Kenji Arai
/
mbed-os_TYBLE16
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_CLI_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00043 #include "mbedtls/psa_util.h" 00044 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 00045 00046 #include <string.h> 00047 00048 #include <stdint.h> 00049 00050 #if defined(MBEDTLS_HAVE_TIME) 00051 #include "mbedtls/platform_time.h" 00052 #endif 00053 00054 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00055 #include "mbedtls/platform_util.h" 00056 #endif 00057 00058 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 00059 static int ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) 00060 { 00061 if( conf->psk_identity == NULL || 00062 conf->psk_identity_len == 0 ) 00063 { 00064 return( 0 ); 00065 } 00066 00067 if( conf->psk != NULL && conf->psk_len != 0 ) 00068 return( 1 ); 00069 00070 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00071 if( conf->psk_opaque != 0 ) 00072 return( 1 ); 00073 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 00074 00075 return( 0 ); 00076 } 00077 00078 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00079 static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf ) 00080 { 00081 if( conf->psk_identity == NULL || 00082 conf->psk_identity_len == 0 ) 00083 { 00084 return( 0 ); 00085 } 00086 00087 if( conf->psk != NULL && conf->psk_len != 0 ) 00088 return( 1 ); 00089 00090 return( 0 ); 00091 } 00092 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 00093 00094 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 00095 00096 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00097 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 00098 unsigned char *buf, 00099 size_t *olen ) 00100 { 00101 unsigned char *p = buf; 00102 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00103 size_t hostname_len; 00104 00105 *olen = 0; 00106 00107 if( ssl->hostname == NULL ) 00108 return; 00109 00110 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00111 ssl->hostname ) ); 00112 00113 hostname_len = strlen( ssl->hostname ); 00114 00115 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 00116 { 00117 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00118 return; 00119 } 00120 00121 /* 00122 * Sect. 3, RFC 6066 (TLS Extensions Definitions) 00123 * 00124 * In order to provide any of the server names, clients MAY include an 00125 * extension of type "server_name" in the (extended) client hello. The 00126 * "extension_data" field of this extension SHALL contain 00127 * "ServerNameList" where: 00128 * 00129 * struct { 00130 * NameType name_type; 00131 * select (name_type) { 00132 * case host_name: HostName; 00133 * } name; 00134 * } ServerName; 00135 * 00136 * enum { 00137 * host_name(0), (255) 00138 * } NameType; 00139 * 00140 * opaque HostName<1..2^16-1>; 00141 * 00142 * struct { 00143 * ServerName server_name_list<1..2^16-1> 00144 * } ServerNameList; 00145 * 00146 */ 00147 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00148 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 00149 00150 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 00151 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 00152 00153 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 00154 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 00155 00156 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00157 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 00158 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 00159 00160 memcpy( p, ssl->hostname, hostname_len ); 00161 00162 *olen = hostname_len + 9; 00163 } 00164 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00165 00166 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00167 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 00168 unsigned char *buf, 00169 size_t *olen ) 00170 { 00171 unsigned char *p = buf; 00172 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00173 00174 *olen = 0; 00175 00176 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the 00177 * initial ClientHello, in which case also adding the renegotiation 00178 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ 00179 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00180 return; 00181 00182 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00183 00184 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 00185 { 00186 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00187 return; 00188 } 00189 00190 /* 00191 * Secure renegotiation 00192 */ 00193 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00194 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00195 00196 *p++ = 0x00; 00197 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00198 *p++ = ssl->verify_data_len & 0xFF; 00199 00200 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00201 00202 *olen = 5 + ssl->verify_data_len; 00203 } 00204 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00205 00206 /* 00207 * Only if we handle at least one key exchange that needs signatures. 00208 */ 00209 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00210 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00211 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00212 unsigned char *buf, 00213 size_t *olen ) 00214 { 00215 unsigned char *p = buf; 00216 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00217 size_t sig_alg_len = 0; 00218 const int *md; 00219 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 00220 unsigned char *sig_alg_list = buf + 6; 00221 #endif 00222 00223 *olen = 0; 00224 00225 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 00226 return; 00227 00228 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00229 00230 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00231 { 00232 #if defined(MBEDTLS_ECDSA_C) 00233 sig_alg_len += 2; 00234 #endif 00235 #if defined(MBEDTLS_RSA_C) 00236 sig_alg_len += 2; 00237 #endif 00238 } 00239 00240 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 00241 { 00242 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00243 return; 00244 } 00245 00246 /* 00247 * Prepare signature_algorithms extension (TLS 1.2) 00248 */ 00249 sig_alg_len = 0; 00250 00251 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00252 { 00253 #if defined(MBEDTLS_ECDSA_C) 00254 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00255 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 00256 #endif 00257 #if defined(MBEDTLS_RSA_C) 00258 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00259 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 00260 #endif 00261 } 00262 00263 /* 00264 * enum { 00265 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00266 * sha512(6), (255) 00267 * } HashAlgorithm; 00268 * 00269 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00270 * SignatureAlgorithm; 00271 * 00272 * struct { 00273 * HashAlgorithm hash; 00274 * SignatureAlgorithm signature; 00275 * } SignatureAndHashAlgorithm; 00276 * 00277 * SignatureAndHashAlgorithm 00278 * supported_signature_algorithms<2..2^16-2>; 00279 */ 00280 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00281 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 00282 00283 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00284 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00285 00286 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00287 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00288 00289 *olen = 6 + sig_alg_len; 00290 } 00291 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00292 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00293 00294 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00295 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00296 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 00297 unsigned char *buf, 00298 size_t *olen ) 00299 { 00300 unsigned char *p = buf; 00301 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00302 unsigned char *elliptic_curve_list = p + 6; 00303 size_t elliptic_curve_len = 0; 00304 const mbedtls_ecp_curve_info *info; 00305 #if defined(MBEDTLS_ECP_C) 00306 const mbedtls_ecp_group_id *grp_id; 00307 #else 00308 ((void) ssl); 00309 #endif 00310 00311 *olen = 0; 00312 00313 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00314 00315 #if defined(MBEDTLS_ECP_C) 00316 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00317 #else 00318 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00319 #endif 00320 { 00321 #if defined(MBEDTLS_ECP_C) 00322 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00323 #endif 00324 if( info == NULL ) 00325 { 00326 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); 00327 return; 00328 } 00329 00330 elliptic_curve_len += 2; 00331 } 00332 00333 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 00334 { 00335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00336 return; 00337 } 00338 00339 elliptic_curve_len = 0; 00340 00341 #if defined(MBEDTLS_ECP_C) 00342 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00343 #else 00344 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00345 #endif 00346 { 00347 #if defined(MBEDTLS_ECP_C) 00348 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00349 #endif 00350 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00351 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00352 } 00353 00354 if( elliptic_curve_len == 0 ) 00355 return; 00356 00357 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00358 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00359 00360 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00361 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00362 00363 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00364 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00365 00366 *olen = 6 + elliptic_curve_len; 00367 } 00368 00369 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 00370 unsigned char *buf, 00371 size_t *olen ) 00372 { 00373 unsigned char *p = buf; 00374 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00375 00376 *olen = 0; 00377 00378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00379 00380 if( end < p || (size_t)( end - p ) < 6 ) 00381 { 00382 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00383 return; 00384 } 00385 00386 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00387 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00388 00389 *p++ = 0x00; 00390 *p++ = 2; 00391 00392 *p++ = 1; 00393 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 00394 00395 *olen = 6; 00396 } 00397 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00398 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00399 00400 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00401 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 00402 unsigned char *buf, 00403 size_t *olen ) 00404 { 00405 int ret; 00406 unsigned char *p = buf; 00407 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00408 size_t kkpp_len; 00409 00410 *olen = 0; 00411 00412 /* Skip costly extension if we can't use EC J-PAKE anyway */ 00413 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00414 return; 00415 00416 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 00417 00418 if( end - p < 4 ) 00419 { 00420 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00421 return; 00422 } 00423 00424 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 00425 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 00426 00427 /* 00428 * We may need to send ClientHello multiple times for Hello verification. 00429 * We don't want to compute fresh values every time (both for performance 00430 * and consistency reasons), so cache the extension content. 00431 */ 00432 if( ssl->handshake->ecjpake_cache == NULL || 00433 ssl->handshake->ecjpake_cache_len == 0 ) 00434 { 00435 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 00436 00437 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 00438 p + 2, end - p - 2, &kkpp_len, 00439 ssl->conf->f_rng, ssl->conf->p_rng ); 00440 if( ret != 0 ) 00441 { 00442 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 00443 return; 00444 } 00445 00446 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 00447 if( ssl->handshake->ecjpake_cache == NULL ) 00448 { 00449 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 00450 return; 00451 } 00452 00453 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 00454 ssl->handshake->ecjpake_cache_len = kkpp_len; 00455 } 00456 else 00457 { 00458 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 00459 00460 kkpp_len = ssl->handshake->ecjpake_cache_len; 00461 00462 if( (size_t)( end - p - 2 ) < kkpp_len ) 00463 { 00464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00465 return; 00466 } 00467 00468 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 00469 } 00470 00471 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 00472 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 00473 00474 *olen = kkpp_len + 4; 00475 } 00476 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00477 00478 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 00479 static void ssl_write_cid_ext( mbedtls_ssl_context *ssl, 00480 unsigned char *buf, 00481 size_t *olen ) 00482 { 00483 unsigned char *p = buf; 00484 size_t ext_len; 00485 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00486 00487 /* 00488 * Quoting draft-ietf-tls-dtls-connection-id-05 00489 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 00490 * 00491 * struct { 00492 * opaque cid<0..2^8-1>; 00493 * } ConnectionId; 00494 */ 00495 00496 *olen = 0; 00497 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 00498 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED ) 00499 { 00500 return; 00501 } 00502 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) ); 00503 00504 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX 00505 * which is at most 255, so the increment cannot overflow. */ 00506 if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) ) 00507 { 00508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00509 return; 00510 } 00511 00512 /* Add extension ID + size */ 00513 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF ); 00514 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF ); 00515 ext_len = (size_t) ssl->own_cid_len + 1; 00516 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 00517 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 00518 00519 *p++ = (uint8_t) ssl->own_cid_len; 00520 memcpy( p, ssl->own_cid, ssl->own_cid_len ); 00521 00522 *olen = ssl->own_cid_len + 5; 00523 } 00524 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 00525 00526 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00527 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00528 unsigned char *buf, 00529 size_t *olen ) 00530 { 00531 unsigned char *p = buf; 00532 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00533 00534 *olen = 0; 00535 00536 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 00537 return; 00538 } 00539 00540 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00541 00542 if( end < p || (size_t)( end - p ) < 5 ) 00543 { 00544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00545 return; 00546 } 00547 00548 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00549 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00550 00551 *p++ = 0x00; 00552 *p++ = 1; 00553 00554 *p++ = ssl->conf->mfl_code; 00555 00556 *olen = 5; 00557 } 00558 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00559 00560 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00561 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00562 unsigned char *buf, size_t *olen ) 00563 { 00564 unsigned char *p = buf; 00565 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00566 00567 *olen = 0; 00568 00569 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 00570 { 00571 return; 00572 } 00573 00574 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00575 00576 if( end < p || (size_t)( end - p ) < 4 ) 00577 { 00578 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00579 return; 00580 } 00581 00582 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00583 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00584 00585 *p++ = 0x00; 00586 *p++ = 0x00; 00587 00588 *olen = 4; 00589 } 00590 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00591 00592 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00593 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00594 unsigned char *buf, size_t *olen ) 00595 { 00596 unsigned char *p = buf; 00597 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00598 00599 *olen = 0; 00600 00601 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 00602 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00603 { 00604 return; 00605 } 00606 00607 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00608 "extension" ) ); 00609 00610 if( end < p || (size_t)( end - p ) < 4 ) 00611 { 00612 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00613 return; 00614 } 00615 00616 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00617 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00618 00619 *p++ = 0x00; 00620 *p++ = 0x00; 00621 00622 *olen = 4; 00623 } 00624 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00625 00626 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00627 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 00628 unsigned char *buf, size_t *olen ) 00629 { 00630 unsigned char *p = buf; 00631 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00632 00633 *olen = 0; 00634 00635 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 00636 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00637 { 00638 return; 00639 } 00640 00641 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00642 "extension" ) ); 00643 00644 if( end < p || (size_t)( end - p ) < 4 ) 00645 { 00646 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00647 return; 00648 } 00649 00650 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00651 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00652 00653 *p++ = 0x00; 00654 *p++ = 0x00; 00655 00656 *olen = 4; 00657 } 00658 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00659 00660 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00661 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 00662 unsigned char *buf, size_t *olen ) 00663 { 00664 unsigned char *p = buf; 00665 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00666 size_t tlen = ssl->session_negotiate->ticket_len; 00667 00668 *olen = 0; 00669 00670 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 00671 { 00672 return; 00673 } 00674 00675 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00676 00677 if( end < p || (size_t)( end - p ) < 4 + tlen ) 00678 { 00679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00680 return; 00681 } 00682 00683 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00684 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 00685 00686 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00687 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00688 00689 *olen = 4; 00690 00691 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 00692 { 00693 return; 00694 } 00695 00696 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00697 00698 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00699 00700 *olen += tlen; 00701 } 00702 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00703 00704 #if defined(MBEDTLS_SSL_ALPN) 00705 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 00706 unsigned char *buf, size_t *olen ) 00707 { 00708 unsigned char *p = buf; 00709 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 00710 size_t alpnlen = 0; 00711 const char **cur; 00712 00713 *olen = 0; 00714 00715 if( ssl->conf->alpn_list == NULL ) 00716 { 00717 return; 00718 } 00719 00720 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00721 00722 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00723 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 00724 00725 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 00726 { 00727 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00728 return; 00729 } 00730 00731 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 00732 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 00733 00734 /* 00735 * opaque ProtocolName<1..2^8-1>; 00736 * 00737 * struct { 00738 * ProtocolName protocol_name_list<2..2^16-1> 00739 * } ProtocolNameList; 00740 */ 00741 00742 /* Skip writing extension and list length for now */ 00743 p += 4; 00744 00745 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00746 { 00747 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00748 memcpy( p + 1, *cur, *p ); 00749 p += 1 + *p; 00750 } 00751 00752 *olen = p - buf; 00753 00754 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00755 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00756 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00757 00758 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00759 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00760 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00761 } 00762 #endif /* MBEDTLS_SSL_ALPN */ 00763 00764 /* 00765 * Generate random bytes for ClientHello 00766 */ 00767 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 00768 { 00769 int ret; 00770 unsigned char *p = ssl->handshake->randbytes; 00771 #if defined(MBEDTLS_HAVE_TIME) 00772 mbedtls_time_t t; 00773 #endif 00774 00775 /* 00776 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 00777 */ 00778 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00779 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00780 ssl->handshake->verify_cookie != NULL ) 00781 { 00782 return( 0 ); 00783 } 00784 #endif 00785 00786 #if defined(MBEDTLS_HAVE_TIME) 00787 t = mbedtls_time( NULL ); 00788 *p++ = (unsigned char)( t >> 24 ); 00789 *p++ = (unsigned char)( t >> 16 ); 00790 *p++ = (unsigned char)( t >> 8 ); 00791 *p++ = (unsigned char)( t ); 00792 00793 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00794 #else 00795 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 00796 return( ret ); 00797 00798 p += 4; 00799 #endif /* MBEDTLS_HAVE_TIME */ 00800 00801 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 00802 return( ret ); 00803 00804 return( 0 ); 00805 } 00806 00807 /** 00808 * \brief Validate cipher suite against config in SSL context. 00809 * 00810 * \param suite_info cipher suite to validate 00811 * \param ssl SSL context 00812 * \param min_minor_ver Minimal minor version to accept a cipher suite 00813 * \param max_minor_ver Maximal minor version to accept a cipher suite 00814 * 00815 * \return 0 if valid, else 1 00816 */ 00817 static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info, 00818 const mbedtls_ssl_context * ssl, 00819 int min_minor_ver, int max_minor_ver ) 00820 { 00821 (void) ssl; 00822 if( suite_info == NULL ) 00823 return( 1 ); 00824 00825 if( suite_info->min_minor_ver > max_minor_ver || 00826 suite_info->max_minor_ver < min_minor_ver ) 00827 return( 1 ); 00828 00829 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00830 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00831 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00832 return( 1 ); 00833 #endif 00834 00835 #if defined(MBEDTLS_ARC4_C) 00836 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00837 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00838 return( 1 ); 00839 #endif 00840 00841 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00842 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00843 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00844 return( 1 ); 00845 #endif 00846 00847 /* Don't suggest PSK-based ciphersuite if no PSK is available. */ 00848 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 00849 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && 00850 ssl_conf_has_static_psk( ssl->conf ) == 0 ) 00851 { 00852 return( 1 ); 00853 } 00854 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 00855 00856 return( 0 ); 00857 } 00858 00859 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 00860 { 00861 int ret; 00862 size_t i, n, olen, ext_len = 0; 00863 unsigned char *buf; 00864 unsigned char *p, *q; 00865 unsigned char offer_compress; 00866 const int *ciphersuites; 00867 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00868 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00869 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00870 int uses_ec = 0; 00871 #endif 00872 00873 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00874 00875 if( ssl->conf->f_rng == NULL ) 00876 { 00877 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00878 return( MBEDTLS_ERR_SSL_NO_RNG ); 00879 } 00880 00881 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00882 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00883 #endif 00884 { 00885 ssl->major_ver = ssl->conf->min_major_ver; 00886 ssl->minor_ver = ssl->conf->min_minor_ver; 00887 } 00888 00889 if( ssl->conf->max_major_ver == 0 ) 00890 { 00891 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 00892 "consider using mbedtls_ssl_config_defaults()" ) ); 00893 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00894 } 00895 00896 /* 00897 * 0 . 0 handshake type 00898 * 1 . 3 handshake length 00899 * 4 . 5 highest version supported 00900 * 6 . 9 current UNIX time 00901 * 10 . 37 random bytes 00902 */ 00903 buf = ssl->out_msg; 00904 p = buf + 4; 00905 00906 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 00907 ssl->conf->transport, p ); 00908 p += 2; 00909 00910 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00911 buf[4], buf[5] ) ); 00912 00913 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 00914 { 00915 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 00916 return( ret ); 00917 } 00918 00919 memcpy( p, ssl->handshake->randbytes, 32 ); 00920 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 00921 p += 32; 00922 00923 /* 00924 * 38 . 38 session id length 00925 * 39 . 39+n session id 00926 * 39+n . 39+n DTLS only: cookie length (1 byte) 00927 * 40+n . .. DTSL only: cookie 00928 * .. . .. ciphersuitelist length (2 bytes) 00929 * .. . .. ciphersuitelist 00930 * .. . .. compression methods length (1 byte) 00931 * .. . .. compression methods 00932 * .. . .. extensions length (2 bytes) 00933 * .. . .. extensions 00934 */ 00935 n = ssl->session_negotiate->id_len; 00936 00937 if( n < 16 || n > 32 || 00938 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00939 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 00940 #endif 00941 ssl->handshake->resume == 0 ) 00942 { 00943 n = 0; 00944 } 00945 00946 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00947 /* 00948 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00949 * generate and include a Session ID in the TLS ClientHello." 00950 */ 00951 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00952 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00953 #endif 00954 { 00955 if( ssl->session_negotiate->ticket != NULL && 00956 ssl->session_negotiate->ticket_len != 0 ) 00957 { 00958 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 00959 00960 if( ret != 0 ) 00961 return( ret ); 00962 00963 ssl->session_negotiate->id_len = n = 32; 00964 } 00965 } 00966 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00967 00968 *p++ = (unsigned char) n; 00969 00970 for( i = 0; i < n; i++ ) 00971 *p++ = ssl->session_negotiate->id[i]; 00972 00973 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00974 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00975 00976 /* 00977 * DTLS cookie 00978 */ 00979 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00980 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00981 { 00982 if( ssl->handshake->verify_cookie == NULL ) 00983 { 00984 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 00985 *p++ = 0; 00986 } 00987 else 00988 { 00989 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 00990 ssl->handshake->verify_cookie, 00991 ssl->handshake->verify_cookie_len ); 00992 00993 *p++ = ssl->handshake->verify_cookie_len; 00994 memcpy( p, ssl->handshake->verify_cookie, 00995 ssl->handshake->verify_cookie_len ); 00996 p += ssl->handshake->verify_cookie_len; 00997 } 00998 } 00999 #endif 01000 01001 /* 01002 * Ciphersuite list 01003 */ 01004 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01005 01006 /* Skip writing ciphersuite length for now */ 01007 n = 0; 01008 q = p; 01009 p += 2; 01010 01011 for( i = 0; ciphersuites[i] != 0; i++ ) 01012 { 01013 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 01014 01015 if( ssl_validate_ciphersuite( ciphersuite_info, ssl, 01016 ssl->conf->min_minor_ver, 01017 ssl->conf->max_minor_ver ) != 0 ) 01018 continue; 01019 01020 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 01021 ciphersuites[i] ) ); 01022 01023 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01024 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01025 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info ); 01026 #endif 01027 01028 n++; 01029 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 01030 *p++ = (unsigned char)( ciphersuites[i] ); 01031 } 01032 01033 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) ); 01034 01035 /* 01036 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01037 */ 01038 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01039 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01040 #endif 01041 { 01042 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) ); 01043 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 01044 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 01045 n++; 01046 } 01047 01048 /* Some versions of OpenSSL don't handle it correctly if not at end */ 01049 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01050 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 01051 { 01052 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 01053 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 01054 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 01055 n++; 01056 } 01057 #endif 01058 01059 *q++ = (unsigned char)( n >> 7 ); 01060 *q++ = (unsigned char)( n << 1 ); 01061 01062 #if defined(MBEDTLS_ZLIB_SUPPORT) 01063 offer_compress = 1; 01064 #else 01065 offer_compress = 0; 01066 #endif 01067 01068 /* 01069 * We don't support compression with DTLS right now: if many records come 01070 * in the same datagram, uncompressing one could overwrite the next one. 01071 * We don't want to add complexity for handling that case unless there is 01072 * an actual need for it. 01073 */ 01074 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01075 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01076 offer_compress = 0; 01077 #endif 01078 01079 if( offer_compress ) 01080 { 01081 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 01082 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 01083 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 01084 01085 *p++ = 2; 01086 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 01087 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 01088 } 01089 else 01090 { 01091 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 01092 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 01093 MBEDTLS_SSL_COMPRESS_NULL ) ); 01094 01095 *p++ = 1; 01096 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 01097 } 01098 01099 // First write extensions, then the total length 01100 // 01101 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 01102 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 01103 ext_len += olen; 01104 #endif 01105 01106 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added 01107 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ 01108 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01109 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 01110 ext_len += olen; 01111 #endif 01112 01113 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01114 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01115 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 01116 ext_len += olen; 01117 #endif 01118 01119 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01120 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01121 if( uses_ec ) 01122 { 01123 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 01124 ext_len += olen; 01125 01126 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 01127 ext_len += olen; 01128 } 01129 #endif 01130 01131 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01132 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 01133 ext_len += olen; 01134 #endif 01135 01136 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 01137 ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen ); 01138 ext_len += olen; 01139 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 01140 01141 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01142 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 01143 ext_len += olen; 01144 #endif 01145 01146 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01147 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 01148 ext_len += olen; 01149 #endif 01150 01151 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01152 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 01153 ext_len += olen; 01154 #endif 01155 01156 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01157 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 01158 ext_len += olen; 01159 #endif 01160 01161 #if defined(MBEDTLS_SSL_ALPN) 01162 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01163 ext_len += olen; 01164 #endif 01165 01166 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01167 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01168 ext_len += olen; 01169 #endif 01170 01171 /* olen unused if all extensions are disabled */ 01172 ((void) olen); 01173 01174 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 01175 ext_len ) ); 01176 01177 if( ext_len > 0 ) 01178 { 01179 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01180 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01181 p += ext_len; 01182 } 01183 01184 ssl->out_msglen = p - buf; 01185 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 01186 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 01187 01188 ssl->state++; 01189 01190 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01191 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01192 mbedtls_ssl_send_flight_completed( ssl ); 01193 #endif 01194 01195 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 01196 { 01197 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 01198 return( ret ); 01199 } 01200 01201 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01202 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 01203 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) 01204 { 01205 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); 01206 return( ret ); 01207 } 01208 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01209 01210 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 01211 01212 return( 0 ); 01213 } 01214 01215 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 01216 const unsigned char *buf, 01217 size_t len ) 01218 { 01219 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01220 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01221 { 01222 /* Check verify-data in constant-time. The length OTOH is no secret */ 01223 if( len != 1 + ssl->verify_data_len * 2 || 01224 buf[0] != ssl->verify_data_len * 2 || 01225 mbedtls_ssl_safer_memcmp( buf + 1, 01226 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 01227 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 01228 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 01229 { 01230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 01231 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01232 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01233 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01234 } 01235 } 01236 else 01237 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01238 { 01239 if( len != 1 || buf[0] != 0x00 ) 01240 { 01241 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 01242 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01243 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01244 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01245 } 01246 01247 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01248 } 01249 01250 return( 0 ); 01251 } 01252 01253 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01254 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 01255 const unsigned char *buf, 01256 size_t len ) 01257 { 01258 /* 01259 * server should use the extension only if we did, 01260 * and if so the server's value should match ours (and len is always 1) 01261 */ 01262 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 01263 len != 1 || 01264 buf[0] != ssl->conf->mfl_code ) 01265 { 01266 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) ); 01267 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01268 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01269 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01270 } 01271 01272 return( 0 ); 01273 } 01274 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01275 01276 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01277 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01278 const unsigned char *buf, 01279 size_t len ) 01280 { 01281 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 01282 len != 0 ) 01283 { 01284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) ); 01285 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01286 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01287 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01288 } 01289 01290 ((void) buf); 01291 01292 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 01293 01294 return( 0 ); 01295 } 01296 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01297 01298 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 01299 static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl, 01300 const unsigned char *buf, 01301 size_t len ) 01302 { 01303 size_t peer_cid_len; 01304 01305 if( /* CID extension only makes sense in DTLS */ 01306 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 01307 /* The server must only send the CID extension if we have offered it. */ 01308 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED ) 01309 { 01310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) ); 01311 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01312 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01313 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01314 } 01315 01316 if( len == 0 ) 01317 { 01318 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) ); 01319 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01320 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01321 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01322 } 01323 01324 peer_cid_len = *buf++; 01325 len--; 01326 01327 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX ) 01328 { 01329 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) ); 01330 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01331 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01332 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01333 } 01334 01335 if( len != peer_cid_len ) 01336 { 01337 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) ); 01338 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01339 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01340 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01341 } 01342 01343 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; 01344 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; 01345 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len ); 01346 01347 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) ); 01348 MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len ); 01349 01350 return( 0 ); 01351 } 01352 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 01353 01354 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01355 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01356 const unsigned char *buf, 01357 size_t len ) 01358 { 01359 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 01360 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01361 len != 0 ) 01362 { 01363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) ); 01364 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01365 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01366 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01367 } 01368 01369 ((void) buf); 01370 01371 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 01372 01373 return( 0 ); 01374 } 01375 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01376 01377 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01378 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 01379 const unsigned char *buf, 01380 size_t len ) 01381 { 01382 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01383 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01384 len != 0 ) 01385 { 01386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) ); 01387 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01388 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01389 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01390 } 01391 01392 ((void) buf); 01393 01394 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 01395 01396 return( 0 ); 01397 } 01398 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01399 01400 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01401 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 01402 const unsigned char *buf, 01403 size_t len ) 01404 { 01405 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 01406 len != 0 ) 01407 { 01408 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) ); 01409 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01410 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01411 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01412 } 01413 01414 ((void) buf); 01415 01416 ssl->handshake->new_session_ticket = 1; 01417 01418 return( 0 ); 01419 } 01420 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01421 01422 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01423 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01424 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 01425 const unsigned char *buf, 01426 size_t len ) 01427 { 01428 size_t list_size; 01429 const unsigned char *p; 01430 01431 if( len == 0 || (size_t)( buf[0] + 1 ) != len ) 01432 { 01433 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01434 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01435 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01436 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01437 } 01438 list_size = buf[0]; 01439 01440 p = buf + 1; 01441 while( list_size > 0 ) 01442 { 01443 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 01444 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 01445 { 01446 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 01447 ssl->handshake->ecdh_ctx.point_format = p[0]; 01448 #endif 01449 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01450 ssl->handshake->ecjpake_ctx.point_format = p[0]; 01451 #endif 01452 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 01453 return( 0 ); 01454 } 01455 01456 list_size--; 01457 p++; 01458 } 01459 01460 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 01461 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01462 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01463 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01464 } 01465 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01466 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01467 01468 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01469 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 01470 const unsigned char *buf, 01471 size_t len ) 01472 { 01473 int ret; 01474 01475 if( ssl->handshake->ciphersuite_info->key_exchange != 01476 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 01477 { 01478 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 01479 return( 0 ); 01480 } 01481 01482 /* If we got here, we no longer need our cached extension */ 01483 mbedtls_free( ssl->handshake->ecjpake_cache ); 01484 ssl->handshake->ecjpake_cache = NULL; 01485 ssl->handshake->ecjpake_cache_len = 0; 01486 01487 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 01488 buf, len ) ) != 0 ) 01489 { 01490 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 01491 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01492 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01493 return( ret ); 01494 } 01495 01496 return( 0 ); 01497 } 01498 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01499 01500 #if defined(MBEDTLS_SSL_ALPN) 01501 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 01502 const unsigned char *buf, size_t len ) 01503 { 01504 size_t list_len, name_len; 01505 const char **p; 01506 01507 /* If we didn't send it, the server shouldn't send it */ 01508 if( ssl->conf->alpn_list == NULL ) 01509 { 01510 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) ); 01511 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01512 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01513 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01514 } 01515 01516 /* 01517 * opaque ProtocolName<1..2^8-1>; 01518 * 01519 * struct { 01520 * ProtocolName protocol_name_list<2..2^16-1> 01521 * } ProtocolNameList; 01522 * 01523 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 01524 */ 01525 01526 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 01527 if( len < 4 ) 01528 { 01529 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01530 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01531 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01532 } 01533 01534 list_len = ( buf[0] << 8 ) | buf[1]; 01535 if( list_len != len - 2 ) 01536 { 01537 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01538 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01539 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01540 } 01541 01542 name_len = buf[2]; 01543 if( name_len != list_len - 1 ) 01544 { 01545 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01546 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01547 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01548 } 01549 01550 /* Check that the server chosen protocol was in our list and save it */ 01551 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 01552 { 01553 if( name_len == strlen( *p ) && 01554 memcmp( buf + 3, *p, name_len ) == 0 ) 01555 { 01556 ssl->alpn_chosen = *p; 01557 return( 0 ); 01558 } 01559 } 01560 01561 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) ); 01562 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01563 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01564 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01565 } 01566 #endif /* MBEDTLS_SSL_ALPN */ 01567 01568 /* 01569 * Parse HelloVerifyRequest. Only called after verifying the HS type. 01570 */ 01571 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01572 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 01573 { 01574 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 01575 int major_ver, minor_ver; 01576 unsigned char cookie_len; 01577 01578 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 01579 01580 /* 01581 * struct { 01582 * ProtocolVersion server_version; 01583 * opaque cookie<0..2^8-1>; 01584 * } HelloVerifyRequest; 01585 */ 01586 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 01587 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 01588 p += 2; 01589 01590 /* 01591 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 01592 * even is lower than our min version. 01593 */ 01594 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 01595 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 01596 major_ver > ssl->conf->max_major_ver || 01597 minor_ver > ssl->conf->max_minor_ver ) 01598 { 01599 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 01600 01601 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01602 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01603 01604 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01605 } 01606 01607 cookie_len = *p++; 01608 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 01609 01610 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) 01611 { 01612 MBEDTLS_SSL_DEBUG_MSG( 1, 01613 ( "cookie length does not match incoming message size" ) ); 01614 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01615 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01616 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01617 } 01618 01619 mbedtls_free( ssl->handshake->verify_cookie ); 01620 01621 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 01622 if( ssl->handshake->verify_cookie == NULL ) 01623 { 01624 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 01625 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 01626 } 01627 01628 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 01629 ssl->handshake->verify_cookie_len = cookie_len; 01630 01631 /* Start over at ClientHello */ 01632 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 01633 mbedtls_ssl_reset_checksum( ssl ); 01634 01635 mbedtls_ssl_recv_flight_completed( ssl ); 01636 01637 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 01638 01639 return( 0 ); 01640 } 01641 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01642 01643 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 01644 { 01645 int ret, i; 01646 size_t n; 01647 size_t ext_len; 01648 unsigned char *buf, *ext; 01649 unsigned char comp; 01650 #if defined(MBEDTLS_ZLIB_SUPPORT) 01651 int accept_comp; 01652 #endif 01653 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01654 int renegotiation_info_seen = 0; 01655 #endif 01656 int handshake_failure = 0; 01657 const mbedtls_ssl_ciphersuite_t *suite_info; 01658 01659 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01660 01661 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 01662 { 01663 /* No alert on a read error. */ 01664 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 01665 return( ret ); 01666 } 01667 01668 buf = ssl->in_msg; 01669 01670 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 01671 { 01672 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01673 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01674 { 01675 ssl->renego_records_seen++; 01676 01677 if( ssl->conf->renego_max_records >= 0 && 01678 ssl->renego_records_seen > ssl->conf->renego_max_records ) 01679 { 01680 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01681 "but not honored by server" ) ); 01682 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01683 } 01684 01685 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01686 01687 ssl->keep_current_message = 1; 01688 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01689 } 01690 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01691 01692 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01693 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01694 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 01695 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01696 } 01697 01698 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01699 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01700 { 01701 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 01702 { 01703 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 01704 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01705 return( ssl_parse_hello_verify_request( ssl ) ); 01706 } 01707 else 01708 { 01709 /* We made it through the verification process */ 01710 mbedtls_free( ssl->handshake->verify_cookie ); 01711 ssl->handshake->verify_cookie = NULL; 01712 ssl->handshake->verify_cookie_len = 0; 01713 } 01714 } 01715 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01716 01717 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 01718 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 01719 { 01720 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01721 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01722 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01723 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01724 } 01725 01726 /* 01727 * 0 . 1 server_version 01728 * 2 . 33 random (maybe including 4 bytes of Unix time) 01729 * 34 . 34 session_id length = n 01730 * 35 . 34+n session_id 01731 * 35+n . 36+n cipher_suite 01732 * 37+n . 37+n compression_method 01733 * 01734 * 38+n . 39+n extensions length (optional) 01735 * 40+n . .. extensions 01736 */ 01737 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01738 01739 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 01740 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01741 ssl->conf->transport, buf + 0 ); 01742 01743 if( ssl->major_ver < ssl->conf->min_major_ver || 01744 ssl->minor_ver < ssl->conf->min_minor_ver || 01745 ssl->major_ver > ssl->conf->max_major_ver || 01746 ssl->minor_ver > ssl->conf->max_minor_ver ) 01747 { 01748 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 01749 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 01750 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 01751 ssl->major_ver, ssl->minor_ver, 01752 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 01753 01754 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01755 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01756 01757 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01758 } 01759 01760 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", 01761 ( (uint32_t) buf[2] << 24 ) | 01762 ( (uint32_t) buf[3] << 16 ) | 01763 ( (uint32_t) buf[4] << 8 ) | 01764 ( (uint32_t) buf[5] ) ) ); 01765 01766 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 01767 01768 n = buf[34]; 01769 01770 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 01771 01772 if( n > 32 ) 01773 { 01774 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01775 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01776 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01777 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01778 } 01779 01780 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 01781 { 01782 ext_len = ( ( buf[38 + n] << 8 ) 01783 | ( buf[39 + n] ) ); 01784 01785 if( ( ext_len > 0 && ext_len < 4 ) || 01786 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 01787 { 01788 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01789 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01790 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01791 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01792 } 01793 } 01794 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 01795 { 01796 ext_len = 0; 01797 } 01798 else 01799 { 01800 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01801 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01802 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01803 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01804 } 01805 01806 /* ciphersuite (used later) */ 01807 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 01808 01809 /* 01810 * Read and check compression 01811 */ 01812 comp = buf[37 + n]; 01813 01814 #if defined(MBEDTLS_ZLIB_SUPPORT) 01815 /* See comments in ssl_write_client_hello() */ 01816 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01817 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01818 accept_comp = 0; 01819 else 01820 #endif 01821 accept_comp = 1; 01822 01823 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 01824 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 01825 #else /* MBEDTLS_ZLIB_SUPPORT */ 01826 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 01827 #endif/* MBEDTLS_ZLIB_SUPPORT */ 01828 { 01829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 01830 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01831 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01832 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01833 } 01834 01835 /* 01836 * Initialize update checksum functions 01837 */ 01838 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 01839 if( ssl->handshake->ciphersuite_info == NULL ) 01840 { 01841 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01842 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01843 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01844 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01845 } 01846 01847 mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info ); 01848 01849 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01850 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 01851 01852 /* 01853 * Check if the session can be resumed 01854 */ 01855 if( ssl->handshake->resume == 0 || n == 0 || 01856 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01857 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 01858 #endif 01859 ssl->session_negotiate->ciphersuite != i || 01860 ssl->session_negotiate->compression != comp || 01861 ssl->session_negotiate->id_len != n || 01862 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 01863 { 01864 ssl->state++; 01865 ssl->handshake->resume = 0; 01866 #if defined(MBEDTLS_HAVE_TIME) 01867 ssl->session_negotiate->start = mbedtls_time( NULL ); 01868 #endif 01869 ssl->session_negotiate->ciphersuite = i; 01870 ssl->session_negotiate->compression = comp; 01871 ssl->session_negotiate->id_len = n; 01872 memcpy( ssl->session_negotiate->id, buf + 35, n ); 01873 } 01874 else 01875 { 01876 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 01877 01878 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 01879 { 01880 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 01881 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01882 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01883 return( ret ); 01884 } 01885 } 01886 01887 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01888 ssl->handshake->resume ? "a" : "no" ) ); 01889 01890 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 01891 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 01892 01893 /* 01894 * Perform cipher suite validation in same way as in ssl_write_client_hello. 01895 */ 01896 i = 0; 01897 while( 1 ) 01898 { 01899 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01900 { 01901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01902 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01903 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01904 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01905 } 01906 01907 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 01908 ssl->session_negotiate->ciphersuite ) 01909 { 01910 break; 01911 } 01912 } 01913 01914 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01915 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 ) 01916 { 01917 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01918 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01919 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01920 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01921 } 01922 01923 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 01924 01925 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 01926 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA && 01927 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 01928 { 01929 ssl->handshake->ecrs_enabled = 1; 01930 } 01931 #endif 01932 01933 if( comp != MBEDTLS_SSL_COMPRESS_NULL 01934 #if defined(MBEDTLS_ZLIB_SUPPORT) 01935 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 01936 #endif 01937 ) 01938 { 01939 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01940 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01941 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01942 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01943 } 01944 ssl->session_negotiate->compression = comp; 01945 01946 ext = buf + 40 + n; 01947 01948 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01949 01950 while( ext_len ) 01951 { 01952 unsigned int ext_id = ( ( ext[0] << 8 ) 01953 | ( ext[1] ) ); 01954 unsigned int ext_size = ( ( ext[2] << 8 ) 01955 | ( ext[3] ) ); 01956 01957 if( ext_size + 4 > ext_len ) 01958 { 01959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01960 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01961 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01962 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01963 } 01964 01965 switch( ext_id ) 01966 { 01967 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01968 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01969 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01970 renegotiation_info_seen = 1; 01971 #endif 01972 01973 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01974 ext_size ) ) != 0 ) 01975 return( ret ); 01976 01977 break; 01978 01979 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01980 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01981 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01982 01983 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01984 ext + 4, ext_size ) ) != 0 ) 01985 { 01986 return( ret ); 01987 } 01988 01989 break; 01990 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01991 01992 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01993 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01994 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01995 01996 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01997 ext + 4, ext_size ) ) != 0 ) 01998 { 01999 return( ret ); 02000 } 02001 02002 break; 02003 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 02004 02005 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 02006 case MBEDTLS_TLS_EXT_CID: 02007 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) ); 02008 02009 if( ( ret = ssl_parse_cid_ext( ssl, 02010 ext + 4, 02011 ext_size ) ) != 0 ) 02012 { 02013 return( ret ); 02014 } 02015 02016 break; 02017 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 02018 02019 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02020 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 02021 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 02022 02023 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 02024 ext + 4, ext_size ) ) != 0 ) 02025 { 02026 return( ret ); 02027 } 02028 02029 break; 02030 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 02031 02032 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02033 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 02034 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 02035 02036 if( ( ret = ssl_parse_extended_ms_ext( ssl, 02037 ext + 4, ext_size ) ) != 0 ) 02038 { 02039 return( ret ); 02040 } 02041 02042 break; 02043 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 02044 02045 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02046 case MBEDTLS_TLS_EXT_SESSION_TICKET: 02047 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 02048 02049 if( ( ret = ssl_parse_session_ticket_ext( ssl, 02050 ext + 4, ext_size ) ) != 0 ) 02051 { 02052 return( ret ); 02053 } 02054 02055 break; 02056 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02057 02058 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02059 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02060 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 02061 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 02062 02063 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 02064 ext + 4, ext_size ) ) != 0 ) 02065 { 02066 return( ret ); 02067 } 02068 02069 break; 02070 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 02071 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02072 02073 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02074 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 02075 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 02076 02077 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 02078 ext + 4, ext_size ) ) != 0 ) 02079 { 02080 return( ret ); 02081 } 02082 02083 break; 02084 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02085 02086 #if defined(MBEDTLS_SSL_ALPN) 02087 case MBEDTLS_TLS_EXT_ALPN: 02088 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 02089 02090 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 02091 return( ret ); 02092 02093 break; 02094 #endif /* MBEDTLS_SSL_ALPN */ 02095 02096 default: 02097 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 02098 ext_id ) ); 02099 } 02100 02101 ext_len -= 4 + ext_size; 02102 ext += 4 + ext_size; 02103 02104 if( ext_len > 0 && ext_len < 4 ) 02105 { 02106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 02107 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 02108 } 02109 } 02110 02111 /* 02112 * Renegotiation security checks 02113 */ 02114 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 02115 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 02116 { 02117 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 02118 handshake_failure = 1; 02119 } 02120 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02121 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 02122 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 02123 renegotiation_info_seen == 0 ) 02124 { 02125 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 02126 handshake_failure = 1; 02127 } 02128 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 02129 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 02130 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 02131 { 02132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 02133 handshake_failure = 1; 02134 } 02135 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 02136 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 02137 renegotiation_info_seen == 1 ) 02138 { 02139 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 02140 handshake_failure = 1; 02141 } 02142 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 02143 02144 if( handshake_failure == 1 ) 02145 { 02146 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02147 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02148 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 02149 } 02150 02151 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 02152 02153 return( 0 ); 02154 } 02155 02156 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02157 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02158 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 02159 unsigned char *end ) 02160 { 02161 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02162 02163 /* 02164 * Ephemeral DH parameters: 02165 * 02166 * struct { 02167 * opaque dh_p<1..2^16-1>; 02168 * opaque dh_g<1..2^16-1>; 02169 * opaque dh_Ys<1..2^16-1>; 02170 * } ServerDHParams; 02171 */ 02172 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 02173 { 02174 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 02175 return( ret ); 02176 } 02177 02178 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 02179 { 02180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 02181 ssl->handshake->dhm_ctx.len * 8, 02182 ssl->conf->dhm_min_bitlen ) ); 02183 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02184 } 02185 02186 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 02187 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 02188 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 02189 02190 return( ret ); 02191 } 02192 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02193 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02194 02195 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02196 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02197 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02198 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02199 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02200 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 02201 { 02202 const mbedtls_ecp_curve_info *curve_info; 02203 mbedtls_ecp_group_id grp_id; 02204 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) 02205 grp_id = ssl->handshake->ecdh_ctx.grp.id; 02206 #else 02207 grp_id = ssl->handshake->ecdh_ctx.grp_id ; 02208 #endif 02209 02210 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id ); 02211 if( curve_info == NULL ) 02212 { 02213 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02214 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02215 } 02216 02217 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 02218 02219 #if defined(MBEDTLS_ECP_C) 02220 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 ) 02221 #else 02222 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 02223 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 02224 #endif 02225 return( -1 ); 02226 02227 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 02228 MBEDTLS_DEBUG_ECDH_QP ); 02229 02230 return( 0 ); 02231 } 02232 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02233 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02234 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02235 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02236 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02237 02238 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 02239 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02240 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ) 02241 static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl, 02242 unsigned char **p, 02243 unsigned char *end ) 02244 { 02245 uint16_t tls_id; 02246 uint8_t ecpoint_len; 02247 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 02248 02249 /* 02250 * Parse ECC group 02251 */ 02252 02253 if( end - *p < 4 ) 02254 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02255 02256 /* First byte is curve_type; only named_curve is handled */ 02257 if( *(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE ) 02258 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02259 02260 /* Next two bytes are the namedcurve value */ 02261 tls_id = *(*p)++; 02262 tls_id <<= 8; 02263 tls_id |= *(*p)++; 02264 02265 /* Convert EC group to PSA key type. */ 02266 if( ( handshake->ecdh_psa_curve = 02267 mbedtls_psa_parse_tls_ecc_group( tls_id ) ) == 0 ) 02268 { 02269 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02270 } 02271 02272 /* 02273 * Put peer's ECDH public key in the format understood by PSA. 02274 */ 02275 02276 ecpoint_len = *(*p)++; 02277 if( (size_t)( end - *p ) < ecpoint_len ) 02278 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02279 02280 if( mbedtls_psa_tls_ecpoint_to_psa_ec( handshake->ecdh_psa_curve, 02281 *p, ecpoint_len, 02282 handshake->ecdh_psa_peerkey, 02283 sizeof( handshake->ecdh_psa_peerkey ), 02284 &handshake->ecdh_psa_peerkey_len ) != 0 ) 02285 { 02286 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02287 } 02288 02289 *p += ecpoint_len; 02290 return( 0 ); 02291 } 02292 #endif /* MBEDTLS_USE_PSA_CRYPTO && 02293 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02294 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ 02295 02296 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02297 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02298 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02299 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 02300 unsigned char **p, 02301 unsigned char *end ) 02302 { 02303 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02304 02305 /* 02306 * Ephemeral ECDH parameters: 02307 * 02308 * struct { 02309 * ECParameters curve_params; 02310 * ECPoint public; 02311 * } ServerECDHParams; 02312 */ 02313 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 02314 (const unsigned char **) p, end ) ) != 0 ) 02315 { 02316 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 02317 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 02318 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 02319 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 02320 #endif 02321 return( ret ); 02322 } 02323 02324 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02325 { 02326 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 02327 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02328 } 02329 02330 return( ret ); 02331 } 02332 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02333 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02334 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02335 02336 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02337 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 02338 unsigned char **p, 02339 unsigned char *end ) 02340 { 02341 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02342 size_t len; 02343 ((void) ssl); 02344 02345 /* 02346 * PSK parameters: 02347 * 02348 * opaque psk_identity_hint<0..2^16-1>; 02349 */ 02350 if( end - (*p) < 2 ) 02351 { 02352 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 02353 "(psk_identity_hint length)" ) ); 02354 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02355 } 02356 len = (*p)[0] << 8 | (*p)[1]; 02357 *p += 2; 02358 02359 if( end - (*p) < (int) len ) 02360 { 02361 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 02362 "(psk_identity_hint length)" ) ); 02363 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02364 } 02365 02366 /* 02367 * Note: we currently ignore the PKS identity hint, as we only allow one 02368 * PSK to be provisionned on the client. This could be changed later if 02369 * someone needs that feature. 02370 */ 02371 *p += len; 02372 ret = 0; 02373 02374 return( ret ); 02375 } 02376 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02377 02378 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 02379 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02380 /* 02381 * Generate a pre-master secret and encrypt it with the server's RSA key 02382 */ 02383 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 02384 size_t offset, size_t *olen, 02385 size_t pms_offset ) 02386 { 02387 int ret; 02388 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 02389 unsigned char *p = ssl->handshake->premaster + pms_offset; 02390 mbedtls_pk_context * peer_pk; 02391 02392 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN ) 02393 { 02394 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 02395 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02396 } 02397 02398 /* 02399 * Generate (part of) the pre-master as 02400 * struct { 02401 * ProtocolVersion client_version; 02402 * opaque random[46]; 02403 * } PreMasterSecret; 02404 */ 02405 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 02406 ssl->conf->transport, p ); 02407 02408 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 02409 { 02410 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 02411 return( ret ); 02412 } 02413 02414 ssl->handshake->pmslen = 48; 02415 02416 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 02417 peer_pk = &ssl->handshake->peer_pubkey; 02418 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 02419 if( ssl->session_negotiate->peer_cert == NULL ) 02420 { 02421 /* Should never happen */ 02422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02423 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02424 } 02425 peer_pk = &ssl->session_negotiate->peer_cert->pk; 02426 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 02427 02428 /* 02429 * Now write it out, encrypted 02430 */ 02431 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) ) 02432 { 02433 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 02434 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02435 } 02436 02437 if( ( ret = mbedtls_pk_encrypt( peer_pk, 02438 p, ssl->handshake->pmslen, 02439 ssl->out_msg + offset + len_bytes, olen, 02440 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes, 02441 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02442 { 02443 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 02444 return( ret ); 02445 } 02446 02447 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02448 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02449 if( len_bytes == 2 ) 02450 { 02451 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 02452 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 02453 *olen += 2; 02454 } 02455 #endif 02456 02457 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 02458 /* We don't need the peer's public key anymore. Free it. */ 02459 mbedtls_pk_free( peer_pk ); 02460 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 02461 return( 0 ); 02462 } 02463 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 02464 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02465 02466 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02467 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02468 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02469 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02470 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 02471 unsigned char **p, 02472 unsigned char *end, 02473 mbedtls_md_type_t *md_alg, 02474 mbedtls_pk_type_t *pk_alg ) 02475 { 02476 ((void) ssl); 02477 *md_alg = MBEDTLS_MD_NONE; 02478 *pk_alg = MBEDTLS_PK_NONE; 02479 02480 /* Only in TLS 1.2 */ 02481 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 02482 { 02483 return( 0 ); 02484 } 02485 02486 if( (*p) + 2 > end ) 02487 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02488 02489 /* 02490 * Get hash algorithm 02491 */ 02492 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 02493 { 02494 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " 02495 "HashAlgorithm %d", *(p)[0] ) ); 02496 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02497 } 02498 02499 /* 02500 * Get signature algorithm 02501 */ 02502 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 02503 { 02504 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " 02505 "SignatureAlgorithm %d", (*p)[1] ) ); 02506 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02507 } 02508 02509 /* 02510 * Check if the hash is acceptable 02511 */ 02512 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 02513 { 02514 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered", 02515 *(p)[0] ) ); 02516 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02517 } 02518 02519 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 02520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 02521 *p += 2; 02522 02523 return( 0 ); 02524 } 02525 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02526 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02527 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02528 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02529 02530 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02531 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02532 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02533 { 02534 int ret; 02535 const mbedtls_ecp_keypair *peer_key; 02536 mbedtls_pk_context * peer_pk; 02537 02538 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 02539 peer_pk = &ssl->handshake->peer_pubkey; 02540 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 02541 if( ssl->session_negotiate->peer_cert == NULL ) 02542 { 02543 /* Should never happen */ 02544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02545 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02546 } 02547 peer_pk = &ssl->session_negotiate->peer_cert->pk; 02548 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 02549 02550 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) ) 02551 { 02552 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02553 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02554 } 02555 02556 peer_key = mbedtls_pk_ec( *peer_pk ); 02557 02558 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 02559 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 02560 { 02561 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02562 return( ret ); 02563 } 02564 02565 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02566 { 02567 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 02568 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 02569 } 02570 02571 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 02572 /* We don't need the peer's public key anymore. Free it, 02573 * so that more RAM is available for upcoming expensive 02574 * operations like ECDHE. */ 02575 mbedtls_pk_free( peer_pk ); 02576 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 02577 02578 return( ret ); 02579 } 02580 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02581 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02582 02583 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 02584 { 02585 int ret; 02586 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02587 ssl->handshake->ciphersuite_info; 02588 unsigned char *p = NULL, *end = NULL; 02589 02590 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 02591 02592 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02593 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02594 { 02595 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02596 ssl->state++; 02597 return( 0 ); 02598 } 02599 ((void) p); 02600 ((void) end); 02601 #endif 02602 02603 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02604 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02605 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02606 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02607 { 02608 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 02609 { 02610 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 02611 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02612 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02613 return( ret ); 02614 } 02615 02616 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02617 ssl->state++; 02618 return( 0 ); 02619 } 02620 ((void) p); 02621 ((void) end); 02622 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02623 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02624 02625 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 02626 if( ssl->handshake->ecrs_enabled && 02627 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing ) 02628 { 02629 goto start_processing; 02630 } 02631 #endif 02632 02633 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 02634 { 02635 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02636 return( ret ); 02637 } 02638 02639 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02640 { 02641 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02642 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02643 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02644 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02645 } 02646 02647 /* 02648 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 02649 * doesn't use a psk_identity_hint 02650 */ 02651 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 02652 { 02653 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02654 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02655 { 02656 /* Current message is probably either 02657 * CertificateRequest or ServerHelloDone */ 02658 ssl->keep_current_message = 1; 02659 goto exit; 02660 } 02661 02662 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must " 02663 "not be skipped" ) ); 02664 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02665 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02666 02667 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02668 } 02669 02670 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 02671 if( ssl->handshake->ecrs_enabled ) 02672 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing; 02673 02674 start_processing: 02675 #endif 02676 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02677 end = ssl->in_msg + ssl->in_hslen; 02678 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 02679 02680 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02681 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02682 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02683 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02684 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02685 { 02686 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 02687 { 02688 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02689 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02690 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02691 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02692 } 02693 } /* FALLTROUGH */ 02694 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02695 02696 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02697 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02698 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02699 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02700 ; /* nothing more to do */ 02701 else 02702 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 02703 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02704 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02705 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02706 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02707 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02708 { 02709 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 02710 { 02711 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02712 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02713 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02714 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02715 } 02716 } 02717 else 02718 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02719 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02720 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 02721 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02722 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ) 02723 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02724 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02725 { 02726 if( ssl_parse_server_ecdh_params_psa( ssl, &p, end ) != 0 ) 02727 { 02728 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02729 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02730 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02731 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02732 } 02733 } 02734 else 02735 #endif /* MBEDTLS_USE_PSA_CRYPTO && 02736 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02737 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ 02738 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02739 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02740 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02741 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02742 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02743 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02744 { 02745 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 02746 { 02747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02748 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02749 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02750 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02751 } 02752 } 02753 else 02754 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02755 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02756 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02757 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02758 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02759 { 02760 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 02761 p, end - p ); 02762 if( ret != 0 ) 02763 { 02764 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 02765 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02766 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02767 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02768 } 02769 } 02770 else 02771 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02772 { 02773 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02774 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02775 } 02776 02777 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02778 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 02779 { 02780 size_t sig_len, hashlen; 02781 unsigned char hash[64]; 02782 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02783 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 02784 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02785 size_t params_len = p - params; 02786 void *rs_ctx = NULL; 02787 02788 mbedtls_pk_context * peer_pk; 02789 02790 /* 02791 * Handle the digitally-signed structure 02792 */ 02793 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02794 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02795 { 02796 if( ssl_parse_signature_algorithm( ssl, &p, end, 02797 &md_alg, &pk_alg ) != 0 ) 02798 { 02799 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02800 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02801 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02802 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02803 } 02804 02805 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 02806 { 02807 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02808 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02809 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02810 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02811 } 02812 } 02813 else 02814 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02815 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02816 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02817 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 02818 { 02819 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 02820 02821 /* Default hash for ECDSA is SHA-1 */ 02822 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 02823 md_alg = MBEDTLS_MD_SHA1; 02824 } 02825 else 02826 #endif 02827 { 02828 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02829 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02830 } 02831 02832 /* 02833 * Read signature 02834 */ 02835 02836 if( p > end - 2 ) 02837 { 02838 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02839 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02840 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02841 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02842 } 02843 sig_len = ( p[0] << 8 ) | p[1]; 02844 p += 2; 02845 02846 if( p != end - sig_len ) 02847 { 02848 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02849 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02850 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02851 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02852 } 02853 02854 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 02855 02856 /* 02857 * Compute the hash that has been signed 02858 */ 02859 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02860 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02861 if( md_alg == MBEDTLS_MD_NONE ) 02862 { 02863 hashlen = 36; 02864 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params, 02865 params_len ); 02866 if( ret != 0 ) 02867 return( ret ); 02868 } 02869 else 02870 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02871 MBEDTLS_SSL_PROTO_TLS1_1 */ 02872 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02873 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02874 if( md_alg != MBEDTLS_MD_NONE ) 02875 { 02876 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, 02877 params, params_len, 02878 md_alg ); 02879 if( ret != 0 ) 02880 return( ret ); 02881 } 02882 else 02883 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02884 MBEDTLS_SSL_PROTO_TLS1_2 */ 02885 { 02886 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02887 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02888 } 02889 02890 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen ); 02891 02892 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 02893 peer_pk = &ssl->handshake->peer_pubkey; 02894 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 02895 if( ssl->session_negotiate->peer_cert == NULL ) 02896 { 02897 /* Should never happen */ 02898 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02899 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02900 } 02901 peer_pk = &ssl->session_negotiate->peer_cert->pk; 02902 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 02903 02904 /* 02905 * Verify signature 02906 */ 02907 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) ) 02908 { 02909 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02910 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02911 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02912 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02913 } 02914 02915 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 02916 if( ssl->handshake->ecrs_enabled ) 02917 rs_ctx = &ssl->handshake->ecrs_ctx.pk; 02918 #endif 02919 02920 if( ( ret = mbedtls_pk_verify_restartable( peer_pk, 02921 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 ) 02922 { 02923 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 02924 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS ) 02925 #endif 02926 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02927 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); 02928 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 02929 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 02930 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 02931 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 02932 #endif 02933 return( ret ); 02934 } 02935 02936 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 02937 /* We don't need the peer's public key anymore. Free it, 02938 * so that more RAM is available for upcoming expensive 02939 * operations like ECDHE. */ 02940 mbedtls_pk_free( peer_pk ); 02941 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 02942 } 02943 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 02944 02945 exit: 02946 ssl->state++; 02947 02948 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02949 02950 return( 0 ); 02951 } 02952 02953 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 02954 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02955 { 02956 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02957 ssl->handshake->ciphersuite_info; 02958 02959 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02960 02961 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02962 { 02963 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02964 ssl->state++; 02965 return( 0 ); 02966 } 02967 02968 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02969 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02970 } 02971 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02972 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02973 { 02974 int ret; 02975 unsigned char *buf; 02976 size_t n = 0; 02977 size_t cert_type_len = 0, dn_len = 0; 02978 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02979 ssl->handshake->ciphersuite_info; 02980 02981 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02982 02983 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02984 { 02985 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02986 ssl->state++; 02987 return( 0 ); 02988 } 02989 02990 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 02991 { 02992 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02993 return( ret ); 02994 } 02995 02996 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02997 { 02998 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02999 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03000 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 03001 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03002 } 03003 03004 ssl->state++; 03005 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); 03006 03007 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 03008 ssl->client_auth ? "a" : "no" ) ); 03009 03010 if( ssl->client_auth == 0 ) 03011 { 03012 /* Current message is probably the ServerHelloDone */ 03013 ssl->keep_current_message = 1; 03014 goto exit; 03015 } 03016 03017 /* 03018 * struct { 03019 * ClientCertificateType certificate_types<1..2^8-1>; 03020 * SignatureAndHashAlgorithm 03021 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 03022 * DistinguishedName certificate_authorities<0..2^16-1>; 03023 * } CertificateRequest; 03024 * 03025 * Since we only support a single certificate on clients, let's just 03026 * ignore all the information that's supposed to help us pick a 03027 * certificate. 03028 * 03029 * We could check that our certificate matches the request, and bail out 03030 * if it doesn't, but it's simpler to just send the certificate anyway, 03031 * and give the server the opportunity to decide if it should terminate 03032 * the connection when it doesn't like our certificate. 03033 * 03034 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 03035 * point we only have one hash available (see comments in 03036 * write_certificate_verify), so let's just use what we have. 03037 * 03038 * However, we still minimally parse the message to check it is at least 03039 * superficially sane. 03040 */ 03041 buf = ssl->in_msg; 03042 03043 /* certificate_types */ 03044 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) ) 03045 { 03046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 03047 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03048 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03049 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 03050 } 03051 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 03052 n = cert_type_len; 03053 03054 /* 03055 * In the subsequent code there are two paths that read from buf: 03056 * * the length of the signature algorithms field (if minor version of 03057 * SSL is 3), 03058 * * distinguished name length otherwise. 03059 * Both reach at most the index: 03060 * ...hdr_len + 2 + n, 03061 * therefore the buffer length at this point must be greater than that 03062 * regardless of the actual code path. 03063 */ 03064 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 03065 { 03066 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 03067 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03068 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03069 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 03070 } 03071 03072 /* supported_signature_algorithms */ 03073 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03074 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03075 { 03076 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 03077 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 03078 #if defined(MBEDTLS_DEBUG_C) 03079 unsigned char* sig_alg; 03080 size_t i; 03081 #endif 03082 03083 /* 03084 * The furthest access in buf is in the loop few lines below: 03085 * sig_alg[i + 1], 03086 * where: 03087 * sig_alg = buf + ...hdr_len + 3 + n, 03088 * max(i) = sig_alg_len - 1. 03089 * Therefore the furthest access is: 03090 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1], 03091 * which reduces to: 03092 * buf[...hdr_len + 3 + n + sig_alg_len], 03093 * which is one less than we need the buf to be. 03094 */ 03095 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len ) 03096 { 03097 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 03098 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03099 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03100 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 03101 } 03102 03103 #if defined(MBEDTLS_DEBUG_C) 03104 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; 03105 for( i = 0; i < sig_alg_len; i += 2 ) 03106 { 03107 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d" 03108 ",%d", sig_alg[i], sig_alg[i + 1] ) ); 03109 } 03110 #endif 03111 03112 n += 2 + sig_alg_len; 03113 } 03114 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03115 03116 /* certificate_authorities */ 03117 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 03118 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 03119 03120 n += dn_len; 03121 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 03122 { 03123 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 03124 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03125 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03126 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 03127 } 03128 03129 exit: 03130 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 03131 03132 return( 0 ); 03133 } 03134 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 03135 03136 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 03137 { 03138 int ret; 03139 03140 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 03141 03142 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 03143 { 03144 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03145 return( ret ); 03146 } 03147 03148 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03149 { 03150 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 03151 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03152 } 03153 03154 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 03155 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 03156 { 03157 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 03158 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03159 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03160 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 03161 } 03162 03163 ssl->state++; 03164 03165 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03166 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03167 mbedtls_ssl_recv_flight_completed( ssl ); 03168 #endif 03169 03170 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 03171 03172 return( 0 ); 03173 } 03174 03175 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 03176 { 03177 int ret; 03178 03179 size_t header_len; 03180 size_t content_len; 03181 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03182 ssl->handshake->ciphersuite_info; 03183 03184 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 03185 03186 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 03187 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 03188 { 03189 /* 03190 * DHM key exchange -- send G^X mod P 03191 */ 03192 content_len = ssl->handshake->dhm_ctx.len; 03193 03194 ssl->out_msg[4] = (unsigned char)( content_len >> 8 ); 03195 ssl->out_msg[5] = (unsigned char)( content_len ); 03196 header_len = 6; 03197 03198 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 03199 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 03200 &ssl->out_msg[header_len], content_len, 03201 ssl->conf->f_rng, ssl->conf->p_rng ); 03202 if( ret != 0 ) 03203 { 03204 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 03205 return( ret ); 03206 } 03207 03208 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 03209 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 03210 03211 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 03212 ssl->handshake->premaster, 03213 MBEDTLS_PREMASTER_SIZE, 03214 &ssl->handshake->pmslen, 03215 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03216 { 03217 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 03218 return( ret ); 03219 } 03220 03221 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 03222 } 03223 else 03224 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 03225 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 03226 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 03227 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ) 03228 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 03229 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 03230 { 03231 psa_status_t status; 03232 psa_key_attributes_t key_attributes; 03233 03234 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 03235 03236 unsigned char own_pubkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; 03237 size_t own_pubkey_len; 03238 unsigned char *own_pubkey_ecpoint; 03239 size_t own_pubkey_ecpoint_len; 03240 03241 header_len = 4; 03242 03243 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) ); 03244 03245 /* 03246 * Generate EC private key for ECDHE exchange. 03247 */ 03248 03249 /* The master secret is obtained from the shared ECDH secret by 03250 * applying the TLS 1.2 PRF with a specific salt and label. While 03251 * the PSA Crypto API encourages combining key agreement schemes 03252 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not 03253 * yet support the provisioning of salt + label to the KDF. 03254 * For the time being, we therefore need to split the computation 03255 * of the ECDH secret and the application of the TLS 1.2 PRF. */ 03256 key_attributes = psa_key_attributes_init(); 03257 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); 03258 psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH ); 03259 psa_set_key_type( &key_attributes, 03260 PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve ) 03261 ); 03262 psa_set_key_bits( &key_attributes, 03263 PSA_ECC_CURVE_BITS( handshake->ecdh_psa_curve ) ); 03264 03265 /* Generate ECDH private key. */ 03266 status = psa_generate_key( &key_attributes, 03267 &handshake->ecdh_psa_privkey ); 03268 if( status != PSA_SUCCESS ) 03269 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 03270 03271 /* Export the public part of the ECDH private key from PSA 03272 * and convert it to ECPoint format used in ClientKeyExchange. */ 03273 status = psa_export_public_key( handshake->ecdh_psa_privkey, 03274 own_pubkey, sizeof( own_pubkey ), 03275 &own_pubkey_len ); 03276 if( status != PSA_SUCCESS ) 03277 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 03278 03279 if( mbedtls_psa_tls_psa_ec_to_ecpoint( own_pubkey, 03280 own_pubkey_len, 03281 &own_pubkey_ecpoint, 03282 &own_pubkey_ecpoint_len ) != 0 ) 03283 { 03284 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 03285 } 03286 03287 /* Copy ECPoint structure to outgoing message buffer. */ 03288 ssl->out_msg[header_len] = (unsigned char) own_pubkey_ecpoint_len; 03289 memcpy( ssl->out_msg + header_len + 1, 03290 own_pubkey_ecpoint, own_pubkey_ecpoint_len ); 03291 content_len = own_pubkey_ecpoint_len + 1; 03292 03293 /* The ECDH secret is the premaster secret used for key derivation. */ 03294 03295 /* Compute ECDH shared secret. */ 03296 status = psa_raw_key_agreement( PSA_ALG_ECDH, 03297 handshake->ecdh_psa_privkey, 03298 handshake->ecdh_psa_peerkey, 03299 handshake->ecdh_psa_peerkey_len, 03300 ssl->handshake->premaster, 03301 sizeof( ssl->handshake->premaster ), 03302 &ssl->handshake->pmslen ); 03303 if( status != PSA_SUCCESS ) 03304 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 03305 03306 status = psa_destroy_key( handshake->ecdh_psa_privkey ); 03307 if( status != PSA_SUCCESS ) 03308 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 03309 handshake->ecdh_psa_privkey = 0; 03310 } 03311 else 03312 #endif /* MBEDTLS_USE_PSA_CRYPTO && 03313 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 03314 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ 03315 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 03316 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 03317 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 03318 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 03319 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 03320 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 03321 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 03322 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 03323 { 03324 /* 03325 * ECDH key exchange -- send client public value 03326 */ 03327 header_len = 4; 03328 03329 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 03330 if( ssl->handshake->ecrs_enabled ) 03331 { 03332 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret ) 03333 goto ecdh_calc_secret; 03334 03335 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx ); 03336 } 03337 #endif 03338 03339 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 03340 &content_len, 03341 &ssl->out_msg[header_len], 1000, 03342 ssl->conf->f_rng, ssl->conf->p_rng ); 03343 if( ret != 0 ) 03344 { 03345 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 03346 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 03347 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 03348 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 03349 #endif 03350 return( ret ); 03351 } 03352 03353 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 03354 MBEDTLS_DEBUG_ECDH_Q ); 03355 03356 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 03357 if( ssl->handshake->ecrs_enabled ) 03358 { 03359 ssl->handshake->ecrs_n = content_len; 03360 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret; 03361 } 03362 03363 ecdh_calc_secret: 03364 if( ssl->handshake->ecrs_enabled ) 03365 content_len = ssl->handshake->ecrs_n; 03366 #endif 03367 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 03368 &ssl->handshake->pmslen, 03369 ssl->handshake->premaster, 03370 MBEDTLS_MPI_MAX_SIZE, 03371 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03372 { 03373 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 03374 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 03375 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 03376 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 03377 #endif 03378 return( ret ); 03379 } 03380 03381 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 03382 MBEDTLS_DEBUG_ECDH_Z ); 03383 } 03384 else 03385 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 03386 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 03387 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 03388 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 03389 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 03390 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) 03391 { 03392 /* 03393 * opaque psk_identity<0..2^16-1>; 03394 */ 03395 if( ssl_conf_has_static_psk( ssl->conf ) == 0 ) 03396 { 03397 /* We don't offer PSK suites if we don't have a PSK, 03398 * and we check that the server's choice is among the 03399 * ciphersuites we offered, so this should never happen. */ 03400 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03401 } 03402 03403 header_len = 4; 03404 content_len = ssl->conf->psk_identity_len; 03405 03406 if( header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN ) 03407 { 03408 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 03409 "SSL buffer too short" ) ); 03410 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03411 } 03412 03413 ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 ); 03414 ssl->out_msg[header_len++] = (unsigned char)( content_len ); 03415 03416 memcpy( ssl->out_msg + header_len, 03417 ssl->conf->psk_identity, 03418 ssl->conf->psk_identity_len ); 03419 header_len += ssl->conf->psk_identity_len; 03420 03421 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 03422 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 03423 { 03424 content_len = 0; 03425 } 03426 else 03427 #endif 03428 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03429 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 03430 { 03431 #if defined(MBEDTLS_USE_PSA_CRYPTO) 03432 /* Opaque PSKs are currently only supported for PSK-only suites. */ 03433 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) 03434 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03435 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 03436 03437 if( ( ret = ssl_write_encrypted_pms( ssl, header_len, 03438 &content_len, 2 ) ) != 0 ) 03439 return( ret ); 03440 } 03441 else 03442 #endif 03443 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03444 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 03445 { 03446 #if defined(MBEDTLS_USE_PSA_CRYPTO) 03447 /* Opaque PSKs are currently only supported for PSK-only suites. */ 03448 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) 03449 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03450 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 03451 03452 /* 03453 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 03454 */ 03455 content_len = ssl->handshake->dhm_ctx.len; 03456 03457 if( header_len + 2 + content_len > 03458 MBEDTLS_SSL_OUT_CONTENT_LEN ) 03459 { 03460 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 03461 " or SSL buffer too short" ) ); 03462 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03463 } 03464 03465 ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 ); 03466 ssl->out_msg[header_len++] = (unsigned char)( content_len ); 03467 03468 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 03469 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 03470 &ssl->out_msg[header_len], content_len, 03471 ssl->conf->f_rng, ssl->conf->p_rng ); 03472 if( ret != 0 ) 03473 { 03474 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 03475 return( ret ); 03476 } 03477 } 03478 else 03479 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03480 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 03481 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 03482 { 03483 #if defined(MBEDTLS_USE_PSA_CRYPTO) 03484 /* Opaque PSKs are currently only supported for PSK-only suites. */ 03485 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) 03486 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03487 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 03488 03489 /* 03490 * ClientECDiffieHellmanPublic public; 03491 */ 03492 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 03493 &content_len, 03494 &ssl->out_msg[header_len], 03495 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, 03496 ssl->conf->f_rng, ssl->conf->p_rng ); 03497 if( ret != 0 ) 03498 { 03499 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 03500 return( ret ); 03501 } 03502 03503 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 03504 MBEDTLS_DEBUG_ECDH_Q ); 03505 } 03506 else 03507 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 03508 { 03509 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03510 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03511 } 03512 03513 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 03514 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 03515 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK && 03516 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && 03517 ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) 03518 { 03519 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) ); 03520 } 03521 else 03522 #endif /* MBEDTLS_USE_PSA_CRYPTO && 03523 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 03524 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03525 ciphersuite_info->key_exchange ) ) != 0 ) 03526 { 03527 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03528 return( ret ); 03529 } 03530 } 03531 else 03532 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 03533 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 03534 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 03535 { 03536 header_len = 4; 03537 if( ( ret = ssl_write_encrypted_pms( ssl, header_len, 03538 &content_len, 0 ) ) != 0 ) 03539 return( ret ); 03540 } 03541 else 03542 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03543 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 03544 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03545 { 03546 header_len = 4; 03547 03548 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 03549 ssl->out_msg + header_len, 03550 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, 03551 &content_len, 03552 ssl->conf->f_rng, ssl->conf->p_rng ); 03553 if( ret != 0 ) 03554 { 03555 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 03556 return( ret ); 03557 } 03558 03559 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 03560 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 03561 ssl->conf->f_rng, ssl->conf->p_rng ); 03562 if( ret != 0 ) 03563 { 03564 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 03565 return( ret ); 03566 } 03567 } 03568 else 03569 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03570 { 03571 ((void) ciphersuite_info); 03572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03573 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03574 } 03575 03576 ssl->out_msglen = header_len + content_len; 03577 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03578 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 03579 03580 ssl->state++; 03581 03582 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 03583 { 03584 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 03585 return( ret ); 03586 } 03587 03588 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 03589 03590 return( 0 ); 03591 } 03592 03593 #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 03594 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03595 { 03596 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03597 ssl->handshake->ciphersuite_info; 03598 int ret; 03599 03600 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03601 03602 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03603 { 03604 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03605 return( ret ); 03606 } 03607 03608 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 03609 { 03610 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03611 ssl->state++; 03612 return( 0 ); 03613 } 03614 03615 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03616 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03617 } 03618 #else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 03619 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03620 { 03621 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03622 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03623 ssl->handshake->ciphersuite_info; 03624 size_t n = 0, offset = 0; 03625 unsigned char hash[48]; 03626 unsigned char *hash_start = hash; 03627 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 03628 size_t hashlen; 03629 void *rs_ctx = NULL; 03630 03631 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03632 03633 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 03634 if( ssl->handshake->ecrs_enabled && 03635 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign ) 03636 { 03637 goto sign; 03638 } 03639 #endif 03640 03641 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03642 { 03643 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03644 return( ret ); 03645 } 03646 03647 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 03648 { 03649 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03650 ssl->state++; 03651 return( 0 ); 03652 } 03653 03654 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 03655 { 03656 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03657 ssl->state++; 03658 return( 0 ); 03659 } 03660 03661 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03662 { 03663 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 03664 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03665 } 03666 03667 /* 03668 * Make a signature of the handshake digests 03669 */ 03670 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 03671 if( ssl->handshake->ecrs_enabled ) 03672 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign; 03673 03674 sign: 03675 #endif 03676 03677 ssl->handshake->calc_verify( ssl, hash, &hashlen ); 03678 03679 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03680 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03681 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03682 { 03683 /* 03684 * digitally-signed struct { 03685 * opaque md5_hash[16]; 03686 * opaque sha_hash[20]; 03687 * }; 03688 * 03689 * md5_hash 03690 * MD5(handshake_messages); 03691 * 03692 * sha_hash 03693 * SHA(handshake_messages); 03694 */ 03695 md_alg = MBEDTLS_MD_NONE; 03696 03697 /* 03698 * For ECDSA, default hash is SHA-1 only 03699 */ 03700 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 03701 { 03702 hash_start += 16; 03703 hashlen -= 16; 03704 md_alg = MBEDTLS_MD_SHA1; 03705 } 03706 } 03707 else 03708 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03709 MBEDTLS_SSL_PROTO_TLS1_1 */ 03710 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03711 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03712 { 03713 /* 03714 * digitally-signed struct { 03715 * opaque handshake_messages[handshake_messages_length]; 03716 * }; 03717 * 03718 * Taking shortcut here. We assume that the server always allows the 03719 * PRF Hash function and has sent it in the allowed signature 03720 * algorithms list received in the Certificate Request message. 03721 * 03722 * Until we encounter a server that does not, we will take this 03723 * shortcut. 03724 * 03725 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 03726 * in order to satisfy 'weird' needs from the server side. 03727 */ 03728 if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 03729 { 03730 md_alg = MBEDTLS_MD_SHA384; 03731 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 03732 } 03733 else 03734 { 03735 md_alg = MBEDTLS_MD_SHA256; 03736 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 03737 } 03738 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 03739 03740 /* Info from md_alg will be used instead */ 03741 hashlen = 0; 03742 offset = 2; 03743 } 03744 else 03745 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03746 { 03747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03748 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03749 } 03750 03751 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 03752 if( ssl->handshake->ecrs_enabled ) 03753 rs_ctx = &ssl->handshake->ecrs_ctx.pk; 03754 #endif 03755 03756 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ), 03757 md_alg, hash_start, hashlen, 03758 ssl->out_msg + 6 + offset, &n, 03759 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 ) 03760 { 03761 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03762 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 03763 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 03764 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 03765 #endif 03766 return( ret ); 03767 } 03768 03769 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 03770 ssl->out_msg[5 + offset] = (unsigned char)( n ); 03771 03772 ssl->out_msglen = 6 + n + offset; 03773 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03774 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 03775 03776 ssl->state++; 03777 03778 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 03779 { 03780 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 03781 return( ret ); 03782 } 03783 03784 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 03785 03786 return( ret ); 03787 } 03788 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 03789 03790 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03791 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 03792 { 03793 int ret; 03794 uint32_t lifetime; 03795 size_t ticket_len; 03796 unsigned char *ticket; 03797 const unsigned char *msg; 03798 03799 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 03800 03801 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 03802 { 03803 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03804 return( ret ); 03805 } 03806 03807 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03808 { 03809 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03810 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03811 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 03812 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03813 } 03814 03815 /* 03816 * struct { 03817 * uint32 ticket_lifetime_hint; 03818 * opaque ticket<0..2^16-1>; 03819 * } NewSessionTicket; 03820 * 03821 * 0 . 3 ticket_lifetime_hint 03822 * 4 . 5 ticket_len (n) 03823 * 6 . 5+n ticket content 03824 */ 03825 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 03826 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 03827 { 03828 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03829 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03830 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03831 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03832 } 03833 03834 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03835 03836 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) | 03837 ( msg[2] << 8 ) | ( msg[3] ); 03838 03839 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 03840 03841 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 03842 { 03843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03844 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03845 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03846 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03847 } 03848 03849 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 03850 03851 /* We're not waiting for a NewSessionTicket message any more */ 03852 ssl->handshake->new_session_ticket = 0; 03853 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 03854 03855 /* 03856 * Zero-length ticket means the server changed his mind and doesn't want 03857 * to send a ticket after all, so just forget it 03858 */ 03859 if( ticket_len == 0 ) 03860 return( 0 ); 03861 03862 if( ssl->session != NULL && ssl->session->ticket != NULL ) 03863 { 03864 mbedtls_platform_zeroize( ssl->session->ticket, 03865 ssl->session->ticket_len ); 03866 mbedtls_free( ssl->session->ticket ); 03867 ssl->session->ticket = NULL; 03868 ssl->session->ticket_len = 0; 03869 } 03870 03871 mbedtls_platform_zeroize( ssl->session_negotiate->ticket, 03872 ssl->session_negotiate->ticket_len ); 03873 mbedtls_free( ssl->session_negotiate->ticket ); 03874 ssl->session_negotiate->ticket = NULL; 03875 ssl->session_negotiate->ticket_len = 0; 03876 03877 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 03878 { 03879 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 03880 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03881 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 03882 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03883 } 03884 03885 memcpy( ticket, msg + 6, ticket_len ); 03886 03887 ssl->session_negotiate->ticket = ticket; 03888 ssl->session_negotiate->ticket_len = ticket_len; 03889 ssl->session_negotiate->ticket_lifetime = lifetime; 03890 03891 /* 03892 * RFC 5077 section 3.4: 03893 * "If the client receives a session ticket from the server, then it 03894 * discards any Session ID that was sent in the ServerHello." 03895 */ 03896 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 03897 ssl->session_negotiate->id_len = 0; 03898 03899 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 03900 03901 return( 0 ); 03902 } 03903 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03904 03905 /* 03906 * SSL handshake -- client side -- single step 03907 */ 03908 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 03909 { 03910 int ret = 0; 03911 03912 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03913 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03914 03915 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 03916 03917 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03918 return( ret ); 03919 03920 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03921 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03922 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03923 { 03924 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) 03925 return( ret ); 03926 } 03927 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03928 03929 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 03930 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 03931 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03932 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 03933 ssl->handshake->new_session_ticket != 0 ) 03934 { 03935 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 03936 } 03937 #endif 03938 03939 switch( ssl->state ) 03940 { 03941 case MBEDTLS_SSL_HELLO_REQUEST: 03942 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03943 break; 03944 03945 /* 03946 * ==> ClientHello 03947 */ 03948 case MBEDTLS_SSL_CLIENT_HELLO: 03949 ret = ssl_write_client_hello( ssl ); 03950 break; 03951 03952 /* 03953 * <== ServerHello 03954 * Certificate 03955 * ( ServerKeyExchange ) 03956 * ( CertificateRequest ) 03957 * ServerHelloDone 03958 */ 03959 case MBEDTLS_SSL_SERVER_HELLO: 03960 ret = ssl_parse_server_hello( ssl ); 03961 break; 03962 03963 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03964 ret = mbedtls_ssl_parse_certificate( ssl ); 03965 break; 03966 03967 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03968 ret = ssl_parse_server_key_exchange( ssl ); 03969 break; 03970 03971 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03972 ret = ssl_parse_certificate_request( ssl ); 03973 break; 03974 03975 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03976 ret = ssl_parse_server_hello_done( ssl ); 03977 break; 03978 03979 /* 03980 * ==> ( Certificate/Alert ) 03981 * ClientKeyExchange 03982 * ( CertificateVerify ) 03983 * ChangeCipherSpec 03984 * Finished 03985 */ 03986 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03987 ret = mbedtls_ssl_write_certificate( ssl ); 03988 break; 03989 03990 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03991 ret = ssl_write_client_key_exchange( ssl ); 03992 break; 03993 03994 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03995 ret = ssl_write_certificate_verify( ssl ); 03996 break; 03997 03998 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03999 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 04000 break; 04001 04002 case MBEDTLS_SSL_CLIENT_FINISHED: 04003 ret = mbedtls_ssl_write_finished( ssl ); 04004 break; 04005 04006 /* 04007 * <== ( NewSessionTicket ) 04008 * ChangeCipherSpec 04009 * Finished 04010 */ 04011 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 04012 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 04013 ret = ssl_parse_new_session_ticket( ssl ); 04014 break; 04015 #endif 04016 04017 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 04018 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 04019 break; 04020 04021 case MBEDTLS_SSL_SERVER_FINISHED: 04022 ret = mbedtls_ssl_parse_finished( ssl ); 04023 break; 04024 04025 case MBEDTLS_SSL_FLUSH_BUFFERS: 04026 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 04027 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 04028 break; 04029 04030 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 04031 mbedtls_ssl_handshake_wrapup( ssl ); 04032 break; 04033 04034 default: 04035 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 04036 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04037 } 04038 04039 return( ret ); 04040 } 04041 #endif /* MBEDTLS_SSL_CLI_C */
Generated on Tue Jul 12 2022 13:54:52 by
1.7.2