenjiArai | 0:5b88d5760320 | 2664 | if( ssl->handshake->resume == 0 ) |
| kenjiArai | 0:5b88d5760320 | 2665 | { |
| kenjiArai | 0:5b88d5760320 | 2666 | /* |
| kenjiArai | 0:5b88d5760320 | 2667 | * New session, create a new session id, |
| kenjiArai | 0:5b88d5760320 | 2668 | * unless we're about to issue a session ticket |
| kenjiArai | 0:5b88d5760320 | 2669 | */ |
| kenjiArai | 0:5b88d5760320 | 2670 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 2671 | |
| kenjiArai | 0:5b88d5760320 | 2672 | #if defined(MBEDTLS_HAVE_TIME) |
| kenjiArai | 0:5b88d5760320 | 2673 | ssl->session_negotiate->start = mbedtls_time( NULL ); |
| kenjiArai | 0:5b88d5760320 | 2674 | #endif |
| kenjiArai | 0:5b88d5760320 | 2675 | |
| kenjiArai | 0:5b88d5760320 | 2676 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| kenjiArai | 0:5b88d5760320 | 2677 | if( ssl->handshake->new_session_ticket != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2678 | { |
| kenjiArai | 0:5b88d5760320 | 2679 | ssl->session_negotiate->id_len = n = 0; |
| kenjiArai | 0:5b88d5760320 | 2680 | memset( ssl->session_negotiate->id, 0, 32 ); |
| kenjiArai | 0:5b88d5760320 | 2681 | } |
| kenjiArai | 0:5b88d5760320 | 2682 | else |
| kenjiArai | 0:5b88d5760320 | 2683 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| kenjiArai | 0:5b88d5760320 | 2684 | { |
| kenjiArai | 0:5b88d5760320 | 2685 | ssl->session_negotiate->id_len = n = 32; |
| kenjiArai | 0:5b88d5760320 | 2686 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, |
| kenjiArai | 0:5b88d5760320 | 2687 | n ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2688 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 2689 | } |
| kenjiArai | 0:5b88d5760320 | 2690 | } |
| kenjiArai | 0:5b88d5760320 | 2691 | else |
| kenjiArai | 0:5b88d5760320 | 2692 | { |
| kenjiArai | 0:5b88d5760320 | 2693 | /* |
| kenjiArai | 0:5b88d5760320 | 2694 | * Resuming a session |
| kenjiArai | 0:5b88d5760320 | 2695 | */ |
| kenjiArai | 0:5b88d5760320 | 2696 | n = ssl->session_negotiate->id_len; |
| kenjiArai | 0:5b88d5760320 | 2697 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
| kenjiArai | 0:5b88d5760320 | 2698 | |
| kenjiArai | 0:5b88d5760320 | 2699 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2700 | { |
| kenjiArai | 0:5b88d5760320 | 2701 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); |
| kenjiArai | 0:5b88d5760320 | 2702 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 2703 | } |
| kenjiArai | 0:5b88d5760320 | 2704 | } |
| kenjiArai | 0:5b88d5760320 | 2705 | |
| kenjiArai | 0:5b88d5760320 | 2706 | /* |
| kenjiArai | 0:5b88d5760320 | 2707 | * 38 . 38 session id length |
| kenjiArai | 0:5b88d5760320 | 2708 | * 39 . 38+n session id |
| kenjiArai | 0:5b88d5760320 | 2709 | * 39+n . 40+n chosen ciphersuite |
| kenjiArai | 0:5b88d5760320 | 2710 | * 41+n . 41+n chosen compression alg. |
| kenjiArai | 0:5b88d5760320 | 2711 | * 42+n . 43+n extensions length |
| kenjiArai | 0:5b88d5760320 | 2712 | * 44+n . 43+n+m extensions |
| kenjiArai | 0:5b88d5760320 | 2713 | */ |
| kenjiArai | 0:5b88d5760320 | 2714 | *p++ = (unsigned char) ssl->session_negotiate->id_len; |
| kenjiArai | 0:5b88d5760320 | 2715 | memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); |
| kenjiArai | 0:5b88d5760320 | 2716 | p += ssl->session_negotiate->id_len; |
| kenjiArai | 0:5b88d5760320 | 2717 | |
| kenjiArai | 0:5b88d5760320 | 2718 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); |
| kenjiArai | 0:5b88d5760320 | 2719 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); |
| kenjiArai | 0:5b88d5760320 | 2720 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", |
| kenjiArai | 0:5b88d5760320 | 2721 | ssl->handshake->resume ? "a" : "no" ) ); |
| kenjiArai | 0:5b88d5760320 | 2722 | |
| kenjiArai | 0:5b88d5760320 | 2723 | *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); |
| kenjiArai | 0:5b88d5760320 | 2724 | *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); |
| kenjiArai | 0:5b88d5760320 | 2725 | *p++ = (unsigned char)( ssl->session_negotiate->compression ); |
| kenjiArai | 0:5b88d5760320 | 2726 | |
| kenjiArai | 0:5b88d5760320 | 2727 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", |
| kenjiArai | 0:5b88d5760320 | 2728 | mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); |
| kenjiArai | 0:5b88d5760320 | 2729 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", |
| kenjiArai | 0:5b88d5760320 | 2730 | ssl->session_negotiate->compression ) ); |
| kenjiArai | 0:5b88d5760320 | 2731 | |
| kenjiArai | 0:5b88d5760320 | 2732 | /* Do not write the extensions if the protocol is SSLv3 */ |
| kenjiArai | 0:5b88d5760320 | 2733 | #if defined(MBEDTLS_SSL_PROTO_SSL3) |
| kenjiArai | 0:5b88d5760320 | 2734 | if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) |
| kenjiArai | 0:5b88d5760320 | 2735 | { |
| kenjiArai | 0:5b88d5760320 | 2736 | #endif |
| kenjiArai | 0:5b88d5760320 | 2737 | |
| kenjiArai | 0:5b88d5760320 | 2738 | /* |
| kenjiArai | 0:5b88d5760320 | 2739 | * First write extensions, then the total length |
| kenjiArai | 0:5b88d5760320 | 2740 | */ |
| kenjiArai | 0:5b88d5760320 | 2741 | ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); |
| kenjiArai | 0:5b88d5760320 | 2742 | ext_len += olen; |
| kenjiArai | 0:5b88d5760320 | 2743 | |
| kenjiArai | 0:5b88d5760320 | 2744 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| kenjiArai | 0:5b88d5760320 | 2745 | ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); |
| kenjiArai | 0:5b88d5760320 | 2746 | ext_len += olen; |
| kenjiArai | 0:5b88d5760320 | 2747 | #endif |
| kenjiArai | 0:5b88d5760320 | 2748 | |
| kenjiArai | 0:5b88d5760320 | 2749 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
| kenjiArai | 0:5b88d5760320 | 2750 | ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); |
| kenjiArai | 0:5b88d5760320 | 2751 | ext_len += olen; |
| kenjiArai | 0:5b88d5760320 | 2752 | #endif |
| kenjiArai | 0:5b88d5760320 | 2753 | |
| kenjiArai | 0:5b88d5760320 | 2754 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| kenjiArai | 0:5b88d5760320 | 2755 | ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen ); |
| kenjiArai | 0:5b88d5760320 | 2756 | ext_len += olen; |
| kenjiArai | 0:5b88d5760320 | 2757 | #endif |
| kenjiArai | 0:5b88d5760320 | 2758 | |
| kenjiArai | 0:5b88d5760320 | 2759 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| kenjiArai | 0:5b88d5760320 | 2760 | ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); |
| kenjiArai | 0:5b88d5760320 | 2761 | ext_len += olen; |
| kenjiArai | 0:5b88d5760320 | 2762 | #endif |
| kenjiArai | 0:5b88d5760320 | 2763 | |
| kenjiArai | 0:5b88d5760320 | 2764 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| kenjiArai | 0:5b88d5760320 | 2765 | ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); |
| kenjiArai | 0:5b88d5760320 | 2766 | ext_len += olen; |
| kenjiArai | 0:5b88d5760320 | 2767 | #endif |
| kenjiArai | 0:5b88d5760320 | 2768 | |
| kenjiArai | 0:5b88d5760320 | 2769 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| kenjiArai | 0:5b88d5760320 | 2770 | ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); |
| kenjiArai | 0:5b88d5760320 | 2771 | ext_len += olen; |
| kenjiArai | 0:5b88d5760320 | 2772 | #endif |
| kenjiArai | 0:5b88d5760320 | 2773 | |
| kenjiArai | 0:5b88d5760320 | 2774 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| kenjiArai | 0:5b88d5760320 | 2775 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 2776 | if ( mbedtls_ssl_ciphersuite_uses_ec( |
| kenjiArai | 0:5b88d5760320 | 2777 | mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) ) |
| kenjiArai | 0:5b88d5760320 | 2778 | { |
| kenjiArai | 0:5b88d5760320 | 2779 | ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); |
| kenjiArai | 0:5b88d5760320 | 2780 | ext_len += olen; |
| kenjiArai | 0:5b88d5760320 | 2781 | } |
| kenjiArai | 0:5b88d5760320 | 2782 | #endif |
| kenjiArai | 0:5b88d5760320 | 2783 | |
| kenjiArai | 0:5b88d5760320 | 2784 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 2785 | ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); |
| kenjiArai | 0:5b88d5760320 | 2786 | ext_len += olen; |
| kenjiArai | 0:5b88d5760320 | 2787 | #endif |
| kenjiArai | 0:5b88d5760320 | 2788 | |
| kenjiArai | 0:5b88d5760320 | 2789 | #if defined(MBEDTLS_SSL_ALPN) |
| kenjiArai | 0:5b88d5760320 | 2790 | ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); |
| kenjiArai | 0:5b88d5760320 | 2791 | ext_len += olen; |
| kenjiArai | 0:5b88d5760320 | 2792 | #endif |
| kenjiArai | 0:5b88d5760320 | 2793 | |
| kenjiArai | 0:5b88d5760320 | 2794 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); |
| kenjiArai | 0:5b88d5760320 | 2795 | |
| kenjiArai | 0:5b88d5760320 | 2796 | if( ext_len > 0 ) |
| kenjiArai | 0:5b88d5760320 | 2797 | { |
| kenjiArai | 0:5b88d5760320 | 2798 | *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2799 | *p++ = (unsigned char)( ( ext_len ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 2800 | p += ext_len; |
| kenjiArai | 0:5b88d5760320 | 2801 | } |
| kenjiArai | 0:5b88d5760320 | 2802 | |
| kenjiArai | 0:5b88d5760320 | 2803 | #if defined(MBEDTLS_SSL_PROTO_SSL3) |
| kenjiArai | 0:5b88d5760320 | 2804 | } |
| kenjiArai | 0:5b88d5760320 | 2805 | #endif |
| kenjiArai | 0:5b88d5760320 | 2806 | |
| kenjiArai | 0:5b88d5760320 | 2807 | ssl->out_msglen = p - buf; |
| kenjiArai | 0:5b88d5760320 | 2808 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| kenjiArai | 0:5b88d5760320 | 2809 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; |
| kenjiArai | 0:5b88d5760320 | 2810 | |
| kenjiArai | 0:5b88d5760320 | 2811 | ret = mbedtls_ssl_write_handshake_msg( ssl ); |
| kenjiArai | 0:5b88d5760320 | 2812 | |
| kenjiArai | 0:5b88d5760320 | 2813 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); |
| kenjiArai | 0:5b88d5760320 | 2814 | |
| kenjiArai | 0:5b88d5760320 | 2815 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 2816 | } |
| kenjiArai | 0:5b88d5760320 | 2817 | |
| kenjiArai | 0:5b88d5760320 | 2818 | #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 2819 | static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 2820 | { |
| kenjiArai | 0:5b88d5760320 | 2821 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| kenjiArai | 0:5b88d5760320 | 2822 | ssl->handshake->ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 2823 | |
| kenjiArai | 0:5b88d5760320 | 2824 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); |
| kenjiArai | 0:5b88d5760320 | 2825 | |
| kenjiArai | 0:5b88d5760320 | 2826 | if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) |
| kenjiArai | 0:5b88d5760320 | 2827 | { |
| kenjiArai | 0:5b88d5760320 | 2828 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); |
| kenjiArai | 0:5b88d5760320 | 2829 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 2830 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 2831 | } |
| kenjiArai | 0:5b88d5760320 | 2832 | |
| kenjiArai | 0:5b88d5760320 | 2833 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| kenjiArai | 0:5b88d5760320 | 2834 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 2835 | } |
| kenjiArai | 0:5b88d5760320 | 2836 | #else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 2837 | static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 2838 | { |
| kenjiArai | 0:5b88d5760320 | 2839 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| kenjiArai | 0:5b88d5760320 | 2840 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| kenjiArai | 0:5b88d5760320 | 2841 | ssl->handshake->ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 2842 | size_t dn_size, total_dn_size; /* excluding length bytes */ |
| kenjiArai | 0:5b88d5760320 | 2843 | size_t ct_len, sa_len; /* including length bytes */ |
| kenjiArai | 0:5b88d5760320 | 2844 | unsigned char *buf, *p; |
| kenjiArai | 0:5b88d5760320 | 2845 | const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| kenjiArai | 0:5b88d5760320 | 2846 | const mbedtls_x509_crt *crt; |
| kenjiArai | 0:5b88d5760320 | 2847 | int authmode; |
| kenjiArai | 0:5b88d5760320 | 2848 | |
| kenjiArai | 0:5b88d5760320 | 2849 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); |
| kenjiArai | 0:5b88d5760320 | 2850 | |
| kenjiArai | 0:5b88d5760320 | 2851 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 2852 | |
| kenjiArai | 0:5b88d5760320 | 2853 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| kenjiArai | 0:5b88d5760320 | 2854 | if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) |
| kenjiArai | 0:5b88d5760320 | 2855 | authmode = ssl->handshake->sni_authmode; |
| kenjiArai | 0:5b88d5760320 | 2856 | else |
| kenjiArai | 0:5b88d5760320 | 2857 | #endif |
| kenjiArai | 0:5b88d5760320 | 2858 | authmode = ssl->conf->authmode; |
| kenjiArai | 0:5b88d5760320 | 2859 | |
| kenjiArai | 0:5b88d5760320 | 2860 | if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) || |
| kenjiArai | 0:5b88d5760320 | 2861 | authmode == MBEDTLS_SSL_VERIFY_NONE ) |
| kenjiArai | 0:5b88d5760320 | 2862 | { |
| kenjiArai | 0:5b88d5760320 | 2863 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); |
| kenjiArai | 0:5b88d5760320 | 2864 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 2865 | } |
| kenjiArai | 0:5b88d5760320 | 2866 | |
| kenjiArai | 0:5b88d5760320 | 2867 | /* |
| kenjiArai | 0:5b88d5760320 | 2868 | * 0 . 0 handshake type |
| kenjiArai | 0:5b88d5760320 | 2869 | * 1 . 3 handshake length |
| kenjiArai | 0:5b88d5760320 | 2870 | * 4 . 4 cert type count |
| kenjiArai | 0:5b88d5760320 | 2871 | * 5 .. m-1 cert types |
| kenjiArai | 0:5b88d5760320 | 2872 | * m .. m+1 sig alg length (TLS 1.2 only) |
| kenjiArai | 0:5b88d5760320 | 2873 | * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) |
| kenjiArai | 0:5b88d5760320 | 2874 | * n .. n+1 length of all DNs |
| kenjiArai | 0:5b88d5760320 | 2875 | * n+2 .. n+3 length of DN 1 |
| kenjiArai | 0:5b88d5760320 | 2876 | * n+4 .. ... Distinguished Name #1 |
| kenjiArai | 0:5b88d5760320 | 2877 | * ... .. ... length of DN 2, etc. |
| kenjiArai | 0:5b88d5760320 | 2878 | */ |
| kenjiArai | 0:5b88d5760320 | 2879 | buf = ssl->out_msg; |
| kenjiArai | 0:5b88d5760320 | 2880 | p = buf + 4; |
| kenjiArai | 0:5b88d5760320 | 2881 | |
| kenjiArai | 0:5b88d5760320 | 2882 | /* |
| kenjiArai | 0:5b88d5760320 | 2883 | * Supported certificate types |
| kenjiArai | 0:5b88d5760320 | 2884 | * |
| kenjiArai | 0:5b88d5760320 | 2885 | * ClientCertificateType certificate_types<1..2^8-1>; |
| kenjiArai | 0:5b88d5760320 | 2886 | * enum { (255) } ClientCertificateType; |
| kenjiArai | 0:5b88d5760320 | 2887 | */ |
| kenjiArai | 0:5b88d5760320 | 2888 | ct_len = 0; |
| kenjiArai | 0:5b88d5760320 | 2889 | |
| kenjiArai | 0:5b88d5760320 | 2890 | #if defined(MBEDTLS_RSA_C) |
| kenjiArai | 0:5b88d5760320 | 2891 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; |
| kenjiArai | 0:5b88d5760320 | 2892 | #endif |
| kenjiArai | 0:5b88d5760320 | 2893 | #if defined(MBEDTLS_ECDSA_C) |
| kenjiArai | 0:5b88d5760320 | 2894 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; |
| kenjiArai | 0:5b88d5760320 | 2895 | #endif |
| kenjiArai | 0:5b88d5760320 | 2896 | |
| kenjiArai | 0:5b88d5760320 | 2897 | p[0] = (unsigned char) ct_len++; |
| kenjiArai | 0:5b88d5760320 | 2898 | p += ct_len; |
| kenjiArai | 0:5b88d5760320 | 2899 | |
| kenjiArai | 0:5b88d5760320 | 2900 | sa_len = 0; |
| kenjiArai | 0:5b88d5760320 | 2901 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| kenjiArai | 0:5b88d5760320 | 2902 | /* |
| kenjiArai | 0:5b88d5760320 | 2903 | * Add signature_algorithms for verify (TLS 1.2) |
| kenjiArai | 0:5b88d5760320 | 2904 | * |
| kenjiArai | 0:5b88d5760320 | 2905 | * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; |
| kenjiArai | 0:5b88d5760320 | 2906 | * |
| kenjiArai | 0:5b88d5760320 | 2907 | * struct { |
| kenjiArai | 0:5b88d5760320 | 2908 | * HashAlgorithm hash; |
| kenjiArai | 0:5b88d5760320 | 2909 | * SignatureAlgorithm signature; |
| kenjiArai | 0:5b88d5760320 | 2910 | * } SignatureAndHashAlgorithm; |
| kenjiArai | 0:5b88d5760320 | 2911 | * |
| kenjiArai | 0:5b88d5760320 | 2912 | * enum { (255) } HashAlgorithm; |
| kenjiArai | 0:5b88d5760320 | 2913 | * enum { (255) } SignatureAlgorithm; |
| kenjiArai | 0:5b88d5760320 | 2914 | */ |
| kenjiArai | 0:5b88d5760320 | 2915 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
| kenjiArai | 0:5b88d5760320 | 2916 | { |
| kenjiArai | 0:5b88d5760320 | 2917 | const int *cur; |
| kenjiArai | 0:5b88d5760320 | 2918 | |
| kenjiArai | 0:5b88d5760320 | 2919 | /* |
| kenjiArai | 0:5b88d5760320 | 2920 | * Supported signature algorithms |
| kenjiArai | 0:5b88d5760320 | 2921 | */ |
| kenjiArai | 0:5b88d5760320 | 2922 | for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) |
| kenjiArai | 0:5b88d5760320 | 2923 | { |
| kenjiArai | 0:5b88d5760320 | 2924 | unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur ); |
| kenjiArai | 0:5b88d5760320 | 2925 | |
| kenjiArai | 0:5b88d5760320 | 2926 | if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) ) |
| kenjiArai | 0:5b88d5760320 | 2927 | continue; |
| kenjiArai | 0:5b88d5760320 | 2928 | |
| kenjiArai | 0:5b88d5760320 | 2929 | #if defined(MBEDTLS_RSA_C) |
| kenjiArai | 0:5b88d5760320 | 2930 | p[2 + sa_len++] = hash; |
| kenjiArai | 0:5b88d5760320 | 2931 | p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA; |
| kenjiArai | 0:5b88d5760320 | 2932 | #endif |
| kenjiArai | 0:5b88d5760320 | 2933 | #if defined(MBEDTLS_ECDSA_C) |
| kenjiArai | 0:5b88d5760320 | 2934 | p[2 + sa_len++] = hash; |
| kenjiArai | 0:5b88d5760320 | 2935 | p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA; |
| kenjiArai | 0:5b88d5760320 | 2936 | #endif |
| kenjiArai | 0:5b88d5760320 | 2937 | } |
| kenjiArai | 0:5b88d5760320 | 2938 | |
| kenjiArai | 0:5b88d5760320 | 2939 | p[0] = (unsigned char)( sa_len >> 8 ); |
| kenjiArai | 0:5b88d5760320 | 2940 | p[1] = (unsigned char)( sa_len ); |
| kenjiArai | 0:5b88d5760320 | 2941 | sa_len += 2; |
| kenjiArai | 0:5b88d5760320 | 2942 | p += sa_len; |
| kenjiArai | 0:5b88d5760320 | 2943 | } |
| kenjiArai | 0:5b88d5760320 | 2944 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| kenjiArai | 0:5b88d5760320 | 2945 | |
| kenjiArai | 0:5b88d5760320 | 2946 | /* |
| kenjiArai | 0:5b88d5760320 | 2947 | * DistinguishedName certificate_authorities<0..2^16-1>; |
| kenjiArai | 0:5b88d5760320 | 2948 | * opaque DistinguishedName<1..2^16-1>; |
| kenjiArai | 0:5b88d5760320 | 2949 | */ |
| kenjiArai | 0:5b88d5760320 | 2950 | p += 2; |
| kenjiArai | 0:5b88d5760320 | 2951 | |
| kenjiArai | 0:5b88d5760320 | 2952 | total_dn_size = 0; |
| kenjiArai | 0:5b88d5760320 | 2953 | |
| kenjiArai | 0:5b88d5760320 | 2954 | if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED ) |
| kenjiArai | 0:5b88d5760320 | 2955 | { |
| kenjiArai | 0:5b88d5760320 | 2956 | /* NOTE: If trusted certificates are provisioned |
| kenjiArai | 0:5b88d5760320 | 2957 | * via a CA callback (configured through |
| kenjiArai | 0:5b88d5760320 | 2958 | * `mbedtls_ssl_conf_ca_cb()`, then the |
| kenjiArai | 0:5b88d5760320 | 2959 | * CertificateRequest is currently left empty. */ |
| kenjiArai | 0:5b88d5760320 | 2960 | |
| kenjiArai | 0:5b88d5760320 | 2961 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| kenjiArai | 0:5b88d5760320 | 2962 | if( ssl->handshake->sni_ca_chain != NULL ) |
| kenjiArai | 0:5b88d5760320 | 2963 | crt = ssl->handshake->sni_ca_chain; |
| kenjiArai | 0:5b88d5760320 | 2964 | else |
| kenjiArai | 0:5b88d5760320 | 2965 | #endif |
| kenjiArai | 0:5b88d5760320 | 2966 | crt = ssl->conf->ca_chain; |
| kenjiArai | 0:5b88d5760320 | 2967 | |
| kenjiArai | 0:5b88d5760320 | 2968 | while( crt != NULL && crt->version != 0 ) |
| kenjiArai | 0:5b88d5760320 | 2969 | { |
| kenjiArai | 0:5b88d5760320 | 2970 | dn_size = crt->subject_raw.len; |
| kenjiArai | 0:5b88d5760320 | 2971 | |
| kenjiArai | 0:5b88d5760320 | 2972 | if( end < p || |
| kenjiArai | 0:5b88d5760320 | 2973 | (size_t)( end - p ) < dn_size || |
| kenjiArai | 0:5b88d5760320 | 2974 | (size_t)( end - p ) < 2 + dn_size ) |
| kenjiArai | 0:5b88d5760320 | 2975 | { |
| kenjiArai | 0:5b88d5760320 | 2976 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); |
| kenjiArai | 0:5b88d5760320 | 2977 | break; |
| kenjiArai | 0:5b88d5760320 | 2978 | } |
| kenjiArai | 0:5b88d5760320 | 2979 | |
| kenjiArai | 0:5b88d5760320 | 2980 | *p++ = (unsigned char)( dn_size >> 8 ); |
| kenjiArai | 0:5b88d5760320 | 2981 | *p++ = (unsigned char)( dn_size ); |
| kenjiArai | 0:5b88d5760320 | 2982 | memcpy( p, crt->subject_raw.p, dn_size ); |
| kenjiArai | 0:5b88d5760320 | 2983 | p += dn_size; |
| kenjiArai | 0:5b88d5760320 | 2984 | |
| kenjiArai | 0:5b88d5760320 | 2985 | MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size ); |
| kenjiArai | 0:5b88d5760320 | 2986 | |
| kenjiArai | 0:5b88d5760320 | 2987 | total_dn_size += 2 + dn_size; |
| kenjiArai | 0:5b88d5760320 | 2988 | crt = crt->next; |
| kenjiArai | 0:5b88d5760320 | 2989 | } |
| kenjiArai | 0:5b88d5760320 | 2990 | } |
| kenjiArai | 0:5b88d5760320 | 2991 | |
| kenjiArai | 0:5b88d5760320 | 2992 | ssl->out_msglen = p - buf; |
| kenjiArai | 0:5b88d5760320 | 2993 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| kenjiArai | 0:5b88d5760320 | 2994 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; |
| kenjiArai | 0:5b88d5760320 | 2995 | ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 ); |
| kenjiArai | 0:5b88d5760320 | 2996 | ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size ); |
| kenjiArai | 0:5b88d5760320 | 2997 | |
| kenjiArai | 0:5b88d5760320 | 2998 | ret = mbedtls_ssl_write_handshake_msg( ssl ); |
| kenjiArai | 0:5b88d5760320 | 2999 | |
| kenjiArai | 0:5b88d5760320 | 3000 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); |
| kenjiArai | 0:5b88d5760320 | 3001 | |
| kenjiArai | 0:5b88d5760320 | 3002 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3003 | } |
| kenjiArai | 0:5b88d5760320 | 3004 | #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3005 | |
| kenjiArai | 0:5b88d5760320 | 3006 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| kenjiArai | 0:5b88d5760320 | 3007 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3008 | static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 3009 | { |
| kenjiArai | 0:5b88d5760320 | 3010 | int ret; |
| kenjiArai | 0:5b88d5760320 | 3011 | |
| kenjiArai | 0:5b88d5760320 | 3012 | if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) ) |
| kenjiArai | 0:5b88d5760320 | 3013 | { |
| kenjiArai | 0:5b88d5760320 | 3014 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); |
| kenjiArai | 0:5b88d5760320 | 3015 | return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); |
| kenjiArai | 0:5b88d5760320 | 3016 | } |
| kenjiArai | 0:5b88d5760320 | 3017 | |
| kenjiArai | 0:5b88d5760320 | 3018 | if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, |
| kenjiArai | 0:5b88d5760320 | 3019 | mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ), |
| kenjiArai | 0:5b88d5760320 | 3020 | MBEDTLS_ECDH_OURS ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3021 | { |
| kenjiArai | 0:5b88d5760320 | 3022 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); |
| kenjiArai | 0:5b88d5760320 | 3023 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3024 | } |
| kenjiArai | 0:5b88d5760320 | 3025 | |
| kenjiArai | 0:5b88d5760320 | 3026 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 3027 | } |
| kenjiArai | 0:5b88d5760320 | 3028 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || |
| kenjiArai | 0:5b88d5760320 | 3029 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3030 | |
| kenjiArai | 0:5b88d5760320 | 3031 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \ |
| kenjiArai | 0:5b88d5760320 | 3032 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| kenjiArai | 0:5b88d5760320 | 3033 | static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 3034 | size_t *signature_len ) |
| kenjiArai | 0:5b88d5760320 | 3035 | { |
| kenjiArai | 0:5b88d5760320 | 3036 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the |
| kenjiArai | 0:5b88d5760320 | 3037 | * signature length which will be added in ssl_write_server_key_exchange |
| kenjiArai | 0:5b88d5760320 | 3038 | * after the call to ssl_prepare_server_key_exchange. |
| kenjiArai | 0:5b88d5760320 | 3039 | * ssl_write_server_key_exchange also takes care of incrementing |
| kenjiArai | 0:5b88d5760320 | 3040 | * ssl->out_msglen. */ |
| kenjiArai | 0:5b88d5760320 | 3041 | unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2; |
| kenjiArai | 0:5b88d5760320 | 3042 | size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN |
| kenjiArai | 0:5b88d5760320 | 3043 | - sig_start ); |
| kenjiArai | 0:5b88d5760320 | 3044 | int ret = ssl->conf->f_async_resume( ssl, |
| kenjiArai | 0:5b88d5760320 | 3045 | sig_start, signature_len, sig_max_len ); |
| kenjiArai | 0:5b88d5760320 | 3046 | if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) |
| kenjiArai | 0:5b88d5760320 | 3047 | { |
| kenjiArai | 0:5b88d5760320 | 3048 | ssl->handshake->async_in_progress = 0; |
| kenjiArai | 0:5b88d5760320 | 3049 | mbedtls_ssl_set_async_operation_data( ssl, NULL ); |
| kenjiArai | 0:5b88d5760320 | 3050 | } |
| kenjiArai | 0:5b88d5760320 | 3051 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret ); |
| kenjiArai | 0:5b88d5760320 | 3052 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3053 | } |
| kenjiArai | 0:5b88d5760320 | 3054 | #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && |
| kenjiArai | 0:5b88d5760320 | 3055 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ |
| kenjiArai | 0:5b88d5760320 | 3056 | |
| kenjiArai | 0:5b88d5760320 | 3057 | /* Prepare the ServerKeyExchange message, up to and including |
| kenjiArai | 0:5b88d5760320 | 3058 | * calculating the signature if any, but excluding formatting the |
| kenjiArai | 0:5b88d5760320 | 3059 | * signature and sending the message. */ |
| kenjiArai | 0:5b88d5760320 | 3060 | static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 3061 | size_t *signature_len ) |
| kenjiArai | 0:5b88d5760320 | 3062 | { |
| kenjiArai | 0:5b88d5760320 | 3063 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| kenjiArai | 0:5b88d5760320 | 3064 | ssl->handshake->ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 3065 | |
| kenjiArai | 0:5b88d5760320 | 3066 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3067 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3068 | unsigned char *dig_signed = NULL; |
| kenjiArai | 0:5b88d5760320 | 3069 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3070 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3071 | |
| kenjiArai | 0:5b88d5760320 | 3072 | (void) ciphersuite_info; /* unused in some configurations */ |
| kenjiArai | 0:5b88d5760320 | 3073 | #if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3074 | (void) signature_len; |
| kenjiArai | 0:5b88d5760320 | 3075 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3076 | |
| kenjiArai | 0:5b88d5760320 | 3077 | ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */ |
| kenjiArai | 0:5b88d5760320 | 3078 | |
| kenjiArai | 0:5b88d5760320 | 3079 | /* |
| kenjiArai | 0:5b88d5760320 | 3080 | * |
| kenjiArai | 0:5b88d5760320 | 3081 | * Part 1: Provide key exchange parameters for chosen ciphersuite. |
| kenjiArai | 0:5b88d5760320 | 3082 | * |
| kenjiArai | 0:5b88d5760320 | 3083 | */ |
| kenjiArai | 0:5b88d5760320 | 3084 | |
| kenjiArai | 0:5b88d5760320 | 3085 | /* |
| kenjiArai | 0:5b88d5760320 | 3086 | * - ECJPAKE key exchanges |
| kenjiArai | 0:5b88d5760320 | 3087 | */ |
| kenjiArai | 0:5b88d5760320 | 3088 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3089 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
| kenjiArai | 0:5b88d5760320 | 3090 | { |
| kenjiArai | 0:5b88d5760320 | 3091 | int ret; |
| kenjiArai | 0:5b88d5760320 | 3092 | size_t len = 0; |
| kenjiArai | 0:5b88d5760320 | 3093 | |
| kenjiArai | 0:5b88d5760320 | 3094 | ret = mbedtls_ecjpake_write_round_two( |
| kenjiArai | 0:5b88d5760320 | 3095 | &ssl->handshake->ecjpake_ctx, |
| kenjiArai | 0:5b88d5760320 | 3096 | ssl->out_msg + ssl->out_msglen, |
| kenjiArai | 0:5b88d5760320 | 3097 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len, |
| kenjiArai | 0:5b88d5760320 | 3098 | ssl->conf->f_rng, ssl->conf->p_rng ); |
| kenjiArai | 0:5b88d5760320 | 3099 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3100 | { |
| kenjiArai | 0:5b88d5760320 | 3101 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); |
| kenjiArai | 0:5b88d5760320 | 3102 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3103 | } |
| kenjiArai | 0:5b88d5760320 | 3104 | |
| kenjiArai | 0:5b88d5760320 | 3105 | ssl->out_msglen += len; |
| kenjiArai | 0:5b88d5760320 | 3106 | } |
| kenjiArai | 0:5b88d5760320 | 3107 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3108 | |
| kenjiArai | 0:5b88d5760320 | 3109 | /* |
| kenjiArai | 0:5b88d5760320 | 3110 | * For (EC)DHE key exchanges with PSK, parameters are prefixed by support |
| kenjiArai | 0:5b88d5760320 | 3111 | * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, |
| kenjiArai | 0:5b88d5760320 | 3112 | * we use empty support identity hints here. |
| kenjiArai | 0:5b88d5760320 | 3113 | **/ |
| kenjiArai | 0:5b88d5760320 | 3114 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ |
| kenjiArai | 0:5b88d5760320 | 3115 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3116 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| kenjiArai | 0:5b88d5760320 | 3117 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) |
| kenjiArai | 0:5b88d5760320 | 3118 | { |
| kenjiArai | 0:5b88d5760320 | 3119 | ssl->out_msg[ssl->out_msglen++] = 0x00; |
| kenjiArai | 0:5b88d5760320 | 3120 | ssl->out_msg[ssl->out_msglen++] = 0x00; |
| kenjiArai | 0:5b88d5760320 | 3121 | } |
| kenjiArai | 0:5b88d5760320 | 3122 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || |
| kenjiArai | 0:5b88d5760320 | 3123 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3124 | |
| kenjiArai | 0:5b88d5760320 | 3125 | /* |
| kenjiArai | 0:5b88d5760320 | 3126 | * - DHE key exchanges |
| kenjiArai | 0:5b88d5760320 | 3127 | */ |
| kenjiArai | 0:5b88d5760320 | 3128 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3129 | if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) ) |
| kenjiArai | 0:5b88d5760320 | 3130 | { |
| kenjiArai | 0:5b88d5760320 | 3131 | int ret; |
| kenjiArai | 0:5b88d5760320 | 3132 | size_t len = 0; |
| kenjiArai | 0:5b88d5760320 | 3133 | |
| kenjiArai | 0:5b88d5760320 | 3134 | if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL ) |
| kenjiArai | 0:5b88d5760320 | 3135 | { |
| kenjiArai | 0:5b88d5760320 | 3136 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) ); |
| kenjiArai | 0:5b88d5760320 | 3137 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| kenjiArai | 0:5b88d5760320 | 3138 | } |
| kenjiArai | 0:5b88d5760320 | 3139 | |
| kenjiArai | 0:5b88d5760320 | 3140 | /* |
| kenjiArai | 0:5b88d5760320 | 3141 | * Ephemeral DH parameters: |
| kenjiArai | 0:5b88d5760320 | 3142 | * |
| kenjiArai | 0:5b88d5760320 | 3143 | * struct { |
| kenjiArai | 0:5b88d5760320 | 3144 | * opaque dh_p<1..2^16-1>; |
| kenjiArai | 0:5b88d5760320 | 3145 | * opaque dh_g<1..2^16-1>; |
| kenjiArai | 0:5b88d5760320 | 3146 | * opaque dh_Ys<1..2^16-1>; |
| kenjiArai | 0:5b88d5760320 | 3147 | * } ServerDHParams; |
| kenjiArai | 0:5b88d5760320 | 3148 | */ |
| kenjiArai | 0:5b88d5760320 | 3149 | if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx, |
| kenjiArai | 0:5b88d5760320 | 3150 | &ssl->conf->dhm_P, |
| kenjiArai | 0:5b88d5760320 | 3151 | &ssl->conf->dhm_G ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3152 | { |
| kenjiArai | 0:5b88d5760320 | 3153 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret ); |
| kenjiArai | 0:5b88d5760320 | 3154 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3155 | } |
| kenjiArai | 0:5b88d5760320 | 3156 | |
| kenjiArai | 0:5b88d5760320 | 3157 | if( ( ret = mbedtls_dhm_make_params( |
| kenjiArai | 0:5b88d5760320 | 3158 | &ssl->handshake->dhm_ctx, |
| kenjiArai | 0:5b88d5760320 | 3159 | (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), |
| kenjiArai | 0:5b88d5760320 | 3160 | ssl->out_msg + ssl->out_msglen, &len, |
| kenjiArai | 0:5b88d5760320 | 3161 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3162 | { |
| kenjiArai | 0:5b88d5760320 | 3163 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret ); |
| kenjiArai | 0:5b88d5760320 | 3164 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3165 | } |
| kenjiArai | 0:5b88d5760320 | 3166 | |
| kenjiArai | 0:5b88d5760320 | 3167 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3168 | dig_signed = ssl->out_msg + ssl->out_msglen; |
| kenjiArai | 0:5b88d5760320 | 3169 | #endif |
| kenjiArai | 0:5b88d5760320 | 3170 | |
| kenjiArai | 0:5b88d5760320 | 3171 | ssl->out_msglen += len; |
| kenjiArai | 0:5b88d5760320 | 3172 | |
| kenjiArai | 0:5b88d5760320 | 3173 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); |
| kenjiArai | 0:5b88d5760320 | 3174 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); |
| kenjiArai | 0:5b88d5760320 | 3175 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); |
| kenjiArai | 0:5b88d5760320 | 3176 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); |
| kenjiArai | 0:5b88d5760320 | 3177 | } |
| kenjiArai | 0:5b88d5760320 | 3178 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3179 | |
| kenjiArai | 0:5b88d5760320 | 3180 | /* |
| kenjiArai | 0:5b88d5760320 | 3181 | * - ECDHE key exchanges |
| kenjiArai | 0:5b88d5760320 | 3182 | */ |
| kenjiArai | 0:5b88d5760320 | 3183 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3184 | if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) ) |
| kenjiArai | 0:5b88d5760320 | 3185 | { |
| kenjiArai | 0:5b88d5760320 | 3186 | /* |
| kenjiArai | 0:5b88d5760320 | 3187 | * Ephemeral ECDH parameters: |
| kenjiArai | 0:5b88d5760320 | 3188 | * |
| kenjiArai | 0:5b88d5760320 | 3189 | * struct { |
| kenjiArai | 0:5b88d5760320 | 3190 | * ECParameters curve_params; |
| kenjiArai | 0:5b88d5760320 | 3191 | * ECPoint public; |
| kenjiArai | 0:5b88d5760320 | 3192 | * } ServerECDHParams; |
| kenjiArai | 0:5b88d5760320 | 3193 | */ |
| kenjiArai | 0:5b88d5760320 | 3194 | const mbedtls_ecp_curve_info **curve = NULL; |
| kenjiArai | 0:5b88d5760320 | 3195 | const mbedtls_ecp_group_id *gid; |
| kenjiArai | 0:5b88d5760320 | 3196 | int ret; |
| kenjiArai | 0:5b88d5760320 | 3197 | size_t len = 0; |
| kenjiArai | 0:5b88d5760320 | 3198 | |
| kenjiArai | 0:5b88d5760320 | 3199 | /* Match our preference list against the offered curves */ |
| kenjiArai | 0:5b88d5760320 | 3200 | for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) |
| kenjiArai | 0:5b88d5760320 | 3201 | for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) |
| kenjiArai | 0:5b88d5760320 | 3202 | if( (*curve)->grp_id == *gid ) |
| kenjiArai | 0:5b88d5760320 | 3203 | goto curve_matching_done; |
| kenjiArai | 0:5b88d5760320 | 3204 | |
| kenjiArai | 0:5b88d5760320 | 3205 | curve_matching_done: |
| kenjiArai | 0:5b88d5760320 | 3206 | if( curve == NULL || *curve == NULL ) |
| kenjiArai | 0:5b88d5760320 | 3207 | { |
| kenjiArai | 0:5b88d5760320 | 3208 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); |
| kenjiArai | 0:5b88d5760320 | 3209 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); |
| kenjiArai | 0:5b88d5760320 | 3210 | } |
| kenjiArai | 0:5b88d5760320 | 3211 | |
| kenjiArai | 0:5b88d5760320 | 3212 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); |
| kenjiArai | 0:5b88d5760320 | 3213 | |
| kenjiArai | 0:5b88d5760320 | 3214 | if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx, |
| kenjiArai | 0:5b88d5760320 | 3215 | (*curve)->grp_id ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3216 | { |
| kenjiArai | 0:5b88d5760320 | 3217 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); |
| kenjiArai | 0:5b88d5760320 | 3218 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3219 | } |
| kenjiArai | 0:5b88d5760320 | 3220 | |
| kenjiArai | 0:5b88d5760320 | 3221 | if( ( ret = mbedtls_ecdh_make_params( |
| kenjiArai | 0:5b88d5760320 | 3222 | &ssl->handshake->ecdh_ctx, &len, |
| kenjiArai | 0:5b88d5760320 | 3223 | ssl->out_msg + ssl->out_msglen, |
| kenjiArai | 0:5b88d5760320 | 3224 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, |
| kenjiArai | 0:5b88d5760320 | 3225 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3226 | { |
| kenjiArai | 0:5b88d5760320 | 3227 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); |
| kenjiArai | 0:5b88d5760320 | 3228 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3229 | } |
| kenjiArai | 0:5b88d5760320 | 3230 | |
| kenjiArai | 0:5b88d5760320 | 3231 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3232 | dig_signed = ssl->out_msg + ssl->out_msglen; |
| kenjiArai | 0:5b88d5760320 | 3233 | #endif |
| kenjiArai | 0:5b88d5760320 | 3234 | |
| kenjiArai | 0:5b88d5760320 | 3235 | ssl->out_msglen += len; |
| kenjiArai | 0:5b88d5760320 | 3236 | |
| kenjiArai | 0:5b88d5760320 | 3237 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
| kenjiArai | 0:5b88d5760320 | 3238 | MBEDTLS_DEBUG_ECDH_Q ); |
| kenjiArai | 0:5b88d5760320 | 3239 | } |
| kenjiArai | 0:5b88d5760320 | 3240 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3241 | |
| kenjiArai | 0:5b88d5760320 | 3242 | /* |
| kenjiArai | 0:5b88d5760320 | 3243 | * |
| kenjiArai | 0:5b88d5760320 | 3244 | * Part 2: For key exchanges involving the server signing the |
| kenjiArai | 0:5b88d5760320 | 3245 | * exchange parameters, compute and add the signature here. |
| kenjiArai | 0:5b88d5760320 | 3246 | * |
| kenjiArai | 0:5b88d5760320 | 3247 | */ |
| kenjiArai | 0:5b88d5760320 | 3248 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3249 | if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) |
| kenjiArai | 0:5b88d5760320 | 3250 | { |
| kenjiArai | 0:5b88d5760320 | 3251 | size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed; |
| kenjiArai | 0:5b88d5760320 | 3252 | size_t hashlen = 0; |
| kenjiArai | 0:5b88d5760320 | 3253 | unsigned char hash[MBEDTLS_MD_MAX_SIZE]; |
| kenjiArai | 0:5b88d5760320 | 3254 | int ret; |
| kenjiArai | 0:5b88d5760320 | 3255 | |
| kenjiArai | 0:5b88d5760320 | 3256 | /* |
| kenjiArai | 0:5b88d5760320 | 3257 | * 2.1: Choose hash algorithm: |
| kenjiArai | 0:5b88d5760320 | 3258 | * A: For TLS 1.2, obey signature-hash-algorithm extension |
| kenjiArai | 0:5b88d5760320 | 3259 | * to choose appropriate hash. |
| kenjiArai | 0:5b88d5760320 | 3260 | * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1 |
| kenjiArai | 0:5b88d5760320 | 3261 | * (RFC 4492, Sec. 5.4) |
| kenjiArai | 0:5b88d5760320 | 3262 | * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3) |
| kenjiArai | 0:5b88d5760320 | 3263 | */ |
| kenjiArai | 0:5b88d5760320 | 3264 | |
| kenjiArai | 0:5b88d5760320 | 3265 | mbedtls_md_type_t md_alg; |
| kenjiArai | 0:5b88d5760320 | 3266 | |
| kenjiArai | 0:5b88d5760320 | 3267 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| kenjiArai | 0:5b88d5760320 | 3268 | mbedtls_pk_type_t sig_alg = |
| kenjiArai | 0:5b88d5760320 | 3269 | mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); |
| kenjiArai | 0:5b88d5760320 | 3270 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
| kenjiArai | 0:5b88d5760320 | 3271 | { |
| kenjiArai | 0:5b88d5760320 | 3272 | /* A: For TLS 1.2, obey signature-hash-algorithm extension |
| kenjiArai | 0:5b88d5760320 | 3273 | * (RFC 5246, Sec. 7.4.1.4.1). */ |
| kenjiArai | 0:5b88d5760320 | 3274 | if( sig_alg == MBEDTLS_PK_NONE || |
| kenjiArai | 0:5b88d5760320 | 3275 | ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, |
| kenjiArai | 0:5b88d5760320 | 3276 | sig_alg ) ) == MBEDTLS_MD_NONE ) |
| kenjiArai | 0:5b88d5760320 | 3277 | { |
| kenjiArai | 0:5b88d5760320 | 3278 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| kenjiArai | 0:5b88d5760320 | 3279 | /* (... because we choose a cipher suite |
| kenjiArai | 0:5b88d5760320 | 3280 | * only if there is a matching hash.) */ |
| kenjiArai | 0:5b88d5760320 | 3281 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 3282 | } |
| kenjiArai | 0:5b88d5760320 | 3283 | } |
| kenjiArai | 0:5b88d5760320 | 3284 | else |
| kenjiArai | 0:5b88d5760320 | 3285 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| kenjiArai | 0:5b88d5760320 | 3286 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
| kenjiArai | 0:5b88d5760320 | 3287 | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
| kenjiArai | 0:5b88d5760320 | 3288 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) |
| kenjiArai | 0:5b88d5760320 | 3289 | { |
| kenjiArai | 0:5b88d5760320 | 3290 | /* B: Default hash SHA1 */ |
| kenjiArai | 0:5b88d5760320 | 3291 | md_alg = MBEDTLS_MD_SHA1; |
| kenjiArai | 0:5b88d5760320 | 3292 | } |
| kenjiArai | 0:5b88d5760320 | 3293 | else |
| kenjiArai | 0:5b88d5760320 | 3294 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ |
| kenjiArai | 0:5b88d5760320 | 3295 | MBEDTLS_SSL_PROTO_TLS1_1 */ |
| kenjiArai | 0:5b88d5760320 | 3296 | { |
| kenjiArai | 0:5b88d5760320 | 3297 | /* C: MD5 + SHA1 */ |
| kenjiArai | 0:5b88d5760320 | 3298 | md_alg = MBEDTLS_MD_NONE; |
| kenjiArai | 0:5b88d5760320 | 3299 | } |
| kenjiArai | 0:5b88d5760320 | 3300 | |
| kenjiArai | 0:5b88d5760320 | 3301 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) ); |
| kenjiArai | 0:5b88d5760320 | 3302 | |
| kenjiArai | 0:5b88d5760320 | 3303 | /* |
| kenjiArai | 0:5b88d5760320 | 3304 | * 2.2: Compute the hash to be signed |
| kenjiArai | 0:5b88d5760320 | 3305 | */ |
| kenjiArai | 0:5b88d5760320 | 3306 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
| kenjiArai | 0:5b88d5760320 | 3307 | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
| kenjiArai | 0:5b88d5760320 | 3308 | if( md_alg == MBEDTLS_MD_NONE ) |
| kenjiArai | 0:5b88d5760320 | 3309 | { |
| kenjiArai | 0:5b88d5760320 | 3310 | hashlen = 36; |
| kenjiArai | 0:5b88d5760320 | 3311 | ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, |
| kenjiArai | 0:5b88d5760320 | 3312 | dig_signed, |
| kenjiArai | 0:5b88d5760320 | 3313 | dig_signed_len ); |
| kenjiArai | 0:5b88d5760320 | 3314 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3315 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3316 | } |
| kenjiArai | 0:5b88d5760320 | 3317 | else |
| kenjiArai | 0:5b88d5760320 | 3318 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ |
| kenjiArai | 0:5b88d5760320 | 3319 | MBEDTLS_SSL_PROTO_TLS1_1 */ |
| kenjiArai | 0:5b88d5760320 | 3320 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
| kenjiArai | 0:5b88d5760320 | 3321 | defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| kenjiArai | 0:5b88d5760320 | 3322 | if( md_alg != MBEDTLS_MD_NONE ) |
| kenjiArai | 0:5b88d5760320 | 3323 | { |
| kenjiArai | 0:5b88d5760320 | 3324 | ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, |
| kenjiArai | 0:5b88d5760320 | 3325 | dig_signed, |
| kenjiArai | 0:5b88d5760320 | 3326 | dig_signed_len, |
| kenjiArai | 0:5b88d5760320 | 3327 | md_alg ); |
| kenjiArai | 0:5b88d5760320 | 3328 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3329 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3330 | } |
| kenjiArai | 0:5b88d5760320 | 3331 | else |
| kenjiArai | 0:5b88d5760320 | 3332 | #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ |
| kenjiArai | 0:5b88d5760320 | 3333 | MBEDTLS_SSL_PROTO_TLS1_2 */ |
| kenjiArai | 0:5b88d5760320 | 3334 | { |
| kenjiArai | 0:5b88d5760320 | 3335 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| kenjiArai | 0:5b88d5760320 | 3336 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 3337 | } |
| kenjiArai | 0:5b88d5760320 | 3338 | |
| kenjiArai | 0:5b88d5760320 | 3339 | MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen ); |
| kenjiArai | 0:5b88d5760320 | 3340 | |
| kenjiArai | 0:5b88d5760320 | 3341 | /* |
| kenjiArai | 0:5b88d5760320 | 3342 | * 2.3: Compute and add the signature |
| kenjiArai | 0:5b88d5760320 | 3343 | */ |
| kenjiArai | 0:5b88d5760320 | 3344 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| kenjiArai | 0:5b88d5760320 | 3345 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
| kenjiArai | 0:5b88d5760320 | 3346 | { |
| kenjiArai | 0:5b88d5760320 | 3347 | /* |
| kenjiArai | 0:5b88d5760320 | 3348 | * For TLS 1.2, we need to specify signature and hash algorithm |
| kenjiArai | 0:5b88d5760320 | 3349 | * explicitly through a prefix to the signature. |
| kenjiArai | 0:5b88d5760320 | 3350 | * |
| kenjiArai | 0:5b88d5760320 | 3351 | * struct { |
| kenjiArai | 0:5b88d5760320 | 3352 | * HashAlgorithm hash; |
| kenjiArai | 0:5b88d5760320 | 3353 | * SignatureAlgorithm signature; |
| kenjiArai | 0:5b88d5760320 | 3354 | * } SignatureAndHashAlgorithm; |
| kenjiArai | 0:5b88d5760320 | 3355 | * |
| kenjiArai | 0:5b88d5760320 | 3356 | * struct { |
| kenjiArai | 0:5b88d5760320 | 3357 | * SignatureAndHashAlgorithm algorithm; |
| kenjiArai | 0:5b88d5760320 | 3358 | * opaque signature<0..2^16-1>; |
| kenjiArai | 0:5b88d5760320 | 3359 | * } DigitallySigned; |
| kenjiArai | 0:5b88d5760320 | 3360 | * |
| kenjiArai | 0:5b88d5760320 | 3361 | */ |
| kenjiArai | 0:5b88d5760320 | 3362 | |
| kenjiArai | 0:5b88d5760320 | 3363 | ssl->out_msg[ssl->out_msglen++] = |
| kenjiArai | 0:5b88d5760320 | 3364 | mbedtls_ssl_hash_from_md_alg( md_alg ); |
| kenjiArai | 0:5b88d5760320 | 3365 | ssl->out_msg[ssl->out_msglen++] = |
| kenjiArai | 0:5b88d5760320 | 3366 | mbedtls_ssl_sig_from_pk_alg( sig_alg ); |
| kenjiArai | 0:5b88d5760320 | 3367 | } |
| kenjiArai | 0:5b88d5760320 | 3368 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| kenjiArai | 0:5b88d5760320 | 3369 | |
| kenjiArai | 0:5b88d5760320 | 3370 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| kenjiArai | 0:5b88d5760320 | 3371 | if( ssl->conf->f_async_sign_start != NULL ) |
| kenjiArai | 0:5b88d5760320 | 3372 | { |
| kenjiArai | 0:5b88d5760320 | 3373 | ret = ssl->conf->f_async_sign_start( ssl, |
| kenjiArai | 0:5b88d5760320 | 3374 | mbedtls_ssl_own_cert( ssl ), |
| kenjiArai | 0:5b88d5760320 | 3375 | md_alg, hash, hashlen ); |
| kenjiArai | 0:5b88d5760320 | 3376 | switch( ret ) |
| kenjiArai | 0:5b88d5760320 | 3377 | { |
| kenjiArai | 0:5b88d5760320 | 3378 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: |
| kenjiArai | 0:5b88d5760320 | 3379 | /* act as if f_async_sign was null */ |
| kenjiArai | 0:5b88d5760320 | 3380 | break; |
| kenjiArai | 0:5b88d5760320 | 3381 | case 0: |
| kenjiArai | 0:5b88d5760320 | 3382 | ssl->handshake->async_in_progress = 1; |
| kenjiArai | 0:5b88d5760320 | 3383 | return( ssl_resume_server_key_exchange( ssl, signature_len ) ); |
| kenjiArai | 0:5b88d5760320 | 3384 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: |
| kenjiArai | 0:5b88d5760320 | 3385 | ssl->handshake->async_in_progress = 1; |
| kenjiArai | 0:5b88d5760320 | 3386 | return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ); |
| kenjiArai | 0:5b88d5760320 | 3387 | default: |
| kenjiArai | 0:5b88d5760320 | 3388 | MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret ); |
| kenjiArai | 0:5b88d5760320 | 3389 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3390 | } |
| kenjiArai | 0:5b88d5760320 | 3391 | } |
| kenjiArai | 0:5b88d5760320 | 3392 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| kenjiArai | 0:5b88d5760320 | 3393 | |
| kenjiArai | 0:5b88d5760320 | 3394 | if( mbedtls_ssl_own_key( ssl ) == NULL ) |
| kenjiArai | 0:5b88d5760320 | 3395 | { |
| kenjiArai | 0:5b88d5760320 | 3396 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) ); |
| kenjiArai | 0:5b88d5760320 | 3397 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
| kenjiArai | 0:5b88d5760320 | 3398 | } |
| kenjiArai | 0:5b88d5760320 | 3399 | |
| kenjiArai | 0:5b88d5760320 | 3400 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the |
| kenjiArai | 0:5b88d5760320 | 3401 | * signature length which will be added in ssl_write_server_key_exchange |
| kenjiArai | 0:5b88d5760320 | 3402 | * after the call to ssl_prepare_server_key_exchange. |
| kenjiArai | 0:5b88d5760320 | 3403 | * ssl_write_server_key_exchange also takes care of incrementing |
| kenjiArai | 0:5b88d5760320 | 3404 | * ssl->out_msglen. */ |
| kenjiArai | 0:5b88d5760320 | 3405 | if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), |
| kenjiArai | 0:5b88d5760320 | 3406 | md_alg, hash, hashlen, |
| kenjiArai | 0:5b88d5760320 | 3407 | ssl->out_msg + ssl->out_msglen + 2, |
| kenjiArai | 0:5b88d5760320 | 3408 | signature_len, |
| kenjiArai | 0:5b88d5760320 | 3409 | ssl->conf->f_rng, |
| kenjiArai | 0:5b88d5760320 | 3410 | ssl->conf->p_rng ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3411 | { |
| kenjiArai | 0:5b88d5760320 | 3412 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); |
| kenjiArai | 0:5b88d5760320 | 3413 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3414 | } |
| kenjiArai | 0:5b88d5760320 | 3415 | } |
| kenjiArai | 0:5b88d5760320 | 3416 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3417 | |
| kenjiArai | 0:5b88d5760320 | 3418 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 3419 | } |
| kenjiArai | 0:5b88d5760320 | 3420 | |
| kenjiArai | 0:5b88d5760320 | 3421 | /* Prepare the ServerKeyExchange message and send it. For ciphersuites |
| kenjiArai | 0:5b88d5760320 | 3422 | * that do not include a ServerKeyExchange message, do nothing. Either |
| kenjiArai | 0:5b88d5760320 | 3423 | * way, if successful, move on to the next step in the SSL state |
| kenjiArai | 0:5b88d5760320 | 3424 | * machine. */ |
| kenjiArai | 0:5b88d5760320 | 3425 | static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 3426 | { |
| kenjiArai | 0:5b88d5760320 | 3427 | int ret; |
| kenjiArai | 0:5b88d5760320 | 3428 | size_t signature_len = 0; |
| kenjiArai | 0:5b88d5760320 | 3429 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3430 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| kenjiArai | 0:5b88d5760320 | 3431 | ssl->handshake->ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 3432 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3433 | |
| kenjiArai | 0:5b88d5760320 | 3434 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); |
| kenjiArai | 0:5b88d5760320 | 3435 | |
| kenjiArai | 0:5b88d5760320 | 3436 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3437 | /* Extract static ECDH parameters and abort if ServerKeyExchange |
| kenjiArai | 0:5b88d5760320 | 3438 | * is not needed. */ |
| kenjiArai | 0:5b88d5760320 | 3439 | if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) ) |
| kenjiArai | 0:5b88d5760320 | 3440 | { |
| kenjiArai | 0:5b88d5760320 | 3441 | /* For suites involving ECDH, extract DH parameters |
| kenjiArai | 0:5b88d5760320 | 3442 | * from certificate at this point. */ |
| kenjiArai | 0:5b88d5760320 | 3443 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3444 | if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) ) |
| kenjiArai | 0:5b88d5760320 | 3445 | { |
| kenjiArai | 0:5b88d5760320 | 3446 | ssl_get_ecdh_params_from_cert( ssl ); |
| kenjiArai | 0:5b88d5760320 | 3447 | } |
| kenjiArai | 0:5b88d5760320 | 3448 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3449 | |
| kenjiArai | 0:5b88d5760320 | 3450 | /* Key exchanges not involving ephemeral keys don't use |
| kenjiArai | 0:5b88d5760320 | 3451 | * ServerKeyExchange, so end here. */ |
| kenjiArai | 0:5b88d5760320 | 3452 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); |
| kenjiArai | 0:5b88d5760320 | 3453 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 3454 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 3455 | } |
| kenjiArai | 0:5b88d5760320 | 3456 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3457 | |
| kenjiArai | 0:5b88d5760320 | 3458 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \ |
| kenjiArai | 0:5b88d5760320 | 3459 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| kenjiArai | 0:5b88d5760320 | 3460 | /* If we have already prepared the message and there is an ongoing |
| kenjiArai | 0:5b88d5760320 | 3461 | * signature operation, resume signing. */ |
| kenjiArai | 0:5b88d5760320 | 3462 | if( ssl->handshake->async_in_progress != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3463 | { |
| kenjiArai | 0:5b88d5760320 | 3464 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) ); |
| kenjiArai | 0:5b88d5760320 | 3465 | ret = ssl_resume_server_key_exchange( ssl, &signature_len ); |
| kenjiArai | 0:5b88d5760320 | 3466 | } |
| kenjiArai | 0:5b88d5760320 | 3467 | else |
| kenjiArai | 0:5b88d5760320 | 3468 | #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && |
| kenjiArai | 0:5b88d5760320 | 3469 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ |
| kenjiArai | 0:5b88d5760320 | 3470 | { |
| kenjiArai | 0:5b88d5760320 | 3471 | /* ServerKeyExchange is needed. Prepare the message. */ |
| kenjiArai | 0:5b88d5760320 | 3472 | ret = ssl_prepare_server_key_exchange( ssl, &signature_len ); |
| kenjiArai | 0:5b88d5760320 | 3473 | } |
| kenjiArai | 0:5b88d5760320 | 3474 | |
| kenjiArai | 0:5b88d5760320 | 3475 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3476 | { |
| kenjiArai | 0:5b88d5760320 | 3477 | /* If we're starting to write a new message, set ssl->out_msglen |
| kenjiArai | 0:5b88d5760320 | 3478 | * to 0. But if we're resuming after an asynchronous message, |
| kenjiArai | 0:5b88d5760320 | 3479 | * out_msglen is the amount of data written so far and mst be |
| kenjiArai | 0:5b88d5760320 | 3480 | * preserved. */ |
| kenjiArai | 0:5b88d5760320 | 3481 | if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) |
| kenjiArai | 0:5b88d5760320 | 3482 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) ); |
| kenjiArai | 0:5b88d5760320 | 3483 | else |
| kenjiArai | 0:5b88d5760320 | 3484 | ssl->out_msglen = 0; |
| kenjiArai | 0:5b88d5760320 | 3485 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3486 | } |
| kenjiArai | 0:5b88d5760320 | 3487 | |
| kenjiArai | 0:5b88d5760320 | 3488 | /* If there is a signature, write its length. |
| kenjiArai | 0:5b88d5760320 | 3489 | * ssl_prepare_server_key_exchange already wrote the signature |
| kenjiArai | 0:5b88d5760320 | 3490 | * itself at its proper place in the output buffer. */ |
| kenjiArai | 0:5b88d5760320 | 3491 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3492 | if( signature_len != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3493 | { |
| kenjiArai | 0:5b88d5760320 | 3494 | ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 ); |
| kenjiArai | 0:5b88d5760320 | 3495 | ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len ); |
| kenjiArai | 0:5b88d5760320 | 3496 | |
| kenjiArai | 0:5b88d5760320 | 3497 | MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", |
| kenjiArai | 0:5b88d5760320 | 3498 | ssl->out_msg + ssl->out_msglen, |
| kenjiArai | 0:5b88d5760320 | 3499 | signature_len ); |
| kenjiArai | 0:5b88d5760320 | 3500 | |
| kenjiArai | 0:5b88d5760320 | 3501 | /* Skip over the already-written signature */ |
| kenjiArai | 0:5b88d5760320 | 3502 | ssl->out_msglen += signature_len; |
| kenjiArai | 0:5b88d5760320 | 3503 | } |
| kenjiArai | 0:5b88d5760320 | 3504 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3505 | |
| kenjiArai | 0:5b88d5760320 | 3506 | /* Add header and send. */ |
| kenjiArai | 0:5b88d5760320 | 3507 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| kenjiArai | 0:5b88d5760320 | 3508 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; |
| kenjiArai | 0:5b88d5760320 | 3509 | |
| kenjiArai | 0:5b88d5760320 | 3510 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 3511 | |
| kenjiArai | 0:5b88d5760320 | 3512 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3513 | { |
| kenjiArai | 0:5b88d5760320 | 3514 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
| kenjiArai | 0:5b88d5760320 | 3515 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3516 | } |
| kenjiArai | 0:5b88d5760320 | 3517 | |
| kenjiArai | 0:5b88d5760320 | 3518 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); |
| kenjiArai | 0:5b88d5760320 | 3519 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 3520 | } |
| kenjiArai | 0:5b88d5760320 | 3521 | |
| kenjiArai | 0:5b88d5760320 | 3522 | static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 3523 | { |
| kenjiArai | 0:5b88d5760320 | 3524 | int ret; |
| kenjiArai | 0:5b88d5760320 | 3525 | |
| kenjiArai | 0:5b88d5760320 | 3526 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); |
| kenjiArai | 0:5b88d5760320 | 3527 | |
| kenjiArai | 0:5b88d5760320 | 3528 | ssl->out_msglen = 4; |
| kenjiArai | 0:5b88d5760320 | 3529 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| kenjiArai | 0:5b88d5760320 | 3530 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; |
| kenjiArai | 0:5b88d5760320 | 3531 | |
| kenjiArai | 0:5b88d5760320 | 3532 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 3533 | |
| kenjiArai | 0:5b88d5760320 | 3534 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 3535 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| kenjiArai | 0:5b88d5760320 | 3536 | mbedtls_ssl_send_flight_completed( ssl ); |
| kenjiArai | 0:5b88d5760320 | 3537 | #endif |
| kenjiArai | 0:5b88d5760320 | 3538 | |
| kenjiArai | 0:5b88d5760320 | 3539 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3540 | { |
| kenjiArai | 0:5b88d5760320 | 3541 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
| kenjiArai | 0:5b88d5760320 | 3542 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3543 | } |
| kenjiArai | 0:5b88d5760320 | 3544 | |
| kenjiArai | 0:5b88d5760320 | 3545 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 3546 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| kenjiArai | 0:5b88d5760320 | 3547 | ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3548 | { |
| kenjiArai | 0:5b88d5760320 | 3549 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); |
| kenjiArai | 0:5b88d5760320 | 3550 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3551 | } |
| kenjiArai | 0:5b88d5760320 | 3552 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| kenjiArai | 0:5b88d5760320 | 3553 | |
| kenjiArai | 0:5b88d5760320 | 3554 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); |
| kenjiArai | 0:5b88d5760320 | 3555 | |
| kenjiArai | 0:5b88d5760320 | 3556 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 3557 | } |
| kenjiArai | 0:5b88d5760320 | 3558 | |
| kenjiArai | 0:5b88d5760320 | 3559 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| kenjiArai | 0:5b88d5760320 | 3560 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3561 | static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p, |
| kenjiArai | 0:5b88d5760320 | 3562 | const unsigned char *end ) |
| kenjiArai | 0:5b88d5760320 | 3563 | { |
| kenjiArai | 0:5b88d5760320 | 3564 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| kenjiArai | 0:5b88d5760320 | 3565 | size_t n; |
| kenjiArai | 0:5b88d5760320 | 3566 | |
| kenjiArai | 0:5b88d5760320 | 3567 | /* |
| kenjiArai | 0:5b88d5760320 | 3568 | * Receive G^Y mod P, premaster = (G^Y)^X mod P |
| kenjiArai | 0:5b88d5760320 | 3569 | */ |
| kenjiArai | 0:5b88d5760320 | 3570 | if( *p + 2 > end ) |
| kenjiArai | 0:5b88d5760320 | 3571 | { |
| kenjiArai | 0:5b88d5760320 | 3572 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| kenjiArai | 0:5b88d5760320 | 3573 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 3574 | } |
| kenjiArai | 0:5b88d5760320 | 3575 | |
| kenjiArai | 0:5b88d5760320 | 3576 | n = ( (*p)[0] << 8 ) | (*p)[1]; |
| kenjiArai | 0:5b88d5760320 | 3577 | *p += 2; |
| kenjiArai | 0:5b88d5760320 | 3578 | |
| kenjiArai | 0:5b88d5760320 | 3579 | if( *p + n > end ) |
| kenjiArai | 0:5b88d5760320 | 3580 | { |
| kenjiArai | 0:5b88d5760320 | 3581 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| kenjiArai | 0:5b88d5760320 | 3582 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 3583 | } |
| kenjiArai | 0:5b88d5760320 | 3584 | |
| kenjiArai | 0:5b88d5760320 | 3585 | if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3586 | { |
| kenjiArai | 0:5b88d5760320 | 3587 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret ); |
| kenjiArai | 0:5b88d5760320 | 3588 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); |
| kenjiArai | 0:5b88d5760320 | 3589 | } |
| kenjiArai | 0:5b88d5760320 | 3590 | |
| kenjiArai | 0:5b88d5760320 | 3591 | *p += n; |
| kenjiArai | 0:5b88d5760320 | 3592 | |
| kenjiArai | 0:5b88d5760320 | 3593 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); |
| kenjiArai | 0:5b88d5760320 | 3594 | |
| kenjiArai | 0:5b88d5760320 | 3595 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3596 | } |
| kenjiArai | 0:5b88d5760320 | 3597 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
| kenjiArai | 0:5b88d5760320 | 3598 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3599 | |
| kenjiArai | 0:5b88d5760320 | 3600 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| kenjiArai | 0:5b88d5760320 | 3601 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3602 | |
| kenjiArai | 0:5b88d5760320 | 3603 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| kenjiArai | 0:5b88d5760320 | 3604 | static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 3605 | unsigned char *peer_pms, |
| kenjiArai | 0:5b88d5760320 | 3606 | size_t *peer_pmslen, |
| kenjiArai | 0:5b88d5760320 | 3607 | size_t peer_pmssize ) |
| kenjiArai | 0:5b88d5760320 | 3608 | { |
| kenjiArai | 0:5b88d5760320 | 3609 | int ret = ssl->conf->f_async_resume( ssl, |
| kenjiArai | 0:5b88d5760320 | 3610 | peer_pms, peer_pmslen, peer_pmssize ); |
| kenjiArai | 0:5b88d5760320 | 3611 | if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) |
| kenjiArai | 0:5b88d5760320 | 3612 | { |
| kenjiArai | 0:5b88d5760320 | 3613 | ssl->handshake->async_in_progress = 0; |
| kenjiArai | 0:5b88d5760320 | 3614 | mbedtls_ssl_set_async_operation_data( ssl, NULL ); |
| kenjiArai | 0:5b88d5760320 | 3615 | } |
| kenjiArai | 0:5b88d5760320 | 3616 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret ); |
| kenjiArai | 0:5b88d5760320 | 3617 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3618 | } |
| kenjiArai | 0:5b88d5760320 | 3619 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| kenjiArai | 0:5b88d5760320 | 3620 | |
| kenjiArai | 0:5b88d5760320 | 3621 | static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 3622 | const unsigned char *p, |
| kenjiArai | 0:5b88d5760320 | 3623 | const unsigned char *end, |
| kenjiArai | 0:5b88d5760320 | 3624 | unsigned char *peer_pms, |
| kenjiArai | 0:5b88d5760320 | 3625 | size_t *peer_pmslen, |
| kenjiArai | 0:5b88d5760320 | 3626 | size_t peer_pmssize ) |
| kenjiArai | 0:5b88d5760320 | 3627 | { |
| kenjiArai | 0:5b88d5760320 | 3628 | int ret; |
| kenjiArai | 0:5b88d5760320 | 3629 | mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl ); |
| kenjiArai | 0:5b88d5760320 | 3630 | mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk; |
| kenjiArai | 0:5b88d5760320 | 3631 | size_t len = mbedtls_pk_get_len( public_key ); |
| kenjiArai | 0:5b88d5760320 | 3632 | |
| kenjiArai | 0:5b88d5760320 | 3633 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| kenjiArai | 0:5b88d5760320 | 3634 | /* If we have already started decoding the message and there is an ongoing |
| kenjiArai | 0:5b88d5760320 | 3635 | * decryption operation, resume signing. */ |
| kenjiArai | 0:5b88d5760320 | 3636 | if( ssl->handshake->async_in_progress != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3637 | { |
| kenjiArai | 0:5b88d5760320 | 3638 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) ); |
| kenjiArai | 0:5b88d5760320 | 3639 | return( ssl_resume_decrypt_pms( ssl, |
| kenjiArai | 0:5b88d5760320 | 3640 | peer_pms, peer_pmslen, peer_pmssize ) ); |
| kenjiArai | 0:5b88d5760320 | 3641 | } |
| kenjiArai | 0:5b88d5760320 | 3642 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| kenjiArai | 0:5b88d5760320 | 3643 | |
| kenjiArai | 0:5b88d5760320 | 3644 | /* |
| kenjiArai | 0:5b88d5760320 | 3645 | * Prepare to decrypt the premaster using own private RSA key |
| kenjiArai | 0:5b88d5760320 | 3646 | */ |
| kenjiArai | 0:5b88d5760320 | 3647 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
| kenjiArai | 0:5b88d5760320 | 3648 | defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| kenjiArai | 0:5b88d5760320 | 3649 | if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) |
| kenjiArai | 0:5b88d5760320 | 3650 | { |
| kenjiArai | 0:5b88d5760320 | 3651 | if ( p + 2 > end ) { |
| kenjiArai | 0:5b88d5760320 | 3652 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| kenjiArai | 0:5b88d5760320 | 3653 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 3654 | } |
| kenjiArai | 0:5b88d5760320 | 3655 | if( *p++ != ( ( len >> 8 ) & 0xFF ) || |
| kenjiArai | 0:5b88d5760320 | 3656 | *p++ != ( ( len ) & 0xFF ) ) |
| kenjiArai | 0:5b88d5760320 | 3657 | { |
| kenjiArai | 0:5b88d5760320 | 3658 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| kenjiArai | 0:5b88d5760320 | 3659 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 3660 | } |
| kenjiArai | 0:5b88d5760320 | 3661 | } |
| kenjiArai | 0:5b88d5760320 | 3662 | #endif |
| kenjiArai | 0:5b88d5760320 | 3663 | |
| kenjiArai | 0:5b88d5760320 | 3664 | if( p + len != end ) |
| kenjiArai | 0:5b88d5760320 | 3665 | { |
| kenjiArai | 0:5b88d5760320 | 3666 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| kenjiArai | 0:5b88d5760320 | 3667 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 3668 | } |
| kenjiArai | 0:5b88d5760320 | 3669 | |
| kenjiArai | 0:5b88d5760320 | 3670 | /* |
| kenjiArai | 0:5b88d5760320 | 3671 | * Decrypt the premaster secret |
| kenjiArai | 0:5b88d5760320 | 3672 | */ |
| kenjiArai | 0:5b88d5760320 | 3673 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| kenjiArai | 0:5b88d5760320 | 3674 | if( ssl->conf->f_async_decrypt_start != NULL ) |
| kenjiArai | 0:5b88d5760320 | 3675 | { |
| kenjiArai | 0:5b88d5760320 | 3676 | ret = ssl->conf->f_async_decrypt_start( ssl, |
| kenjiArai | 0:5b88d5760320 | 3677 | mbedtls_ssl_own_cert( ssl ), |
| kenjiArai | 0:5b88d5760320 | 3678 | p, len ); |
| kenjiArai | 0:5b88d5760320 | 3679 | switch( ret ) |
| kenjiArai | 0:5b88d5760320 | 3680 | { |
| kenjiArai | 0:5b88d5760320 | 3681 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: |
| kenjiArai | 0:5b88d5760320 | 3682 | /* act as if f_async_decrypt_start was null */ |
| kenjiArai | 0:5b88d5760320 | 3683 | break; |
| kenjiArai | 0:5b88d5760320 | 3684 | case 0: |
| kenjiArai | 0:5b88d5760320 | 3685 | ssl->handshake->async_in_progress = 1; |
| kenjiArai | 0:5b88d5760320 | 3686 | return( ssl_resume_decrypt_pms( ssl, |
| kenjiArai | 0:5b88d5760320 | 3687 | peer_pms, |
| kenjiArai | 0:5b88d5760320 | 3688 | peer_pmslen, |
| kenjiArai | 0:5b88d5760320 | 3689 | peer_pmssize ) ); |
| kenjiArai | 0:5b88d5760320 | 3690 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: |
| kenjiArai | 0:5b88d5760320 | 3691 | ssl->handshake->async_in_progress = 1; |
| kenjiArai | 0:5b88d5760320 | 3692 | return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ); |
| kenjiArai | 0:5b88d5760320 | 3693 | default: |
| kenjiArai | 0:5b88d5760320 | 3694 | MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret ); |
| kenjiArai | 0:5b88d5760320 | 3695 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3696 | } |
| kenjiArai | 0:5b88d5760320 | 3697 | } |
| kenjiArai | 0:5b88d5760320 | 3698 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| kenjiArai | 0:5b88d5760320 | 3699 | |
| kenjiArai | 0:5b88d5760320 | 3700 | if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) ) |
| kenjiArai | 0:5b88d5760320 | 3701 | { |
| kenjiArai | 0:5b88d5760320 | 3702 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); |
| kenjiArai | 0:5b88d5760320 | 3703 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
| kenjiArai | 0:5b88d5760320 | 3704 | } |
| kenjiArai | 0:5b88d5760320 | 3705 | |
| kenjiArai | 0:5b88d5760320 | 3706 | ret = mbedtls_pk_decrypt( private_key, p, len, |
| kenjiArai | 0:5b88d5760320 | 3707 | peer_pms, peer_pmslen, peer_pmssize, |
| kenjiArai | 0:5b88d5760320 | 3708 | ssl->conf->f_rng, ssl->conf->p_rng ); |
| kenjiArai | 0:5b88d5760320 | 3709 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3710 | } |
| kenjiArai | 0:5b88d5760320 | 3711 | |
| kenjiArai | 0:5b88d5760320 | 3712 | static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, |
| kenjiArai | 0:5b88d5760320 | 3713 | const unsigned char *p, |
| kenjiArai | 0:5b88d5760320 | 3714 | const unsigned char *end, |
| kenjiArai | 0:5b88d5760320 | 3715 | size_t pms_offset ) |
| kenjiArai | 0:5b88d5760320 | 3716 | { |
| kenjiArai | 0:5b88d5760320 | 3717 | int ret; |
| kenjiArai | 0:5b88d5760320 | 3718 | unsigned char *pms = ssl->handshake->premaster + pms_offset; |
| kenjiArai | 0:5b88d5760320 | 3719 | unsigned char ver[2]; |
| kenjiArai | 0:5b88d5760320 | 3720 | unsigned char fake_pms[48], peer_pms[48]; |
| kenjiArai | 0:5b88d5760320 | 3721 | unsigned char mask; |
| kenjiArai | 0:5b88d5760320 | 3722 | size_t i, peer_pmslen; |
| kenjiArai | 0:5b88d5760320 | 3723 | unsigned int diff; |
| kenjiArai | 0:5b88d5760320 | 3724 | |
| kenjiArai | 0:5b88d5760320 | 3725 | /* In case of a failure in decryption, the decryption may write less than |
| kenjiArai | 0:5b88d5760320 | 3726 | * 2 bytes of output, but we always read the first two bytes. It doesn't |
| kenjiArai | 0:5b88d5760320 | 3727 | * matter in the end because diff will be nonzero in that case due to |
| kenjiArai | 0:5b88d5760320 | 3728 | * peer_pmslen being less than 48, and we only care whether diff is 0. |
| kenjiArai | 0:5b88d5760320 | 3729 | * But do initialize peer_pms for robustness anyway. This also makes |
| kenjiArai | 0:5b88d5760320 | 3730 | * memory analyzers happy (don't access uninitialized memory, even |
| kenjiArai | 0:5b88d5760320 | 3731 | * if it's an unsigned char). */ |
| kenjiArai | 0:5b88d5760320 | 3732 | peer_pms[0] = peer_pms[1] = ~0; |
| kenjiArai | 0:5b88d5760320 | 3733 | |
| kenjiArai | 0:5b88d5760320 | 3734 | ret = ssl_decrypt_encrypted_pms( ssl, p, end, |
| kenjiArai | 0:5b88d5760320 | 3735 | peer_pms, |
| kenjiArai | 0:5b88d5760320 | 3736 | &peer_pmslen, |
| kenjiArai | 0:5b88d5760320 | 3737 | sizeof( peer_pms ) ); |
| kenjiArai | 0:5b88d5760320 | 3738 | |
| kenjiArai | 0:5b88d5760320 | 3739 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| kenjiArai | 0:5b88d5760320 | 3740 | if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) |
| kenjiArai | 0:5b88d5760320 | 3741 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3742 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| kenjiArai | 0:5b88d5760320 | 3743 | |
| kenjiArai | 0:5b88d5760320 | 3744 | mbedtls_ssl_write_version( ssl->handshake->max_major_ver, |
| kenjiArai | 0:5b88d5760320 | 3745 | ssl->handshake->max_minor_ver, |
| kenjiArai | 0:5b88d5760320 | 3746 | ssl->conf->transport, ver ); |
| kenjiArai | 0:5b88d5760320 | 3747 | |
| kenjiArai | 0:5b88d5760320 | 3748 | /* Avoid data-dependent branches while checking for invalid |
| kenjiArai | 0:5b88d5760320 | 3749 | * padding, to protect against timing-based Bleichenbacher-type |
| kenjiArai | 0:5b88d5760320 | 3750 | * attacks. */ |
| kenjiArai | 0:5b88d5760320 | 3751 | diff = (unsigned int) ret; |
| kenjiArai | 0:5b88d5760320 | 3752 | diff |= peer_pmslen ^ 48; |
| kenjiArai | 0:5b88d5760320 | 3753 | diff |= peer_pms[0] ^ ver[0]; |
| kenjiArai | 0:5b88d5760320 | 3754 | diff |= peer_pms[1] ^ ver[1]; |
| kenjiArai | 0:5b88d5760320 | 3755 | |
| kenjiArai | 0:5b88d5760320 | 3756 | /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ |
| kenjiArai | 0:5b88d5760320 | 3757 | /* MSVC has a warning about unary minus on unsigned, but this is |
| kenjiArai | 0:5b88d5760320 | 3758 | * well-defined and precisely what we want to do here */ |
| kenjiArai | 0:5b88d5760320 | 3759 | #if defined(_MSC_VER) |
| kenjiArai | 0:5b88d5760320 | 3760 | #pragma warning( push ) |
| kenjiArai | 0:5b88d5760320 | 3761 | #pragma warning( disable : 4146 ) |
| kenjiArai | 0:5b88d5760320 | 3762 | #endif |
| kenjiArai | 0:5b88d5760320 | 3763 | mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) ); |
| kenjiArai | 0:5b88d5760320 | 3764 | #if defined(_MSC_VER) |
| kenjiArai | 0:5b88d5760320 | 3765 | #pragma warning( pop ) |
| kenjiArai | 0:5b88d5760320 | 3766 | #endif |
| kenjiArai | 0:5b88d5760320 | 3767 | |
| kenjiArai | 0:5b88d5760320 | 3768 | /* |
| kenjiArai | 0:5b88d5760320 | 3769 | * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding |
| kenjiArai | 0:5b88d5760320 | 3770 | * must not cause the connection to end immediately; instead, send a |
| kenjiArai | 0:5b88d5760320 | 3771 | * bad_record_mac later in the handshake. |
| kenjiArai | 0:5b88d5760320 | 3772 | * To protect against timing-based variants of the attack, we must |
| kenjiArai | 0:5b88d5760320 | 3773 | * not have any branch that depends on whether the decryption was |
| kenjiArai | 0:5b88d5760320 | 3774 | * successful. In particular, always generate the fake premaster secret, |
| kenjiArai | 0:5b88d5760320 | 3775 | * regardless of whether it will ultimately influence the output or not. |
| kenjiArai | 0:5b88d5760320 | 3776 | */ |
| kenjiArai | 0:5b88d5760320 | 3777 | ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); |
| kenjiArai | 0:5b88d5760320 | 3778 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3779 | { |
| kenjiArai | 0:5b88d5760320 | 3780 | /* It's ok to abort on an RNG failure, since this does not reveal |
| kenjiArai | 0:5b88d5760320 | 3781 | * anything about the RSA decryption. */ |
| kenjiArai | 0:5b88d5760320 | 3782 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3783 | } |
| kenjiArai | 0:5b88d5760320 | 3784 | |
| kenjiArai | 0:5b88d5760320 | 3785 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
| kenjiArai | 0:5b88d5760320 | 3786 | if( diff != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3787 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| kenjiArai | 0:5b88d5760320 | 3788 | #endif |
| kenjiArai | 0:5b88d5760320 | 3789 | |
| kenjiArai | 0:5b88d5760320 | 3790 | if( sizeof( ssl->handshake->premaster ) < pms_offset || |
| kenjiArai | 0:5b88d5760320 | 3791 | sizeof( ssl->handshake->premaster ) - pms_offset < 48 ) |
| kenjiArai | 0:5b88d5760320 | 3792 | { |
| kenjiArai | 0:5b88d5760320 | 3793 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| kenjiArai | 0:5b88d5760320 | 3794 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 3795 | } |
| kenjiArai | 0:5b88d5760320 | 3796 | ssl->handshake->pmslen = 48; |
| kenjiArai | 0:5b88d5760320 | 3797 | |
| kenjiArai | 0:5b88d5760320 | 3798 | /* Set pms to either the true or the fake PMS, without |
| kenjiArai | 0:5b88d5760320 | 3799 | * data-dependent branches. */ |
| kenjiArai | 0:5b88d5760320 | 3800 | for( i = 0; i < ssl->handshake->pmslen; i++ ) |
| kenjiArai | 0:5b88d5760320 | 3801 | pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] ); |
| kenjiArai | 0:5b88d5760320 | 3802 | |
| kenjiArai | 0:5b88d5760320 | 3803 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 3804 | } |
| kenjiArai | 0:5b88d5760320 | 3805 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || |
| kenjiArai | 0:5b88d5760320 | 3806 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3807 | |
| kenjiArai | 0:5b88d5760320 | 3808 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3809 | static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p, |
| kenjiArai | 0:5b88d5760320 | 3810 | const unsigned char *end ) |
| kenjiArai | 0:5b88d5760320 | 3811 | { |
| kenjiArai | 0:5b88d5760320 | 3812 | int ret = 0; |
| kenjiArai | 0:5b88d5760320 | 3813 | size_t n; |
| kenjiArai | 0:5b88d5760320 | 3814 | |
| kenjiArai | 0:5b88d5760320 | 3815 | if( ssl_conf_has_psk_or_cb( ssl->conf ) == 0 ) |
| kenjiArai | 0:5b88d5760320 | 3816 | { |
| kenjiArai | 0:5b88d5760320 | 3817 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); |
| kenjiArai | 0:5b88d5760320 | 3818 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
| kenjiArai | 0:5b88d5760320 | 3819 | } |
| kenjiArai | 0:5b88d5760320 | 3820 | |
| kenjiArai | 0:5b88d5760320 | 3821 | /* |
| kenjiArai | 0:5b88d5760320 | 3822 | * Receive client pre-shared key identity name |
| kenjiArai | 0:5b88d5760320 | 3823 | */ |
| kenjiArai | 0:5b88d5760320 | 3824 | if( end - *p < 2 ) |
| kenjiArai | 0:5b88d5760320 | 3825 | { |
| kenjiArai | 0:5b88d5760320 | 3826 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| kenjiArai | 0:5b88d5760320 | 3827 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 3828 | } |
| kenjiArai | 0:5b88d5760320 | 3829 | |
| kenjiArai | 0:5b88d5760320 | 3830 | n = ( (*p)[0] << 8 ) | (*p)[1]; |
| kenjiArai | 0:5b88d5760320 | 3831 | *p += 2; |
| kenjiArai | 0:5b88d5760320 | 3832 | |
| kenjiArai | 0:5b88d5760320 | 3833 | if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) ) |
| kenjiArai | 0:5b88d5760320 | 3834 | { |
| kenjiArai | 0:5b88d5760320 | 3835 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| kenjiArai | 0:5b88d5760320 | 3836 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 3837 | } |
| kenjiArai | 0:5b88d5760320 | 3838 | |
| kenjiArai | 0:5b88d5760320 | 3839 | if( ssl->conf->f_psk != NULL ) |
| kenjiArai | 0:5b88d5760320 | 3840 | { |
| kenjiArai | 0:5b88d5760320 | 3841 | if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3842 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| kenjiArai | 0:5b88d5760320 | 3843 | } |
| kenjiArai | 0:5b88d5760320 | 3844 | else |
| kenjiArai | 0:5b88d5760320 | 3845 | { |
| kenjiArai | 0:5b88d5760320 | 3846 | /* Identity is not a big secret since clients send it in the clear, |
| kenjiArai | 0:5b88d5760320 | 3847 | * but treat it carefully anyway, just in case */ |
| kenjiArai | 0:5b88d5760320 | 3848 | if( n != ssl->conf->psk_identity_len || |
| kenjiArai | 0:5b88d5760320 | 3849 | mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3850 | { |
| kenjiArai | 0:5b88d5760320 | 3851 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| kenjiArai | 0:5b88d5760320 | 3852 | } |
| kenjiArai | 0:5b88d5760320 | 3853 | } |
| kenjiArai | 0:5b88d5760320 | 3854 | |
| kenjiArai | 0:5b88d5760320 | 3855 | if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) |
| kenjiArai | 0:5b88d5760320 | 3856 | { |
| kenjiArai | 0:5b88d5760320 | 3857 | MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); |
| kenjiArai | 0:5b88d5760320 | 3858 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| kenjiArai | 0:5b88d5760320 | 3859 | MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ); |
| kenjiArai | 0:5b88d5760320 | 3860 | return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); |
| kenjiArai | 0:5b88d5760320 | 3861 | } |
| kenjiArai | 0:5b88d5760320 | 3862 | |
| kenjiArai | 0:5b88d5760320 | 3863 | *p += n; |
| kenjiArai | 0:5b88d5760320 | 3864 | |
| kenjiArai | 0:5b88d5760320 | 3865 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 3866 | } |
| kenjiArai | 0:5b88d5760320 | 3867 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3868 | |
| kenjiArai | 0:5b88d5760320 | 3869 | static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 3870 | { |
| kenjiArai | 0:5b88d5760320 | 3871 | int ret; |
| kenjiArai | 0:5b88d5760320 | 3872 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 3873 | unsigned char *p, *end; |
| kenjiArai | 0:5b88d5760320 | 3874 | |
| kenjiArai | 0:5b88d5760320 | 3875 | ciphersuite_info = ssl->handshake->ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 3876 | |
| kenjiArai | 0:5b88d5760320 | 3877 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); |
| kenjiArai | 0:5b88d5760320 | 3878 | |
| kenjiArai | 0:5b88d5760320 | 3879 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \ |
| kenjiArai | 0:5b88d5760320 | 3880 | ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| kenjiArai | 0:5b88d5760320 | 3881 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) ) |
| kenjiArai | 0:5b88d5760320 | 3882 | if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
| kenjiArai | 0:5b88d5760320 | 3883 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) && |
| kenjiArai | 0:5b88d5760320 | 3884 | ( ssl->handshake->async_in_progress != 0 ) ) |
| kenjiArai | 0:5b88d5760320 | 3885 | { |
| kenjiArai | 0:5b88d5760320 | 3886 | /* We've already read a record and there is an asynchronous |
| kenjiArai | 0:5b88d5760320 | 3887 | * operation in progress to decrypt it. So skip reading the |
| kenjiArai | 0:5b88d5760320 | 3888 | * record. */ |
| kenjiArai | 0:5b88d5760320 | 3889 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) ); |
| kenjiArai | 0:5b88d5760320 | 3890 | } |
| kenjiArai | 0:5b88d5760320 | 3891 | else |
| kenjiArai | 0:5b88d5760320 | 3892 | #endif |
| kenjiArai | 0:5b88d5760320 | 3893 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3894 | { |
| kenjiArai | 0:5b88d5760320 | 3895 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
| kenjiArai | 0:5b88d5760320 | 3896 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3897 | } |
| kenjiArai | 0:5b88d5760320 | 3898 | |
| kenjiArai | 0:5b88d5760320 | 3899 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); |
| kenjiArai | 0:5b88d5760320 | 3900 | end = ssl->in_msg + ssl->in_hslen; |
| kenjiArai | 0:5b88d5760320 | 3901 | |
| kenjiArai | 0:5b88d5760320 | 3902 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) |
| kenjiArai | 0:5b88d5760320 | 3903 | { |
| kenjiArai | 0:5b88d5760320 | 3904 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| kenjiArai | 0:5b88d5760320 | 3905 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 3906 | } |
| kenjiArai | 0:5b88d5760320 | 3907 | |
| kenjiArai | 0:5b88d5760320 | 3908 | if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE ) |
| kenjiArai | 0:5b88d5760320 | 3909 | { |
| kenjiArai | 0:5b88d5760320 | 3910 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| kenjiArai | 0:5b88d5760320 | 3911 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 3912 | } |
| kenjiArai | 0:5b88d5760320 | 3913 | |
| kenjiArai | 0:5b88d5760320 | 3914 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3915 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) |
| kenjiArai | 0:5b88d5760320 | 3916 | { |
| kenjiArai | 0:5b88d5760320 | 3917 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3918 | { |
| kenjiArai | 0:5b88d5760320 | 3919 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); |
| kenjiArai | 0:5b88d5760320 | 3920 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3921 | } |
| kenjiArai | 0:5b88d5760320 | 3922 | |
| kenjiArai | 0:5b88d5760320 | 3923 | if( p != end ) |
| kenjiArai | 0:5b88d5760320 | 3924 | { |
| kenjiArai | 0:5b88d5760320 | 3925 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
| kenjiArai | 0:5b88d5760320 | 3926 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 3927 | } |
| kenjiArai | 0:5b88d5760320 | 3928 | |
| kenjiArai | 0:5b88d5760320 | 3929 | if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, |
| kenjiArai | 0:5b88d5760320 | 3930 | ssl->handshake->premaster, |
| kenjiArai | 0:5b88d5760320 | 3931 | MBEDTLS_PREMASTER_SIZE, |
| kenjiArai | 0:5b88d5760320 | 3932 | &ssl->handshake->pmslen, |
| kenjiArai | 0:5b88d5760320 | 3933 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3934 | { |
| kenjiArai | 0:5b88d5760320 | 3935 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); |
| kenjiArai | 0:5b88d5760320 | 3936 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); |
| kenjiArai | 0:5b88d5760320 | 3937 | } |
| kenjiArai | 0:5b88d5760320 | 3938 | |
| kenjiArai | 0:5b88d5760320 | 3939 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); |
| kenjiArai | 0:5b88d5760320 | 3940 | } |
| kenjiArai | 0:5b88d5760320 | 3941 | else |
| kenjiArai | 0:5b88d5760320 | 3942 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3943 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| kenjiArai | 0:5b88d5760320 | 3944 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| kenjiArai | 0:5b88d5760320 | 3945 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| kenjiArai | 0:5b88d5760320 | 3946 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3947 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| kenjiArai | 0:5b88d5760320 | 3948 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
| kenjiArai | 0:5b88d5760320 | 3949 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| kenjiArai | 0:5b88d5760320 | 3950 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) |
| kenjiArai | 0:5b88d5760320 | 3951 | { |
| kenjiArai | 0:5b88d5760320 | 3952 | if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, |
| kenjiArai | 0:5b88d5760320 | 3953 | p, end - p) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3954 | { |
| kenjiArai | 0:5b88d5760320 | 3955 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); |
| kenjiArai | 0:5b88d5760320 | 3956 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); |
| kenjiArai | 0:5b88d5760320 | 3957 | } |
| kenjiArai | 0:5b88d5760320 | 3958 | |
| kenjiArai | 0:5b88d5760320 | 3959 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
| kenjiArai | 0:5b88d5760320 | 3960 | MBEDTLS_DEBUG_ECDH_QP ); |
| kenjiArai | 0:5b88d5760320 | 3961 | |
| kenjiArai | 0:5b88d5760320 | 3962 | if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, |
| kenjiArai | 0:5b88d5760320 | 3963 | &ssl->handshake->pmslen, |
| kenjiArai | 0:5b88d5760320 | 3964 | ssl->handshake->premaster, |
| kenjiArai | 0:5b88d5760320 | 3965 | MBEDTLS_MPI_MAX_SIZE, |
| kenjiArai | 0:5b88d5760320 | 3966 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3967 | { |
| kenjiArai | 0:5b88d5760320 | 3968 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); |
| kenjiArai | 0:5b88d5760320 | 3969 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); |
| kenjiArai | 0:5b88d5760320 | 3970 | } |
| kenjiArai | 0:5b88d5760320 | 3971 | |
| kenjiArai | 0:5b88d5760320 | 3972 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
| kenjiArai | 0:5b88d5760320 | 3973 | MBEDTLS_DEBUG_ECDH_Z ); |
| kenjiArai | 0:5b88d5760320 | 3974 | } |
| kenjiArai | 0:5b88d5760320 | 3975 | else |
| kenjiArai | 0:5b88d5760320 | 3976 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| kenjiArai | 0:5b88d5760320 | 3977 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
| kenjiArai | 0:5b88d5760320 | 3978 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| kenjiArai | 0:5b88d5760320 | 3979 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 3980 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 3981 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) |
| kenjiArai | 0:5b88d5760320 | 3982 | { |
| kenjiArai | 0:5b88d5760320 | 3983 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 3984 | { |
| kenjiArai | 0:5b88d5760320 | 3985 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| kenjiArai | 0:5b88d5760320 | 3986 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 3987 | } |
| kenjiArai | 0:5b88d5760320 | 3988 | |
| kenjiArai | 0:5b88d5760320 | 3989 | if( p != end ) |
| kenjiArai | 0:5b88d5760320 | 3990 | { |
| kenjiArai | 0:5b88d5760320 | 3991 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
| kenjiArai | 0:5b88d5760320 | 3992 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 3993 | } |
| kenjiArai | 0:5b88d5760320 | 3994 | |
| kenjiArai | 0:5b88d5760320 | 3995 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| kenjiArai | 0:5b88d5760320 | 3996 | /* For opaque PSKs, we perform the PSK-to-MS derivation atomatically |
| kenjiArai | 0:5b88d5760320 | 3997 | * and skip the intermediate PMS. */ |
| kenjiArai | 0:5b88d5760320 | 3998 | if( ssl_use_opaque_psk( ssl ) == 1 ) |
| kenjiArai | 0:5b88d5760320 | 3999 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) ); |
| kenjiArai | 0:5b88d5760320 | 4000 | else |
| kenjiArai | 0:5b88d5760320 | 4001 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| kenjiArai | 0:5b88d5760320 | 4002 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| kenjiArai | 0:5b88d5760320 | 4003 | ciphersuite_info->key_exchange ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4004 | { |
| kenjiArai | 0:5b88d5760320 | 4005 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| kenjiArai | 0:5b88d5760320 | 4006 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4007 | } |
| kenjiArai | 0:5b88d5760320 | 4008 | } |
| kenjiArai | 0:5b88d5760320 | 4009 | else |
| kenjiArai | 0:5b88d5760320 | 4010 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 4011 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 4012 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) |
| kenjiArai | 0:5b88d5760320 | 4013 | { |
| kenjiArai | 0:5b88d5760320 | 4014 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| kenjiArai | 0:5b88d5760320 | 4015 | if ( ssl->handshake->async_in_progress != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4016 | { |
| kenjiArai | 0:5b88d5760320 | 4017 | /* There is an asynchronous operation in progress to |
| kenjiArai | 0:5b88d5760320 | 4018 | * decrypt the encrypted premaster secret, so skip |
| kenjiArai | 0:5b88d5760320 | 4019 | * directly to resuming this operation. */ |
| kenjiArai | 0:5b88d5760320 | 4020 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) ); |
| kenjiArai | 0:5b88d5760320 | 4021 | /* Update p to skip the PSK identity. ssl_parse_encrypted_pms |
| kenjiArai | 0:5b88d5760320 | 4022 | * won't actually use it, but maintain p anyway for robustness. */ |
| kenjiArai | 0:5b88d5760320 | 4023 | p += ssl->conf->psk_identity_len + 2; |
| kenjiArai | 0:5b88d5760320 | 4024 | } |
| kenjiArai | 0:5b88d5760320 | 4025 | else |
| kenjiArai | 0:5b88d5760320 | 4026 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| kenjiArai | 0:5b88d5760320 | 4027 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4028 | { |
| kenjiArai | 0:5b88d5760320 | 4029 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| kenjiArai | 0:5b88d5760320 | 4030 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4031 | } |
| kenjiArai | 0:5b88d5760320 | 4032 | |
| kenjiArai | 0:5b88d5760320 | 4033 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| kenjiArai | 0:5b88d5760320 | 4034 | /* Opaque PSKs are currently only supported for PSK-only. */ |
| kenjiArai | 0:5b88d5760320 | 4035 | if( ssl_use_opaque_psk( ssl ) == 1 ) |
| kenjiArai | 0:5b88d5760320 | 4036 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| kenjiArai | 0:5b88d5760320 | 4037 | #endif |
| kenjiArai | 0:5b88d5760320 | 4038 | |
| kenjiArai | 0:5b88d5760320 | 4039 | if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4040 | { |
| kenjiArai | 0:5b88d5760320 | 4041 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); |
| kenjiArai | 0:5b88d5760320 | 4042 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4043 | } |
| kenjiArai | 0:5b88d5760320 | 4044 | |
| kenjiArai | 0:5b88d5760320 | 4045 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| kenjiArai | 0:5b88d5760320 | 4046 | ciphersuite_info->key_exchange ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4047 | { |
| kenjiArai | 0:5b88d5760320 | 4048 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| kenjiArai | 0:5b88d5760320 | 4049 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4050 | } |
| kenjiArai | 0:5b88d5760320 | 4051 | } |
| kenjiArai | 0:5b88d5760320 | 4052 | else |
| kenjiArai | 0:5b88d5760320 | 4053 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 4054 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 4055 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) |
| kenjiArai | 0:5b88d5760320 | 4056 | { |
| kenjiArai | 0:5b88d5760320 | 4057 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4058 | { |
| kenjiArai | 0:5b88d5760320 | 4059 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| kenjiArai | 0:5b88d5760320 | 4060 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4061 | } |
| kenjiArai | 0:5b88d5760320 | 4062 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4063 | { |
| kenjiArai | 0:5b88d5760320 | 4064 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); |
| kenjiArai | 0:5b88d5760320 | 4065 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4066 | } |
| kenjiArai | 0:5b88d5760320 | 4067 | |
| kenjiArai | 0:5b88d5760320 | 4068 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| kenjiArai | 0:5b88d5760320 | 4069 | /* Opaque PSKs are currently only supported for PSK-only. */ |
| kenjiArai | 0:5b88d5760320 | 4070 | if( ssl_use_opaque_psk( ssl ) == 1 ) |
| kenjiArai | 0:5b88d5760320 | 4071 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| kenjiArai | 0:5b88d5760320 | 4072 | #endif |
| kenjiArai | 0:5b88d5760320 | 4073 | |
| kenjiArai | 0:5b88d5760320 | 4074 | if( p != end ) |
| kenjiArai | 0:5b88d5760320 | 4075 | { |
| kenjiArai | 0:5b88d5760320 | 4076 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
| kenjiArai | 0:5b88d5760320 | 4077 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 4078 | } |
| kenjiArai | 0:5b88d5760320 | 4079 | |
| kenjiArai | 0:5b88d5760320 | 4080 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| kenjiArai | 0:5b88d5760320 | 4081 | ciphersuite_info->key_exchange ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4082 | { |
| kenjiArai | 0:5b88d5760320 | 4083 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| kenjiArai | 0:5b88d5760320 | 4084 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4085 | } |
| kenjiArai | 0:5b88d5760320 | 4086 | } |
| kenjiArai | 0:5b88d5760320 | 4087 | else |
| kenjiArai | 0:5b88d5760320 | 4088 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 4089 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 4090 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) |
| kenjiArai | 0:5b88d5760320 | 4091 | { |
| kenjiArai | 0:5b88d5760320 | 4092 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4093 | { |
| kenjiArai | 0:5b88d5760320 | 4094 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| kenjiArai | 0:5b88d5760320 | 4095 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4096 | } |
| kenjiArai | 0:5b88d5760320 | 4097 | |
| kenjiArai | 0:5b88d5760320 | 4098 | if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, |
| kenjiArai | 0:5b88d5760320 | 4099 | p, end - p ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4100 | { |
| kenjiArai | 0:5b88d5760320 | 4101 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); |
| kenjiArai | 0:5b88d5760320 | 4102 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); |
| kenjiArai | 0:5b88d5760320 | 4103 | } |
| kenjiArai | 0:5b88d5760320 | 4104 | |
| kenjiArai | 0:5b88d5760320 | 4105 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| kenjiArai | 0:5b88d5760320 | 4106 | /* Opaque PSKs are currently only supported for PSK-only. */ |
| kenjiArai | 0:5b88d5760320 | 4107 | if( ssl_use_opaque_psk( ssl ) == 1 ) |
| kenjiArai | 0:5b88d5760320 | 4108 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| kenjiArai | 0:5b88d5760320 | 4109 | #endif |
| kenjiArai | 0:5b88d5760320 | 4110 | |
| kenjiArai | 0:5b88d5760320 | 4111 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
| kenjiArai | 0:5b88d5760320 | 4112 | MBEDTLS_DEBUG_ECDH_QP ); |
| kenjiArai | 0:5b88d5760320 | 4113 | |
| kenjiArai | 0:5b88d5760320 | 4114 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| kenjiArai | 0:5b88d5760320 | 4115 | ciphersuite_info->key_exchange ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4116 | { |
| kenjiArai | 0:5b88d5760320 | 4117 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| kenjiArai | 0:5b88d5760320 | 4118 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4119 | } |
| kenjiArai | 0:5b88d5760320 | 4120 | } |
| kenjiArai | 0:5b88d5760320 | 4121 | else |
| kenjiArai | 0:5b88d5760320 | 4122 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 4123 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 4124 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) |
| kenjiArai | 0:5b88d5760320 | 4125 | { |
| kenjiArai | 0:5b88d5760320 | 4126 | if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4127 | { |
| kenjiArai | 0:5b88d5760320 | 4128 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); |
| kenjiArai | 0:5b88d5760320 | 4129 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4130 | } |
| kenjiArai | 0:5b88d5760320 | 4131 | } |
| kenjiArai | 0:5b88d5760320 | 4132 | else |
| kenjiArai | 0:5b88d5760320 | 4133 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 4134 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| kenjiArai | 0:5b88d5760320 | 4135 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
| kenjiArai | 0:5b88d5760320 | 4136 | { |
| kenjiArai | 0:5b88d5760320 | 4137 | ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, |
| kenjiArai | 0:5b88d5760320 | 4138 | p, end - p ); |
| kenjiArai | 0:5b88d5760320 | 4139 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4140 | { |
| kenjiArai | 0:5b88d5760320 | 4141 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); |
| kenjiArai | 0:5b88d5760320 | 4142 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
| kenjiArai | 0:5b88d5760320 | 4143 | } |
| kenjiArai | 0:5b88d5760320 | 4144 | |
| kenjiArai | 0:5b88d5760320 | 4145 | ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, |
| kenjiArai | 0:5b88d5760320 | 4146 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen, |
| kenjiArai | 0:5b88d5760320 | 4147 | ssl->conf->f_rng, ssl->conf->p_rng ); |
| kenjiArai | 0:5b88d5760320 | 4148 | if( ret != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4149 | { |
| kenjiArai | 0:5b88d5760320 | 4150 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); |
| kenjiArai | 0:5b88d5760320 | 4151 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4152 | } |
| kenjiArai | 0:5b88d5760320 | 4153 | } |
| kenjiArai | 0:5b88d5760320 | 4154 | else |
| kenjiArai | 0:5b88d5760320 | 4155 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 4156 | { |
| kenjiArai | 0:5b88d5760320 | 4157 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| kenjiArai | 0:5b88d5760320 | 4158 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 4159 | } |
| kenjiArai | 0:5b88d5760320 | 4160 | |
| kenjiArai | 0:5b88d5760320 | 4161 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4162 | { |
| kenjiArai | 0:5b88d5760320 | 4163 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); |
| kenjiArai | 0:5b88d5760320 | 4164 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4165 | } |
| kenjiArai | 0:5b88d5760320 | 4166 | |
| kenjiArai | 0:5b88d5760320 | 4167 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 4168 | |
| kenjiArai | 0:5b88d5760320 | 4169 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); |
| kenjiArai | 0:5b88d5760320 | 4170 | |
| kenjiArai | 0:5b88d5760320 | 4171 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 4172 | } |
| kenjiArai | 0:5b88d5760320 | 4173 | |
| kenjiArai | 0:5b88d5760320 | 4174 | #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) |
| kenjiArai | 0:5b88d5760320 | 4175 | static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 4176 | { |
| kenjiArai | 0:5b88d5760320 | 4177 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| kenjiArai | 0:5b88d5760320 | 4178 | ssl->handshake->ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 4179 | |
| kenjiArai | 0:5b88d5760320 | 4180 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); |
| kenjiArai | 0:5b88d5760320 | 4181 | |
| kenjiArai | 0:5b88d5760320 | 4182 | if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) |
| kenjiArai | 0:5b88d5760320 | 4183 | { |
| kenjiArai | 0:5b88d5760320 | 4184 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
| kenjiArai | 0:5b88d5760320 | 4185 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 4186 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 4187 | } |
| kenjiArai | 0:5b88d5760320 | 4188 | |
| kenjiArai | 0:5b88d5760320 | 4189 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| kenjiArai | 0:5b88d5760320 | 4190 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 4191 | } |
| kenjiArai | 0:5b88d5760320 | 4192 | #else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 4193 | static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 4194 | { |
| kenjiArai | 0:5b88d5760320 | 4195 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| kenjiArai | 0:5b88d5760320 | 4196 | size_t i, sig_len; |
| kenjiArai | 0:5b88d5760320 | 4197 | unsigned char hash[48]; |
| kenjiArai | 0:5b88d5760320 | 4198 | unsigned char *hash_start = hash; |
| kenjiArai | 0:5b88d5760320 | 4199 | size_t hashlen; |
| kenjiArai | 0:5b88d5760320 | 4200 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| kenjiArai | 0:5b88d5760320 | 4201 | mbedtls_pk_type_t pk_alg; |
| kenjiArai | 0:5b88d5760320 | 4202 | #endif |
| kenjiArai | 0:5b88d5760320 | 4203 | mbedtls_md_type_t md_alg; |
| kenjiArai | 0:5b88d5760320 | 4204 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| kenjiArai | 0:5b88d5760320 | 4205 | ssl->handshake->ciphersuite_info; |
| kenjiArai | 0:5b88d5760320 | 4206 | mbedtls_pk_context * peer_pk; |
| kenjiArai | 0:5b88d5760320 | 4207 | |
| kenjiArai | 0:5b88d5760320 | 4208 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); |
| kenjiArai | 0:5b88d5760320 | 4209 | |
| kenjiArai | 0:5b88d5760320 | 4210 | if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) |
| kenjiArai | 0:5b88d5760320 | 4211 | { |
| kenjiArai | 0:5b88d5760320 | 4212 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
| kenjiArai | 0:5b88d5760320 | 4213 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 4214 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 4215 | } |
| kenjiArai | 0:5b88d5760320 | 4216 | |
| kenjiArai | 0:5b88d5760320 | 4217 | #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| kenjiArai | 0:5b88d5760320 | 4218 | if( ssl->session_negotiate->peer_cert == NULL ) |
| kenjiArai | 0:5b88d5760320 | 4219 | { |
| kenjiArai | 0:5b88d5760320 | 4220 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
| kenjiArai | 0:5b88d5760320 | 4221 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 4222 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 4223 | } |
| kenjiArai | 0:5b88d5760320 | 4224 | #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| kenjiArai | 0:5b88d5760320 | 4225 | if( ssl->session_negotiate->peer_cert_digest == NULL ) |
| kenjiArai | 0:5b88d5760320 | 4226 | { |
| kenjiArai | 0:5b88d5760320 | 4227 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
| kenjiArai | 0:5b88d5760320 | 4228 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 4229 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 4230 | } |
| kenjiArai | 0:5b88d5760320 | 4231 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| kenjiArai | 0:5b88d5760320 | 4232 | |
| kenjiArai | 0:5b88d5760320 | 4233 | /* Read the message without adding it to the checksum */ |
| kenjiArai | 0:5b88d5760320 | 4234 | ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ ); |
| kenjiArai | 0:5b88d5760320 | 4235 | if( 0 != ret ) |
| kenjiArai | 0:5b88d5760320 | 4236 | { |
| kenjiArai | 0:5b88d5760320 | 4237 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret ); |
| kenjiArai | 0:5b88d5760320 | 4238 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4239 | } |
| kenjiArai | 0:5b88d5760320 | 4240 | |
| kenjiArai | 0:5b88d5760320 | 4241 | ssl->state++; |
| kenjiArai | 0:5b88d5760320 | 4242 | |
| kenjiArai | 0:5b88d5760320 | 4243 | /* Process the message contents */ |
| kenjiArai | 0:5b88d5760320 | 4244 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || |
| kenjiArai | 0:5b88d5760320 | 4245 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY ) |
| kenjiArai | 0:5b88d5760320 | 4246 | { |
| kenjiArai | 0:5b88d5760320 | 4247 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| kenjiArai | 0:5b88d5760320 | 4248 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| kenjiArai | 0:5b88d5760320 | 4249 | } |
| kenjiArai | 0:5b88d5760320 | 4250 | |
| kenjiArai | 0:5b88d5760320 | 4251 | i = mbedtls_ssl_hs_hdr_len( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4252 | |
| kenjiArai | 0:5b88d5760320 | 4253 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| kenjiArai | 0:5b88d5760320 | 4254 | peer_pk = &ssl->handshake->peer_pubkey; |
| kenjiArai | 0:5b88d5760320 | 4255 | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| kenjiArai | 0:5b88d5760320 | 4256 | if( ssl->session_negotiate->peer_cert == NULL ) |
| kenjiArai | 0:5b88d5760320 | 4257 | { |
| kenjiArai | 0:5b88d5760320 | 4258 | /* Should never happen */ |
| kenjiArai | 0:5b88d5760320 | 4259 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 4260 | } |
| kenjiArai | 0:5b88d5760320 | 4261 | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
| kenjiArai | 0:5b88d5760320 | 4262 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| kenjiArai | 0:5b88d5760320 | 4263 | |
| kenjiArai | 0:5b88d5760320 | 4264 | /* |
| kenjiArai | 0:5b88d5760320 | 4265 | * struct { |
| kenjiArai | 0:5b88d5760320 | 4266 | * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only |
| kenjiArai | 0:5b88d5760320 | 4267 | * opaque signature<0..2^16-1>; |
| kenjiArai | 0:5b88d5760320 | 4268 | * } DigitallySigned; |
| kenjiArai | 0:5b88d5760320 | 4269 | */ |
| kenjiArai | 0:5b88d5760320 | 4270 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
| kenjiArai | 0:5b88d5760320 | 4271 | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
| kenjiArai | 0:5b88d5760320 | 4272 | if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) |
| kenjiArai | 0:5b88d5760320 | 4273 | { |
| kenjiArai | 0:5b88d5760320 | 4274 | md_alg = MBEDTLS_MD_NONE; |
| kenjiArai | 0:5b88d5760320 | 4275 | hashlen = 36; |
| kenjiArai | 0:5b88d5760320 | 4276 | |
| kenjiArai | 0:5b88d5760320 | 4277 | /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ |
| kenjiArai | 0:5b88d5760320 | 4278 | if( mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECDSA ) ) |
| kenjiArai | 0:5b88d5760320 | 4279 | { |
| kenjiArai | 0:5b88d5760320 | 4280 | hash_start += 16; |
| kenjiArai | 0:5b88d5760320 | 4281 | hashlen -= 16; |
| kenjiArai | 0:5b88d5760320 | 4282 | md_alg = MBEDTLS_MD_SHA1; |
| kenjiArai | 0:5b88d5760320 | 4283 | } |
| kenjiArai | 0:5b88d5760320 | 4284 | } |
| kenjiArai | 0:5b88d5760320 | 4285 | else |
| kenjiArai | 0:5b88d5760320 | 4286 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || |
| kenjiArai | 0:5b88d5760320 | 4287 | MBEDTLS_SSL_PROTO_TLS1_1 */ |
| kenjiArai | 0:5b88d5760320 | 4288 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| kenjiArai | 0:5b88d5760320 | 4289 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
| kenjiArai | 0:5b88d5760320 | 4290 | { |
| kenjiArai | 0:5b88d5760320 | 4291 | if( i + 2 > ssl->in_hslen ) |
| kenjiArai | 0:5b88d5760320 | 4292 | { |
| kenjiArai | 0:5b88d5760320 | 4293 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| kenjiArai | 0:5b88d5760320 | 4294 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| kenjiArai | 0:5b88d5760320 | 4295 | } |
| kenjiArai | 0:5b88d5760320 | 4296 | |
| kenjiArai | 0:5b88d5760320 | 4297 | /* |
| kenjiArai | 0:5b88d5760320 | 4298 | * Hash |
| kenjiArai | 0:5b88d5760320 | 4299 | */ |
| kenjiArai | 0:5b88d5760320 | 4300 | md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] ); |
| kenjiArai | 0:5b88d5760320 | 4301 | |
| kenjiArai | 0:5b88d5760320 | 4302 | if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) ) |
| kenjiArai | 0:5b88d5760320 | 4303 | { |
| kenjiArai | 0:5b88d5760320 | 4304 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" |
| kenjiArai | 0:5b88d5760320 | 4305 | " for verify message" ) ); |
| kenjiArai | 0:5b88d5760320 | 4306 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| kenjiArai | 0:5b88d5760320 | 4307 | } |
| kenjiArai | 0:5b88d5760320 | 4308 | |
| kenjiArai | 0:5b88d5760320 | 4309 | #if !defined(MBEDTLS_MD_SHA1) |
| kenjiArai | 0:5b88d5760320 | 4310 | if( MBEDTLS_MD_SHA1 == md_alg ) |
| kenjiArai | 0:5b88d5760320 | 4311 | hash_start += 16; |
| kenjiArai | 0:5b88d5760320 | 4312 | #endif |
| kenjiArai | 0:5b88d5760320 | 4313 | |
| kenjiArai | 0:5b88d5760320 | 4314 | /* Info from md_alg will be used instead */ |
| kenjiArai | 0:5b88d5760320 | 4315 | hashlen = 0; |
| kenjiArai | 0:5b88d5760320 | 4316 | |
| kenjiArai | 0:5b88d5760320 | 4317 | i++; |
| kenjiArai | 0:5b88d5760320 | 4318 | |
| kenjiArai | 0:5b88d5760320 | 4319 | /* |
| kenjiArai | 0:5b88d5760320 | 4320 | * Signature |
| kenjiArai | 0:5b88d5760320 | 4321 | */ |
| kenjiArai | 0:5b88d5760320 | 4322 | if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) ) |
| kenjiArai | 0:5b88d5760320 | 4323 | == MBEDTLS_PK_NONE ) |
| kenjiArai | 0:5b88d5760320 | 4324 | { |
| kenjiArai | 0:5b88d5760320 | 4325 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" |
| kenjiArai | 0:5b88d5760320 | 4326 | " for verify message" ) ); |
| kenjiArai | 0:5b88d5760320 | 4327 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| kenjiArai | 0:5b88d5760320 | 4328 | } |
| kenjiArai | 0:5b88d5760320 | 4329 | |
| kenjiArai | 0:5b88d5760320 | 4330 | /* |
| kenjiArai | 0:5b88d5760320 | 4331 | * Check the certificate's key type matches the signature alg |
| kenjiArai | 0:5b88d5760320 | 4332 | */ |
| kenjiArai | 0:5b88d5760320 | 4333 | if( !mbedtls_pk_can_do( peer_pk, pk_alg ) ) |
| kenjiArai | 0:5b88d5760320 | 4334 | { |
| kenjiArai | 0:5b88d5760320 | 4335 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); |
| kenjiArai | 0:5b88d5760320 | 4336 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| kenjiArai | 0:5b88d5760320 | 4337 | } |
| kenjiArai | 0:5b88d5760320 | 4338 | |
| kenjiArai | 0:5b88d5760320 | 4339 | i++; |
| kenjiArai | 0:5b88d5760320 | 4340 | } |
| kenjiArai | 0:5b88d5760320 | 4341 | else |
| kenjiArai | 0:5b88d5760320 | 4342 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| kenjiArai | 0:5b88d5760320 | 4343 | { |
| kenjiArai | 0:5b88d5760320 | 4344 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| kenjiArai | 0:5b88d5760320 | 4345 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| kenjiArai | 0:5b88d5760320 | 4346 | } |
| kenjiArai | 0:5b88d5760320 | 4347 | |
| kenjiArai | 0:5b88d5760320 | 4348 | if( i + 2 > ssl->in_hslen ) |
| kenjiArai | 0:5b88d5760320 | 4349 | { |
| kenjiArai | 0:5b88d5760320 | 4350 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| kenjiArai | 0:5b88d5760320 | 4351 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| kenjiArai | 0:5b88d5760320 | 4352 | } |
| kenjiArai | 0:5b88d5760320 | 4353 | |
| kenjiArai | 0:5b88d5760320 | 4354 | sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1]; |
| kenjiArai | 0:5b88d5760320 | 4355 | i += 2; |
| kenjiArai | 0:5b88d5760320 | 4356 | |
| kenjiArai | 0:5b88d5760320 | 4357 | if( i + sig_len != ssl->in_hslen ) |
| kenjiArai | 0:5b88d5760320 | 4358 | { |
| kenjiArai | 0:5b88d5760320 | 4359 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| kenjiArai | 0:5b88d5760320 | 4360 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| kenjiArai | 0:5b88d5760320 | 4361 | } |
| kenjiArai | 0:5b88d5760320 | 4362 | |
| kenjiArai | 0:5b88d5760320 | 4363 | /* Calculate hash and verify signature */ |
| kenjiArai | 1:9db0e321a9f4 | 4364 | { |
| kenjiArai | 1:9db0e321a9f4 | 4365 | size_t dummy_hlen; |
| kenjiArai | 1:9db0e321a9f4 | 4366 | ssl->handshake->calc_verify( ssl, hash, &dummy_hlen ); |
| kenjiArai | 1:9db0e321a9f4 | 4367 | } |
| kenjiArai | 0:5b88d5760320 | 4368 | |
| kenjiArai | 0:5b88d5760320 | 4369 | if( ( ret = mbedtls_pk_verify( peer_pk, |
| kenjiArai | 0:5b88d5760320 | 4370 | md_alg, hash_start, hashlen, |
| kenjiArai | 0:5b88d5760320 | 4371 | ssl->in_msg + i, sig_len ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4372 | { |
| kenjiArai | 0:5b88d5760320 | 4373 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); |
| kenjiArai | 0:5b88d5760320 | 4374 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4375 | } |
| kenjiArai | 0:5b88d5760320 | 4376 | |
| kenjiArai | 0:5b88d5760320 | 4377 | mbedtls_ssl_update_handshake_status( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4378 | |
| kenjiArai | 0:5b88d5760320 | 4379 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); |
| kenjiArai | 0:5b88d5760320 | 4380 | |
| kenjiArai | 0:5b88d5760320 | 4381 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4382 | } |
| kenjiArai | 0:5b88d5760320 | 4383 | #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ |
| kenjiArai | 0:5b88d5760320 | 4384 | |
| kenjiArai | 0:5b88d5760320 | 4385 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| kenjiArai | 0:5b88d5760320 | 4386 | static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 4387 | { |
| kenjiArai | 0:5b88d5760320 | 4388 | int ret; |
| kenjiArai | 0:5b88d5760320 | 4389 | size_t tlen; |
| kenjiArai | 0:5b88d5760320 | 4390 | uint32_t lifetime; |
| kenjiArai | 0:5b88d5760320 | 4391 | |
| kenjiArai | 0:5b88d5760320 | 4392 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); |
| kenjiArai | 0:5b88d5760320 | 4393 | |
| kenjiArai | 0:5b88d5760320 | 4394 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| kenjiArai | 0:5b88d5760320 | 4395 | ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; |
| kenjiArai | 0:5b88d5760320 | 4396 | |
| kenjiArai | 0:5b88d5760320 | 4397 | /* |
| kenjiArai | 0:5b88d5760320 | 4398 | * struct { |
| kenjiArai | 0:5b88d5760320 | 4399 | * uint32 ticket_lifetime_hint; |
| kenjiArai | 0:5b88d5760320 | 4400 | * opaque ticket<0..2^16-1>; |
| kenjiArai | 0:5b88d5760320 | 4401 | * } NewSessionTicket; |
| kenjiArai | 0:5b88d5760320 | 4402 | * |
| kenjiArai | 0:5b88d5760320 | 4403 | * 4 . 7 ticket_lifetime_hint (0 = unspecified) |
| kenjiArai | 0:5b88d5760320 | 4404 | * 8 . 9 ticket_len (n) |
| kenjiArai | 0:5b88d5760320 | 4405 | * 10 . 9+n ticket content |
| kenjiArai | 0:5b88d5760320 | 4406 | */ |
| kenjiArai | 0:5b88d5760320 | 4407 | |
| kenjiArai | 0:5b88d5760320 | 4408 | if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, |
| kenjiArai | 0:5b88d5760320 | 4409 | ssl->session_negotiate, |
| kenjiArai | 0:5b88d5760320 | 4410 | ssl->out_msg + 10, |
| kenjiArai | 0:5b88d5760320 | 4411 | ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, |
| kenjiArai | 0:5b88d5760320 | 4412 | &tlen, &lifetime ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4413 | { |
| kenjiArai | 0:5b88d5760320 | 4414 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret ); |
| kenjiArai | 0:5b88d5760320 | 4415 | tlen = 0; |
| kenjiArai | 0:5b88d5760320 | 4416 | } |
| kenjiArai | 0:5b88d5760320 | 4417 | |
| kenjiArai | 0:5b88d5760320 | 4418 | ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF; |
| kenjiArai | 0:5b88d5760320 | 4419 | ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF; |
| kenjiArai | 0:5b88d5760320 | 4420 | ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF; |
| kenjiArai | 0:5b88d5760320 | 4421 | ssl->out_msg[7] = ( lifetime ) & 0xFF; |
| kenjiArai | 0:5b88d5760320 | 4422 | |
| kenjiArai | 0:5b88d5760320 | 4423 | ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 4424 | ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF ); |
| kenjiArai | 0:5b88d5760320 | 4425 | |
| kenjiArai | 0:5b88d5760320 | 4426 | ssl->out_msglen = 10 + tlen; |
| kenjiArai | 0:5b88d5760320 | 4427 | |
| kenjiArai | 0:5b88d5760320 | 4428 | /* |
| kenjiArai | 0:5b88d5760320 | 4429 | * Morally equivalent to updating ssl->state, but NewSessionTicket and |
| kenjiArai | 0:5b88d5760320 | 4430 | * ChangeCipherSpec share the same state. |
| kenjiArai | 0:5b88d5760320 | 4431 | */ |
| kenjiArai | 0:5b88d5760320 | 4432 | ssl->handshake->new_session_ticket = 0; |
| kenjiArai | 0:5b88d5760320 | 4433 | |
| kenjiArai | 0:5b88d5760320 | 4434 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4435 | { |
| kenjiArai | 0:5b88d5760320 | 4436 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
| kenjiArai | 0:5b88d5760320 | 4437 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4438 | } |
| kenjiArai | 0:5b88d5760320 | 4439 | |
| kenjiArai | 0:5b88d5760320 | 4440 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); |
| kenjiArai | 0:5b88d5760320 | 4441 | |
| kenjiArai | 0:5b88d5760320 | 4442 | return( 0 ); |
| kenjiArai | 0:5b88d5760320 | 4443 | } |
| kenjiArai | 0:5b88d5760320 | 4444 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| kenjiArai | 0:5b88d5760320 | 4445 | |
| kenjiArai | 0:5b88d5760320 | 4446 | /* |
| kenjiArai | 0:5b88d5760320 | 4447 | * SSL handshake -- server side -- single step |
| kenjiArai | 0:5b88d5760320 | 4448 | */ |
| kenjiArai | 0:5b88d5760320 | 4449 | int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) |
| kenjiArai | 0:5b88d5760320 | 4450 | { |
| kenjiArai | 0:5b88d5760320 | 4451 | int ret = 0; |
| kenjiArai | 0:5b88d5760320 | 4452 | |
| kenjiArai | 0:5b88d5760320 | 4453 | if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) |
| kenjiArai | 0:5b88d5760320 | 4454 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| kenjiArai | 0:5b88d5760320 | 4455 | |
| kenjiArai | 0:5b88d5760320 | 4456 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); |
| kenjiArai | 0:5b88d5760320 | 4457 | |
| kenjiArai | 0:5b88d5760320 | 4458 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4459 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4460 | |
| kenjiArai | 0:5b88d5760320 | 4461 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 4462 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| kenjiArai | 0:5b88d5760320 | 4463 | ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) |
| kenjiArai | 0:5b88d5760320 | 4464 | { |
| kenjiArai | 0:5b88d5760320 | 4465 | if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4466 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4467 | } |
| kenjiArai | 0:5b88d5760320 | 4468 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| kenjiArai | 0:5b88d5760320 | 4469 | |
| kenjiArai | 0:5b88d5760320 | 4470 | switch( ssl->state ) |
| kenjiArai | 0:5b88d5760320 | 4471 | { |
| kenjiArai | 0:5b88d5760320 | 4472 | case MBEDTLS_SSL_HELLO_REQUEST: |
| kenjiArai | 0:5b88d5760320 | 4473 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
| kenjiArai | 0:5b88d5760320 | 4474 | break; |
| kenjiArai | 0:5b88d5760320 | 4475 | |
| kenjiArai | 0:5b88d5760320 | 4476 | /* |
| kenjiArai | 0:5b88d5760320 | 4477 | * <== ClientHello |
| kenjiArai | 0:5b88d5760320 | 4478 | */ |
| kenjiArai | 0:5b88d5760320 | 4479 | case MBEDTLS_SSL_CLIENT_HELLO: |
| kenjiArai | 0:5b88d5760320 | 4480 | ret = ssl_parse_client_hello( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4481 | break; |
| kenjiArai | 0:5b88d5760320 | 4482 | |
| kenjiArai | 0:5b88d5760320 | 4483 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| kenjiArai | 0:5b88d5760320 | 4484 | case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: |
| kenjiArai | 0:5b88d5760320 | 4485 | return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); |
| kenjiArai | 0:5b88d5760320 | 4486 | #endif |
| kenjiArai | 0:5b88d5760320 | 4487 | |
| kenjiArai | 0:5b88d5760320 | 4488 | /* |
| kenjiArai | 0:5b88d5760320 | 4489 | * ==> ServerHello |
| kenjiArai | 0:5b88d5760320 | 4490 | * Certificate |
| kenjiArai | 0:5b88d5760320 | 4491 | * ( ServerKeyExchange ) |
| kenjiArai | 0:5b88d5760320 | 4492 | * ( CertificateRequest ) |
| kenjiArai | 0:5b88d5760320 | 4493 | * ServerHelloDone |
| kenjiArai | 0:5b88d5760320 | 4494 | */ |
| kenjiArai | 0:5b88d5760320 | 4495 | case MBEDTLS_SSL_SERVER_HELLO: |
| kenjiArai | 0:5b88d5760320 | 4496 | ret = ssl_write_server_hello( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4497 | break; |
| kenjiArai | 0:5b88d5760320 | 4498 | |
| kenjiArai | 0:5b88d5760320 | 4499 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
| kenjiArai | 0:5b88d5760320 | 4500 | ret = mbedtls_ssl_write_certificate( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4501 | break; |
| kenjiArai | 0:5b88d5760320 | 4502 | |
| kenjiArai | 0:5b88d5760320 | 4503 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: |
| kenjiArai | 0:5b88d5760320 | 4504 | ret = ssl_write_server_key_exchange( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4505 | break; |
| kenjiArai | 0:5b88d5760320 | 4506 | |
| kenjiArai | 0:5b88d5760320 | 4507 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
| kenjiArai | 0:5b88d5760320 | 4508 | ret = ssl_write_certificate_request( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4509 | break; |
| kenjiArai | 0:5b88d5760320 | 4510 | |
| kenjiArai | 0:5b88d5760320 | 4511 | case MBEDTLS_SSL_SERVER_HELLO_DONE: |
| kenjiArai | 0:5b88d5760320 | 4512 | ret = ssl_write_server_hello_done( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4513 | break; |
| kenjiArai | 0:5b88d5760320 | 4514 | |
| kenjiArai | 0:5b88d5760320 | 4515 | /* |
| kenjiArai | 0:5b88d5760320 | 4516 | * <== ( Certificate/Alert ) |
| kenjiArai | 0:5b88d5760320 | 4517 | * ClientKeyExchange |
| kenjiArai | 0:5b88d5760320 | 4518 | * ( CertificateVerify ) |
| kenjiArai | 0:5b88d5760320 | 4519 | * ChangeCipherSpec |
| kenjiArai | 0:5b88d5760320 | 4520 | * Finished |
| kenjiArai | 0:5b88d5760320 | 4521 | */ |
| kenjiArai | 0:5b88d5760320 | 4522 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
| kenjiArai | 0:5b88d5760320 | 4523 | ret = mbedtls_ssl_parse_certificate( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4524 | break; |
| kenjiArai | 0:5b88d5760320 | 4525 | |
| kenjiArai | 0:5b88d5760320 | 4526 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: |
| kenjiArai | 0:5b88d5760320 | 4527 | ret = ssl_parse_client_key_exchange( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4528 | break; |
| kenjiArai | 0:5b88d5760320 | 4529 | |
| kenjiArai | 0:5b88d5760320 | 4530 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
| kenjiArai | 0:5b88d5760320 | 4531 | ret = ssl_parse_certificate_verify( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4532 | break; |
| kenjiArai | 0:5b88d5760320 | 4533 | |
| kenjiArai | 0:5b88d5760320 | 4534 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: |
| kenjiArai | 0:5b88d5760320 | 4535 | ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4536 | break; |
| kenjiArai | 0:5b88d5760320 | 4537 | |
| kenjiArai | 0:5b88d5760320 | 4538 | case MBEDTLS_SSL_CLIENT_FINISHED: |
| kenjiArai | 0:5b88d5760320 | 4539 | ret = mbedtls_ssl_parse_finished( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4540 | break; |
| kenjiArai | 0:5b88d5760320 | 4541 | |
| kenjiArai | 0:5b88d5760320 | 4542 | /* |
| kenjiArai | 0:5b88d5760320 | 4543 | * ==> ( NewSessionTicket ) |
| kenjiArai | 0:5b88d5760320 | 4544 | * ChangeCipherSpec |
| kenjiArai | 0:5b88d5760320 | 4545 | * Finished |
| kenjiArai | 0:5b88d5760320 | 4546 | */ |
| kenjiArai | 0:5b88d5760320 | 4547 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: |
| kenjiArai | 0:5b88d5760320 | 4548 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| kenjiArai | 0:5b88d5760320 | 4549 | if( ssl->handshake->new_session_ticket != 0 ) |
| kenjiArai | 0:5b88d5760320 | 4550 | ret = ssl_write_new_session_ticket( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4551 | else |
| kenjiArai | 0:5b88d5760320 | 4552 | #endif |
| kenjiArai | 0:5b88d5760320 | 4553 | ret = mbedtls_ssl_write_change_cipher_spec( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4554 | break; |
| kenjiArai | 0:5b88d5760320 | 4555 | |
| kenjiArai | 0:5b88d5760320 | 4556 | case MBEDTLS_SSL_SERVER_FINISHED: |
| kenjiArai | 0:5b88d5760320 | 4557 | ret = mbedtls_ssl_write_finished( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4558 | break; |
| kenjiArai | 0:5b88d5760320 | 4559 | |
| kenjiArai | 0:5b88d5760320 | 4560 | case MBEDTLS_SSL_FLUSH_BUFFERS: |
| kenjiArai | 0:5b88d5760320 | 4561 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); |
| kenjiArai | 0:5b88d5760320 | 4562 | ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; |
| kenjiArai | 0:5b88d5760320 | 4563 | break; |
| kenjiArai | 0:5b88d5760320 | 4564 | |
| kenjiArai | 0:5b88d5760320 | 4565 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
| kenjiArai | 0:5b88d5760320 | 4566 | mbedtls_ssl_handshake_wrapup( ssl ); |
| kenjiArai | 0:5b88d5760320 | 4567 | break; |
| kenjiArai | 0:5b88d5760320 | 4568 | |
| kenjiArai | 0:5b88d5760320 | 4569 | default: |
| kenjiArai | 0:5b88d5760320 | 4570 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); |
| kenjiArai | 0:5b88d5760320 | 4571 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| kenjiArai | 0:5b88d5760320 | 4572 | } |
| kenjiArai | 0:5b88d5760320 | 4573 | |
| kenjiArai | 0:5b88d5760320 | 4574 | return( ret ); |
| kenjiArai | 0:5b88d5760320 | 4575 | } |
| kenjiArai | 0:5b88d5760320 | 4576 | #endif /* MBEDTLS_SSL_SRV_C */ |