Kenji Arai
/
mbed-os_TYBLE16
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
Embed:
(wiki syntax)
Show/hide line numbers
ssl_srv.c
00001 /* 00002 * SSLv3/TLSv1 server-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_SRV_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 #include "mbedtls/platform_util.h" 00042 00043 #include <string.h> 00044 00045 #if defined(MBEDTLS_ECP_C) 00046 #include "mbedtls/ecp.h" 00047 #endif 00048 00049 #if defined(MBEDTLS_HAVE_TIME) 00050 #include "mbedtls/platform_time.h" 00051 #endif 00052 00053 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 00054 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, 00055 const unsigned char *info, 00056 size_t ilen ) 00057 { 00058 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) 00059 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00060 00061 mbedtls_free( ssl->cli_id ); 00062 00063 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL ) 00064 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00065 00066 memcpy( ssl->cli_id, info, ilen ); 00067 ssl->cli_id_len = ilen; 00068 00069 return( 0 ); 00070 } 00071 00072 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf, 00073 mbedtls_ssl_cookie_write_t *f_cookie_write, 00074 mbedtls_ssl_cookie_check_t *f_cookie_check, 00075 void *p_cookie ) 00076 { 00077 conf->f_cookie_write = f_cookie_write; 00078 conf->f_cookie_check = f_cookie_check; 00079 conf->p_cookie = p_cookie; 00080 } 00081 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 00082 00083 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00084 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, 00085 const unsigned char *buf, 00086 size_t len ) 00087 { 00088 int ret; 00089 size_t servername_list_size, hostname_len; 00090 const unsigned char *p; 00091 00092 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); 00093 00094 if( len < 2 ) 00095 { 00096 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00097 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00098 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00099 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00100 } 00101 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00102 if( servername_list_size + 2 != len ) 00103 { 00104 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00105 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00106 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00107 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00108 } 00109 00110 p = buf + 2; 00111 while( servername_list_size > 2 ) 00112 { 00113 hostname_len = ( ( p[1] << 8 ) | p[2] ); 00114 if( hostname_len + 3 > servername_list_size ) 00115 { 00116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00117 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00118 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00119 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00120 } 00121 00122 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) 00123 { 00124 ret = ssl->conf->f_sni( ssl->conf->p_sni, 00125 ssl, p + 3, hostname_len ); 00126 if( ret != 0 ) 00127 { 00128 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); 00129 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00130 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); 00131 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00132 } 00133 return( 0 ); 00134 } 00135 00136 servername_list_size -= hostname_len + 3; 00137 p += hostname_len + 3; 00138 } 00139 00140 if( servername_list_size != 0 ) 00141 { 00142 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00143 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00144 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00145 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00146 } 00147 00148 return( 0 ); 00149 } 00150 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00151 00152 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 00153 static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf ) 00154 { 00155 if( conf->f_psk != NULL ) 00156 return( 1 ); 00157 00158 if( conf->psk_identity_len == 0 || conf->psk_identity == NULL ) 00159 return( 0 ); 00160 00161 if( conf->psk != NULL && conf->psk_len != 0 ) 00162 return( 1 ); 00163 00164 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00165 if( conf->psk_opaque != 0 ) 00166 return( 1 ); 00167 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 00168 00169 return( 0 ); 00170 } 00171 00172 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00173 static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl ) 00174 { 00175 if( ssl->conf->f_psk != NULL ) 00176 { 00177 /* If we've used a callback to select the PSK, 00178 * the static configuration is irrelevant. */ 00179 00180 if( ssl->handshake->psk_opaque != 0 ) 00181 return( 1 ); 00182 00183 return( 0 ); 00184 } 00185 00186 if( ssl->conf->psk_opaque != 0 ) 00187 return( 1 ); 00188 00189 return( 0 ); 00190 } 00191 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 00192 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 00193 00194 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 00195 const unsigned char *buf, 00196 size_t len ) 00197 { 00198 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00199 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00200 { 00201 /* Check verify-data in constant-time. The length OTOH is no secret */ 00202 if( len != 1 + ssl->verify_data_len || 00203 buf[0] != ssl->verify_data_len || 00204 mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data, 00205 ssl->verify_data_len ) != 0 ) 00206 { 00207 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 00208 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00209 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00210 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00211 } 00212 } 00213 else 00214 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00215 { 00216 if( len != 1 || buf[0] != 0x0 ) 00217 { 00218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 00219 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00220 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00221 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00222 } 00223 00224 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 00225 } 00226 00227 return( 0 ); 00228 } 00229 00230 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00231 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00232 00233 /* 00234 * Status of the implementation of signature-algorithms extension: 00235 * 00236 * Currently, we are only considering the signature-algorithm extension 00237 * to pick a ciphersuite which allows us to send the ServerKeyExchange 00238 * message with a signature-hash combination that the user allows. 00239 * 00240 * We do *not* check whether all certificates in our certificate 00241 * chain are signed with an allowed signature-hash pair. 00242 * This needs to be done at a later stage. 00243 * 00244 */ 00245 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00246 const unsigned char *buf, 00247 size_t len ) 00248 { 00249 size_t sig_alg_list_size; 00250 00251 const unsigned char *p; 00252 const unsigned char *end = buf + len; 00253 00254 mbedtls_md_type_t md_cur; 00255 mbedtls_pk_type_t sig_cur; 00256 00257 if ( len < 2 ) { 00258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00259 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00260 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00261 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00262 } 00263 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00264 if( sig_alg_list_size + 2 != len || 00265 sig_alg_list_size % 2 != 0 ) 00266 { 00267 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00268 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00269 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00270 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00271 } 00272 00273 /* Currently we only guarantee signing the ServerKeyExchange message according 00274 * to the constraints specified in this extension (see above), so it suffices 00275 * to remember only one suitable hash for each possible signature algorithm. 00276 * 00277 * This will change when we also consider certificate signatures, 00278 * in which case we will need to remember the whole signature-hash 00279 * pair list from the extension. 00280 */ 00281 00282 for( p = buf + 2; p < end; p += 2 ) 00283 { 00284 /* Silently ignore unknown signature or hash algorithms. */ 00285 00286 if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE ) 00287 { 00288 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext" 00289 " unknown sig alg encoding %d", p[1] ) ); 00290 continue; 00291 } 00292 00293 /* Check if we support the hash the user proposes */ 00294 md_cur = mbedtls_ssl_md_alg_from_hash( p[0] ); 00295 if( md_cur == MBEDTLS_MD_NONE ) 00296 { 00297 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" 00298 " unknown hash alg encoding %d", p[0] ) ); 00299 continue; 00300 } 00301 00302 if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 ) 00303 { 00304 mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur ); 00305 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" 00306 " match sig %d and hash %d", 00307 sig_cur, md_cur ) ); 00308 } 00309 else 00310 { 00311 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: " 00312 "hash alg %d not supported", md_cur ) ); 00313 } 00314 } 00315 00316 return( 0 ); 00317 } 00318 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00319 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00320 00321 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00322 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00323 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, 00324 const unsigned char *buf, 00325 size_t len ) 00326 { 00327 size_t list_size, our_size; 00328 const unsigned char *p; 00329 const mbedtls_ecp_curve_info *curve_info, **curves; 00330 00331 if ( len < 2 ) { 00332 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00333 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00334 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00335 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00336 } 00337 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00338 if( list_size + 2 != len || 00339 list_size % 2 != 0 ) 00340 { 00341 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00342 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00343 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00344 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00345 } 00346 00347 /* Should never happen unless client duplicates the extension */ 00348 if( ssl->handshake->curves != NULL ) 00349 { 00350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00351 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00352 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00353 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00354 } 00355 00356 /* Don't allow our peer to make us allocate too much memory, 00357 * and leave room for a final 0 */ 00358 our_size = list_size / 2 + 1; 00359 if( our_size > MBEDTLS_ECP_DP_MAX ) 00360 our_size = MBEDTLS_ECP_DP_MAX; 00361 00362 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL ) 00363 { 00364 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00365 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 00366 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00367 } 00368 00369 ssl->handshake->curves = curves; 00370 00371 p = buf + 2; 00372 while( list_size > 0 && our_size > 1 ) 00373 { 00374 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); 00375 00376 if( curve_info != NULL ) 00377 { 00378 *curves++ = curve_info; 00379 our_size--; 00380 } 00381 00382 list_size -= 2; 00383 p += 2; 00384 } 00385 00386 return( 0 ); 00387 } 00388 00389 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, 00390 const unsigned char *buf, 00391 size_t len ) 00392 { 00393 size_t list_size; 00394 const unsigned char *p; 00395 00396 if( len == 0 || (size_t)( buf[0] + 1 ) != len ) 00397 { 00398 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00399 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00400 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00401 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00402 } 00403 list_size = buf[0]; 00404 00405 p = buf + 1; 00406 while( list_size > 0 ) 00407 { 00408 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 00409 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 00410 { 00411 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00412 ssl->handshake->ecdh_ctx.point_format = p[0]; 00413 #endif 00414 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00415 ssl->handshake->ecjpake_ctx.point_format = p[0]; 00416 #endif 00417 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 00418 return( 0 ); 00419 } 00420 00421 list_size--; 00422 p++; 00423 } 00424 00425 return( 0 ); 00426 } 00427 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00428 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00429 00430 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00431 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 00432 const unsigned char *buf, 00433 size_t len ) 00434 { 00435 int ret; 00436 00437 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00438 { 00439 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 00440 return( 0 ); 00441 } 00442 00443 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 00444 buf, len ) ) != 0 ) 00445 { 00446 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 00447 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00448 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00449 return( ret ); 00450 } 00451 00452 /* Only mark the extension as OK when we're sure it is */ 00453 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; 00454 00455 return( 0 ); 00456 } 00457 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00458 00459 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00460 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00461 const unsigned char *buf, 00462 size_t len ) 00463 { 00464 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ) 00465 { 00466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00467 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00468 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00469 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00470 } 00471 00472 ssl->session_negotiate->mfl_code = buf[0]; 00473 00474 return( 0 ); 00475 } 00476 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00477 00478 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 00479 static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl, 00480 const unsigned char *buf, 00481 size_t len ) 00482 { 00483 size_t peer_cid_len; 00484 00485 /* CID extension only makes sense in DTLS */ 00486 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00487 { 00488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00489 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00490 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00491 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00492 } 00493 00494 /* 00495 * Quoting draft-ietf-tls-dtls-connection-id-05 00496 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 00497 * 00498 * struct { 00499 * opaque cid<0..2^8-1>; 00500 * } ConnectionId; 00501 */ 00502 00503 if( len < 1 ) 00504 { 00505 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00506 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00507 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00508 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00509 } 00510 00511 peer_cid_len = *buf++; 00512 len--; 00513 00514 if( len != peer_cid_len ) 00515 { 00516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00517 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00518 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00519 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00520 } 00521 00522 /* Ignore CID if the user has disabled its use. */ 00523 if( ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED ) 00524 { 00525 /* Leave ssl->handshake->cid_in_use in its default 00526 * value of MBEDTLS_SSL_CID_DISABLED. */ 00527 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Client sent CID extension, but CID disabled" ) ); 00528 return( 0 ); 00529 } 00530 00531 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX ) 00532 { 00533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00534 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00535 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00536 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00537 } 00538 00539 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; 00540 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; 00541 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len ); 00542 00543 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) ); 00544 MBEDTLS_SSL_DEBUG_BUF( 3, "Client CID", buf, peer_cid_len ); 00545 00546 return( 0 ); 00547 } 00548 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 00549 00550 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00551 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00552 const unsigned char *buf, 00553 size_t len ) 00554 { 00555 if( len != 0 ) 00556 { 00557 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00558 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00559 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00560 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00561 } 00562 00563 ((void) buf); 00564 00565 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00566 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 00567 00568 return( 0 ); 00569 } 00570 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00571 00572 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00573 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00574 const unsigned char *buf, 00575 size_t len ) 00576 { 00577 if( len != 0 ) 00578 { 00579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00580 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00581 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00582 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00583 } 00584 00585 ((void) buf); 00586 00587 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && 00588 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00589 { 00590 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 00591 } 00592 00593 return( 0 ); 00594 } 00595 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00596 00597 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00598 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 00599 const unsigned char *buf, 00600 size_t len ) 00601 { 00602 if( len != 0 ) 00603 { 00604 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00605 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00606 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00607 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00608 } 00609 00610 ((void) buf); 00611 00612 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && 00613 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00614 { 00615 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 00616 } 00617 00618 return( 0 ); 00619 } 00620 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00621 00622 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00623 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 00624 unsigned char *buf, 00625 size_t len ) 00626 { 00627 int ret; 00628 mbedtls_ssl_session session; 00629 00630 mbedtls_ssl_session_init( &session ); 00631 00632 if( ssl->conf->f_ticket_parse == NULL || 00633 ssl->conf->f_ticket_write == NULL ) 00634 { 00635 return( 0 ); 00636 } 00637 00638 /* Remember the client asked us to send a new ticket */ 00639 ssl->handshake->new_session_ticket = 1; 00640 00641 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); 00642 00643 if( len == 0 ) 00644 return( 0 ); 00645 00646 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00647 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00648 { 00649 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); 00650 return( 0 ); 00651 } 00652 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00653 00654 /* 00655 * Failures are ok: just ignore the ticket and proceed. 00656 */ 00657 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session, 00658 buf, len ) ) != 0 ) 00659 { 00660 mbedtls_ssl_session_free( &session ); 00661 00662 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 00663 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); 00664 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) 00665 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); 00666 else 00667 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); 00668 00669 return( 0 ); 00670 } 00671 00672 /* 00673 * Keep the session ID sent by the client, since we MUST send it back to 00674 * inform them we're accepting the ticket (RFC 5077 section 3.4) 00675 */ 00676 session.id_len = ssl->session_negotiate->id_len; 00677 memcpy( &session.id, ssl->session_negotiate->id, session.id_len ); 00678 00679 mbedtls_ssl_session_free( ssl->session_negotiate ); 00680 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) ); 00681 00682 /* Zeroize instead of free as we copied the content */ 00683 mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) ); 00684 00685 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); 00686 00687 ssl->handshake->resume = 1; 00688 00689 /* Don't send a new ticket after all, this one is OK */ 00690 ssl->handshake->new_session_ticket = 0; 00691 00692 return( 0 ); 00693 } 00694 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00695 00696 #if defined(MBEDTLS_SSL_ALPN) 00697 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 00698 const unsigned char *buf, size_t len ) 00699 { 00700 size_t list_len, cur_len, ours_len; 00701 const unsigned char *theirs, *start, *end; 00702 const char **ours; 00703 00704 /* If ALPN not configured, just ignore the extension */ 00705 if( ssl->conf->alpn_list == NULL ) 00706 return( 0 ); 00707 00708 /* 00709 * opaque ProtocolName<1..2^8-1>; 00710 * 00711 * struct { 00712 * ProtocolName protocol_name_list<2..2^16-1> 00713 * } ProtocolNameList; 00714 */ 00715 00716 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 00717 if( len < 4 ) 00718 { 00719 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00720 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00721 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00722 } 00723 00724 list_len = ( buf[0] << 8 ) | buf[1]; 00725 if( list_len != len - 2 ) 00726 { 00727 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00728 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00729 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00730 } 00731 00732 /* 00733 * Validate peer's list (lengths) 00734 */ 00735 start = buf + 2; 00736 end = buf + len; 00737 for( theirs = start; theirs != end; theirs += cur_len ) 00738 { 00739 cur_len = *theirs++; 00740 00741 /* Current identifier must fit in list */ 00742 if( cur_len > (size_t)( end - theirs ) ) 00743 { 00744 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00745 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00746 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00747 } 00748 00749 /* Empty strings MUST NOT be included */ 00750 if( cur_len == 0 ) 00751 { 00752 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00753 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00754 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00755 } 00756 } 00757 00758 /* 00759 * Use our order of preference 00760 */ 00761 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) 00762 { 00763 ours_len = strlen( *ours ); 00764 for( theirs = start; theirs != end; theirs += cur_len ) 00765 { 00766 cur_len = *theirs++; 00767 00768 if( cur_len == ours_len && 00769 memcmp( theirs, *ours, cur_len ) == 0 ) 00770 { 00771 ssl->alpn_chosen = *ours; 00772 return( 0 ); 00773 } 00774 } 00775 } 00776 00777 /* If we get there, no match was found */ 00778 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00779 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); 00780 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00781 } 00782 #endif /* MBEDTLS_SSL_ALPN */ 00783 00784 /* 00785 * Auxiliary functions for ServerHello parsing and related actions 00786 */ 00787 00788 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00789 /* 00790 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise 00791 */ 00792 #if defined(MBEDTLS_ECDSA_C) 00793 static int ssl_check_key_curve( mbedtls_pk_context *pk, 00794 const mbedtls_ecp_curve_info **curves ) 00795 { 00796 const mbedtls_ecp_curve_info **crv = curves; 00797 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp .id ; 00798 00799 while( *crv != NULL ) 00800 { 00801 if( (*crv)->grp_id == grp_id ) 00802 return( 0 ); 00803 crv++; 00804 } 00805 00806 return( -1 ); 00807 } 00808 #endif /* MBEDTLS_ECDSA_C */ 00809 00810 /* 00811 * Try picking a certificate for this ciphersuite, 00812 * return 0 on success and -1 on failure. 00813 */ 00814 static int ssl_pick_cert( mbedtls_ssl_context *ssl, 00815 const mbedtls_ssl_ciphersuite_t * ciphersuite_info ) 00816 { 00817 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; 00818 mbedtls_pk_type_t pk_alg = 00819 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 00820 uint32_t flags; 00821 00822 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00823 if( ssl->handshake->sni_key_cert != NULL ) 00824 list = ssl->handshake->sni_key_cert; 00825 else 00826 #endif 00827 list = ssl->conf->key_cert; 00828 00829 if( pk_alg == MBEDTLS_PK_NONE ) 00830 return( 0 ); 00831 00832 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); 00833 00834 if( list == NULL ) 00835 { 00836 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) ); 00837 return( -1 ); 00838 } 00839 00840 for( cur = list; cur != NULL; cur = cur->next ) 00841 { 00842 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", 00843 cur->cert ); 00844 00845 if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) ) 00846 { 00847 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); 00848 continue; 00849 } 00850 00851 /* 00852 * This avoids sending the client a cert it'll reject based on 00853 * keyUsage or other extensions. 00854 * 00855 * It also allows the user to provision different certificates for 00856 * different uses based on keyUsage, eg if they want to avoid signing 00857 * and decrypting with the same RSA key. 00858 */ 00859 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info, 00860 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 ) 00861 { 00862 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: " 00863 "(extended) key usage extension" ) ); 00864 continue; 00865 } 00866 00867 #if defined(MBEDTLS_ECDSA_C) 00868 if( pk_alg == MBEDTLS_PK_ECDSA && 00869 ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 ) 00870 { 00871 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); 00872 continue; 00873 } 00874 #endif 00875 00876 /* 00877 * Try to select a SHA-1 certificate for pre-1.2 clients, but still 00878 * present them a SHA-higher cert rather than failing if it's the only 00879 * one we got that satisfies the other conditions. 00880 */ 00881 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 && 00882 cur->cert->sig_md != MBEDTLS_MD_SHA1 ) 00883 { 00884 if( fallback == NULL ) 00885 fallback = cur; 00886 { 00887 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: " 00888 "sha-2 with pre-TLS 1.2 client" ) ); 00889 continue; 00890 } 00891 } 00892 00893 /* If we get there, we got a winner */ 00894 break; 00895 } 00896 00897 if( cur == NULL ) 00898 cur = fallback; 00899 00900 /* Do not update ssl->handshake->key_cert unless there is a match */ 00901 if( cur != NULL ) 00902 { 00903 ssl->handshake->key_cert = cur; 00904 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate", 00905 ssl->handshake->key_cert->cert ); 00906 return( 0 ); 00907 } 00908 00909 return( -1 ); 00910 } 00911 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00912 00913 /* 00914 * Check if a given ciphersuite is suitable for use with our config/keys/etc 00915 * Sets ciphersuite_info only if the suite matches. 00916 */ 00917 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, 00918 const mbedtls_ssl_ciphersuite_t **ciphersuite_info ) 00919 { 00920 const mbedtls_ssl_ciphersuite_t *suite_info; 00921 00922 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00923 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00924 mbedtls_pk_type_t sig_type; 00925 #endif 00926 00927 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id ); 00928 if( suite_info == NULL ) 00929 { 00930 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00931 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00932 } 00933 00934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); 00935 00936 if( suite_info->min_minor_ver > ssl->minor_ver || 00937 suite_info->max_minor_ver < ssl->minor_ver ) 00938 { 00939 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); 00940 return( 0 ); 00941 } 00942 00943 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00944 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00945 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00946 return( 0 ); 00947 #endif 00948 00949 #if defined(MBEDTLS_ARC4_C) 00950 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00951 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00952 { 00953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); 00954 return( 0 ); 00955 } 00956 #endif 00957 00958 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00959 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00960 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 ) 00961 { 00962 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake " 00963 "not configured or ext missing" ) ); 00964 return( 0 ); 00965 } 00966 #endif 00967 00968 00969 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00970 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && 00971 ( ssl->handshake->curves == NULL || 00972 ssl->handshake->curves[0] == NULL ) ) 00973 { 00974 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00975 "no common elliptic curve" ) ); 00976 return( 0 ); 00977 } 00978 #endif 00979 00980 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 00981 /* If the ciphersuite requires a pre-shared key and we don't 00982 * have one, skip it now rather than failing later */ 00983 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && 00984 ssl_conf_has_psk_or_cb( ssl->conf ) == 0 ) 00985 { 00986 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); 00987 return( 0 ); 00988 } 00989 #endif 00990 00991 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00992 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00993 /* If the ciphersuite requires signing, check whether 00994 * a suitable hash algorithm is present. */ 00995 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00996 { 00997 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info ); 00998 if( sig_type != MBEDTLS_PK_NONE && 00999 mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE ) 01000 { 01001 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm " 01002 "for signature algorithm %d", sig_type ) ); 01003 return( 0 ); 01004 } 01005 } 01006 01007 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01008 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01009 01010 #if defined(MBEDTLS_X509_CRT_PARSE_C) 01011 /* 01012 * Final check: if ciphersuite requires us to have a 01013 * certificate/key of a particular type: 01014 * - select the appropriate certificate if we have one, or 01015 * - try the next ciphersuite if we don't 01016 * This must be done last since we modify the key_cert list. 01017 */ 01018 if( ssl_pick_cert( ssl, suite_info ) != 0 ) 01019 { 01020 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 01021 "no suitable certificate" ) ); 01022 return( 0 ); 01023 } 01024 #endif 01025 01026 *ciphersuite_info = suite_info; 01027 return( 0 ); 01028 } 01029 01030 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 01031 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) 01032 { 01033 int ret, got_common_suite; 01034 unsigned int i, j; 01035 size_t n; 01036 unsigned int ciph_len, sess_len, chal_len; 01037 unsigned char *buf, *p; 01038 const int *ciphersuites; 01039 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 01040 01041 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); 01042 01043 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01044 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01045 { 01046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); 01047 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01048 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01049 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01050 } 01051 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01052 01053 buf = ssl->in_hdr; 01054 01055 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 01056 01057 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", 01058 buf[2] ) ); 01059 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", 01060 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); 01061 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", 01062 buf[3], buf[4] ) ); 01063 01064 /* 01065 * SSLv2 Client Hello 01066 * 01067 * Record layer: 01068 * 0 . 1 message length 01069 * 01070 * SSL layer: 01071 * 2 . 2 message type 01072 * 3 . 4 protocol version 01073 */ 01074 if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO || 01075 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 ) 01076 { 01077 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01078 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01079 } 01080 01081 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; 01082 01083 if( n < 17 || n > 512 ) 01084 { 01085 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01086 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01087 } 01088 01089 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 01090 ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver ) 01091 ? buf[4] : ssl->conf->max_minor_ver; 01092 01093 if( ssl->minor_ver < ssl->conf->min_minor_ver ) 01094 { 01095 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 01096 " [%d:%d] < [%d:%d]", 01097 ssl->major_ver, ssl->minor_ver, 01098 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 01099 01100 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01101 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01102 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01103 } 01104 01105 ssl->handshake->max_major_ver = buf[3]; 01106 ssl->handshake->max_minor_ver = buf[4]; 01107 01108 if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 ) 01109 { 01110 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01111 return( ret ); 01112 } 01113 01114 ssl->handshake->update_checksum( ssl, buf + 2, n ); 01115 01116 buf = ssl->in_msg; 01117 n = ssl->in_left - 5; 01118 01119 /* 01120 * 0 . 1 ciphersuitelist length 01121 * 2 . 3 session id length 01122 * 4 . 5 challenge length 01123 * 6 . .. ciphersuitelist 01124 * .. . .. session id 01125 * .. . .. challenge 01126 */ 01127 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n ); 01128 01129 ciph_len = ( buf[0] << 8 ) | buf[1]; 01130 sess_len = ( buf[2] << 8 ) | buf[3]; 01131 chal_len = ( buf[4] << 8 ) | buf[5]; 01132 01133 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", 01134 ciph_len, sess_len, chal_len ) ); 01135 01136 /* 01137 * Make sure each parameter length is valid 01138 */ 01139 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) 01140 { 01141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01142 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01143 } 01144 01145 if( sess_len > 32 ) 01146 { 01147 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01148 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01149 } 01150 01151 if( chal_len < 8 || chal_len > 32 ) 01152 { 01153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01154 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01155 } 01156 01157 if( n != 6 + ciph_len + sess_len + chal_len ) 01158 { 01159 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01160 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01161 } 01162 01163 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01164 buf + 6, ciph_len ); 01165 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", 01166 buf + 6 + ciph_len, sess_len ); 01167 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge", 01168 buf + 6 + ciph_len + sess_len, chal_len ); 01169 01170 p = buf + 6 + ciph_len; 01171 ssl->session_negotiate->id_len = sess_len; 01172 memset( ssl->session_negotiate->id, 0, 01173 sizeof( ssl->session_negotiate->id ) ); 01174 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len ); 01175 01176 p += sess_len; 01177 memset( ssl->handshake->randbytes, 0, 64 ); 01178 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ); 01179 01180 /* 01181 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01182 */ 01183 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01184 { 01185 if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 01186 { 01187 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01188 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01189 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01190 { 01191 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 01192 "during renegotiation" ) ); 01193 01194 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01195 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01196 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01197 } 01198 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01199 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01200 break; 01201 } 01202 } 01203 01204 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01205 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01206 { 01207 if( p[0] == 0 && 01208 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 01209 p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 01210 { 01211 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); 01212 01213 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 01214 { 01215 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01216 01217 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01218 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01219 01220 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01221 } 01222 01223 break; 01224 } 01225 } 01226 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01227 01228 got_common_suite = 0; 01229 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01230 ciphersuite_info = NULL; 01231 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01232 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01233 for( i = 0; ciphersuites[i] != 0; i++ ) 01234 #else 01235 for( i = 0; ciphersuites[i] != 0; i++ ) 01236 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01237 #endif 01238 { 01239 if( p[0] != 0 || 01240 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01241 p[2] != ( ( ciphersuites[i] ) & 0xFF ) ) 01242 continue; 01243 01244 got_common_suite = 1; 01245 01246 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01247 &ciphersuite_info ) ) != 0 ) 01248 return( ret ); 01249 01250 if( ciphersuite_info != NULL ) 01251 goto have_ciphersuite_v2; 01252 } 01253 01254 if( got_common_suite ) 01255 { 01256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01257 "but none of them usable" ) ); 01258 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01259 } 01260 else 01261 { 01262 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01263 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 01264 } 01265 01266 have_ciphersuite_v2: 01267 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01268 01269 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01270 ssl->handshake->ciphersuite_info = ciphersuite_info; 01271 01272 /* 01273 * SSLv2 Client Hello relevant renegotiation security checks 01274 */ 01275 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01276 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01277 { 01278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01279 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01280 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01281 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01282 } 01283 01284 ssl->in_left = 0; 01285 ssl->state++; 01286 01287 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) ); 01288 01289 return( 0 ); 01290 } 01291 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ 01292 01293 /* This function doesn't alert on errors that happen early during 01294 ClientHello parsing because they might indicate that the client is 01295 not talking SSL/TLS at all and would not understand our alert. */ 01296 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) 01297 { 01298 int ret, got_common_suite; 01299 size_t i, j; 01300 size_t ciph_offset, comp_offset, ext_offset; 01301 size_t msg_len, ciph_len, sess_len, comp_len, ext_len; 01302 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01303 size_t cookie_offset, cookie_len; 01304 #endif 01305 unsigned char *buf, *p, *ext; 01306 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01307 int renegotiation_info_seen = 0; 01308 #endif 01309 int handshake_failure = 0; 01310 const int *ciphersuites; 01311 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 01312 int major, minor; 01313 01314 /* If there is no signature-algorithm extension present, 01315 * we need to fall back to the default values for allowed 01316 * signature-hash pairs. */ 01317 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01318 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01319 int sig_hash_alg_ext_present = 0; 01320 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01321 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01322 01323 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); 01324 01325 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01326 read_record_header: 01327 #endif 01328 /* 01329 * If renegotiating, then the input was read with mbedtls_ssl_read_record(), 01330 * otherwise read it ourselves manually in order to support SSLv2 01331 * ClientHello, which doesn't use the same record layer format. 01332 */ 01333 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01334 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01335 #endif 01336 { 01337 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) 01338 { 01339 /* No alert on a read error. */ 01340 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01341 return( ret ); 01342 } 01343 } 01344 01345 buf = ssl->in_hdr; 01346 01347 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 01348 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01349 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) 01350 #endif 01351 if( ( buf[0] & 0x80 ) != 0 ) 01352 return( ssl_parse_client_hello_v2( ssl ) ); 01353 #endif 01354 01355 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_in_hdr_len( ssl ) ); 01356 01357 /* 01358 * SSLv3/TLS Client Hello 01359 * 01360 * Record layer: 01361 * 0 . 0 message type 01362 * 1 . 2 protocol version 01363 * 3 . 11 DTLS: epoch + record sequence number 01364 * 3 . 4 message length 01365 */ 01366 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", 01367 buf[0] ) ); 01368 01369 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE ) 01370 { 01371 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01372 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01373 } 01374 01375 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", 01376 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) ); 01377 01378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]", 01379 buf[1], buf[2] ) ); 01380 01381 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 ); 01382 01383 /* According to RFC 5246 Appendix E.1, the version here is typically 01384 * "{03,00}, the lowest version number supported by the client, [or] the 01385 * value of ClientHello.client_version", so the only meaningful check here 01386 * is the major version shouldn't be less than 3 */ 01387 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 ) 01388 { 01389 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01390 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01391 } 01392 01393 /* For DTLS if this is the initial handshake, remember the client sequence 01394 * number to use it in our next message (RFC 6347 4.2.1) */ 01395 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01396 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM 01397 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01398 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01399 #endif 01400 ) 01401 { 01402 /* Epoch should be 0 for initial handshakes */ 01403 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) 01404 { 01405 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01406 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01407 } 01408 01409 memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 ); 01410 01411 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01412 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 01413 { 01414 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) ); 01415 ssl->next_record_offset = 0; 01416 ssl->in_left = 0; 01417 goto read_record_header; 01418 } 01419 01420 /* No MAC to check yet, so we can update right now */ 01421 mbedtls_ssl_dtls_replay_update( ssl ); 01422 #endif 01423 } 01424 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01425 01426 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 01427 01428 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01429 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01430 { 01431 /* Set by mbedtls_ssl_read_record() */ 01432 msg_len = ssl->in_hslen; 01433 } 01434 else 01435 #endif 01436 { 01437 if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN ) 01438 { 01439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01440 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01441 } 01442 01443 if( ( ret = mbedtls_ssl_fetch_input( ssl, 01444 mbedtls_ssl_in_hdr_len( ssl ) + msg_len ) ) != 0 ) 01445 { 01446 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01447 return( ret ); 01448 } 01449 01450 /* Done reading this record, get ready for the next one */ 01451 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01452 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01453 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len( ssl ); 01454 else 01455 #endif 01456 ssl->in_left = 0; 01457 } 01458 01459 buf = ssl->in_msg; 01460 01461 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len ); 01462 01463 ssl->handshake->update_checksum( ssl, buf, msg_len ); 01464 01465 /* 01466 * Handshake layer: 01467 * 0 . 0 handshake type 01468 * 1 . 3 handshake length 01469 * 4 . 5 DTLS only: message seqence number 01470 * 6 . 8 DTLS only: fragment offset 01471 * 9 . 11 DTLS only: fragment length 01472 */ 01473 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) ) 01474 { 01475 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01476 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01477 } 01478 01479 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) ); 01480 01481 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 01482 { 01483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01484 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01485 } 01486 01487 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", 01488 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); 01489 01490 /* We don't support fragmentation of ClientHello (yet?) */ 01491 if( buf[1] != 0 || 01492 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) ) 01493 { 01494 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01495 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01496 } 01497 01498 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01499 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01500 { 01501 /* 01502 * Copy the client's handshake message_seq on initial handshakes, 01503 * check sequence number on renego. 01504 */ 01505 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01506 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01507 { 01508 /* This couldn't be done in ssl_prepare_handshake_record() */ 01509 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01510 ssl->in_msg[5]; 01511 01512 if( cli_msg_seq != ssl->handshake->in_msg_seq ) 01513 { 01514 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: " 01515 "%d (expected %d)", cli_msg_seq, 01516 ssl->handshake->in_msg_seq ) ); 01517 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01518 } 01519 01520 ssl->handshake->in_msg_seq++; 01521 } 01522 else 01523 #endif 01524 { 01525 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01526 ssl->in_msg[5]; 01527 ssl->handshake->out_msg_seq = cli_msg_seq; 01528 ssl->handshake->in_msg_seq = cli_msg_seq + 1; 01529 } 01530 01531 /* 01532 * For now we don't support fragmentation, so make sure 01533 * fragment_offset == 0 and fragment_length == length 01534 */ 01535 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 || 01536 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 ) 01537 { 01538 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) ); 01539 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01540 } 01541 } 01542 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01543 01544 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01545 msg_len -= mbedtls_ssl_hs_hdr_len( ssl ); 01546 01547 /* 01548 * ClientHello layer: 01549 * 0 . 1 protocol version 01550 * 2 . 33 random bytes (starting with 4 bytes of Unix time) 01551 * 34 . 35 session id length (1 byte) 01552 * 35 . 34+x session id 01553 * 35+x . 35+x DTLS only: cookie length (1 byte) 01554 * 36+x . .. DTLS only: cookie 01555 * .. . .. ciphersuite list length (2 bytes) 01556 * .. . .. ciphersuite list 01557 * .. . .. compression alg. list length (1 byte) 01558 * .. . .. compression alg. list 01559 * .. . .. extensions length (2 bytes, optional) 01560 * .. . .. extensions (optional) 01561 */ 01562 01563 /* 01564 * Minimal length (with everything empty and extensions omitted) is 01565 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can 01566 * read at least up to session id length without worrying. 01567 */ 01568 if( msg_len < 38 ) 01569 { 01570 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01571 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01572 } 01573 01574 /* 01575 * Check and save the protocol version 01576 */ 01577 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); 01578 01579 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01580 ssl->conf->transport, buf ); 01581 01582 ssl->handshake->max_major_ver = ssl->major_ver; 01583 ssl->handshake->max_minor_ver = ssl->minor_ver; 01584 01585 if( ssl->major_ver < ssl->conf->min_major_ver || 01586 ssl->minor_ver < ssl->conf->min_minor_ver ) 01587 { 01588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 01589 " [%d:%d] < [%d:%d]", 01590 ssl->major_ver, ssl->minor_ver, 01591 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 01592 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01593 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01594 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01595 } 01596 01597 if( ssl->major_ver > ssl->conf->max_major_ver ) 01598 { 01599 ssl->major_ver = ssl->conf->max_major_ver; 01600 ssl->minor_ver = ssl->conf->max_minor_ver; 01601 } 01602 else if( ssl->minor_ver > ssl->conf->max_minor_ver ) 01603 ssl->minor_ver = ssl->conf->max_minor_ver; 01604 01605 /* 01606 * Save client random (inc. Unix time) 01607 */ 01608 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 ); 01609 01610 memcpy( ssl->handshake->randbytes, buf + 2, 32 ); 01611 01612 /* 01613 * Check the session ID length and save session ID 01614 */ 01615 sess_len = buf[34]; 01616 01617 if( sess_len > sizeof( ssl->session_negotiate->id ) || 01618 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */ 01619 { 01620 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01621 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01622 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01623 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01624 } 01625 01626 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len ); 01627 01628 ssl->session_negotiate->id_len = sess_len; 01629 memset( ssl->session_negotiate->id, 0, 01630 sizeof( ssl->session_negotiate->id ) ); 01631 memcpy( ssl->session_negotiate->id, buf + 35, 01632 ssl->session_negotiate->id_len ); 01633 01634 /* 01635 * Check the cookie length and content 01636 */ 01637 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01638 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01639 { 01640 cookie_offset = 35 + sess_len; 01641 cookie_len = buf[cookie_offset]; 01642 01643 if( cookie_offset + 1 + cookie_len + 2 > msg_len ) 01644 { 01645 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01646 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01647 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01648 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01649 } 01650 01651 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 01652 buf + cookie_offset + 1, cookie_len ); 01653 01654 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 01655 if( ssl->conf->f_cookie_check != NULL 01656 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01657 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01658 #endif 01659 ) 01660 { 01661 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, 01662 buf + cookie_offset + 1, cookie_len, 01663 ssl->cli_id, ssl->cli_id_len ) != 0 ) 01664 { 01665 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) ); 01666 ssl->handshake->verify_cookie_len = 1; 01667 } 01668 else 01669 { 01670 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) ); 01671 ssl->handshake->verify_cookie_len = 0; 01672 } 01673 } 01674 else 01675 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 01676 { 01677 /* We know we didn't send a cookie, so it should be empty */ 01678 if( cookie_len != 0 ) 01679 { 01680 /* This may be an attacker's probe, so don't send an alert */ 01681 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01682 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01683 } 01684 01685 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) ); 01686 } 01687 01688 /* 01689 * Check the ciphersuitelist length (will be parsed later) 01690 */ 01691 ciph_offset = cookie_offset + 1 + cookie_len; 01692 } 01693 else 01694 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01695 ciph_offset = 35 + sess_len; 01696 01697 ciph_len = ( buf[ciph_offset + 0] << 8 ) 01698 | ( buf[ciph_offset + 1] ); 01699 01700 if( ciph_len < 2 || 01701 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ 01702 ( ciph_len % 2 ) != 0 ) 01703 { 01704 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01705 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01706 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01707 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01708 } 01709 01710 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01711 buf + ciph_offset + 2, ciph_len ); 01712 01713 /* 01714 * Check the compression algorithms length and pick one 01715 */ 01716 comp_offset = ciph_offset + 2 + ciph_len; 01717 01718 comp_len = buf[comp_offset]; 01719 01720 if( comp_len < 1 || 01721 comp_len > 16 || 01722 comp_len + comp_offset + 1 > msg_len ) 01723 { 01724 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01725 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01726 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01727 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01728 } 01729 01730 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", 01731 buf + comp_offset + 1, comp_len ); 01732 01733 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01734 #if defined(MBEDTLS_ZLIB_SUPPORT) 01735 for( i = 0; i < comp_len; ++i ) 01736 { 01737 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE ) 01738 { 01739 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE; 01740 break; 01741 } 01742 } 01743 #endif 01744 01745 /* See comments in ssl_write_client_hello() */ 01746 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01747 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01748 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01749 #endif 01750 01751 /* Do not parse the extensions if the protocol is SSLv3 */ 01752 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01753 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 01754 { 01755 #endif 01756 /* 01757 * Check the extension length 01758 */ 01759 ext_offset = comp_offset + 1 + comp_len; 01760 if( msg_len > ext_offset ) 01761 { 01762 if( msg_len < ext_offset + 2 ) 01763 { 01764 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01765 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01766 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01767 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01768 } 01769 01770 ext_len = ( buf[ext_offset + 0] << 8 ) 01771 | ( buf[ext_offset + 1] ); 01772 01773 if( ( ext_len > 0 && ext_len < 4 ) || 01774 msg_len != ext_offset + 2 + ext_len ) 01775 { 01776 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01777 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01778 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01779 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01780 } 01781 } 01782 else 01783 ext_len = 0; 01784 01785 ext = buf + ext_offset + 2; 01786 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); 01787 01788 while( ext_len != 0 ) 01789 { 01790 unsigned int ext_id; 01791 unsigned int ext_size; 01792 if ( ext_len < 4 ) { 01793 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01794 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01795 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01796 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01797 } 01798 ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) ); 01799 ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) ); 01800 01801 if( ext_size + 4 > ext_len ) 01802 { 01803 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01804 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01805 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01806 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01807 } 01808 switch( ext_id ) 01809 { 01810 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 01811 case MBEDTLS_TLS_EXT_SERVERNAME: 01812 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); 01813 if( ssl->conf->f_sni == NULL ) 01814 break; 01815 01816 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); 01817 if( ret != 0 ) 01818 return( ret ); 01819 break; 01820 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 01821 01822 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01823 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01824 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01825 renegotiation_info_seen = 1; 01826 #endif 01827 01828 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); 01829 if( ret != 0 ) 01830 return( ret ); 01831 break; 01832 01833 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01834 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01835 case MBEDTLS_TLS_EXT_SIG_ALG: 01836 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); 01837 01838 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); 01839 if( ret != 0 ) 01840 return( ret ); 01841 01842 sig_hash_alg_ext_present = 1; 01843 break; 01844 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01845 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01846 01847 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01848 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01849 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: 01850 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); 01851 01852 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); 01853 if( ret != 0 ) 01854 return( ret ); 01855 break; 01856 01857 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01858 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); 01859 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; 01860 01861 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); 01862 if( ret != 0 ) 01863 return( ret ); 01864 break; 01865 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01866 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01867 01868 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01869 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01870 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); 01871 01872 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); 01873 if( ret != 0 ) 01874 return( ret ); 01875 break; 01876 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01877 01878 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01879 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01880 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); 01881 01882 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); 01883 if( ret != 0 ) 01884 return( ret ); 01885 break; 01886 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01887 01888 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01889 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01890 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); 01891 01892 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); 01893 if( ret != 0 ) 01894 return( ret ); 01895 break; 01896 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01897 01898 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 01899 case MBEDTLS_TLS_EXT_CID: 01900 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) ); 01901 01902 ret = ssl_parse_cid_ext( ssl, ext + 4, ext_size ); 01903 if( ret != 0 ) 01904 return( ret ); 01905 break; 01906 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01907 01908 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01909 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01910 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); 01911 01912 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); 01913 if( ret != 0 ) 01914 return( ret ); 01915 break; 01916 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01917 01918 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01919 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01920 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); 01921 01922 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); 01923 if( ret != 0 ) 01924 return( ret ); 01925 break; 01926 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01927 01928 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01929 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01930 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); 01931 01932 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); 01933 if( ret != 0 ) 01934 return( ret ); 01935 break; 01936 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01937 01938 #if defined(MBEDTLS_SSL_ALPN) 01939 case MBEDTLS_TLS_EXT_ALPN: 01940 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01941 01942 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); 01943 if( ret != 0 ) 01944 return( ret ); 01945 break; 01946 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01947 01948 default: 01949 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01950 ext_id ) ); 01951 } 01952 01953 ext_len -= 4 + ext_size; 01954 ext += 4 + ext_size; 01955 01956 if( ext_len > 0 && ext_len < 4 ) 01957 { 01958 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01959 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01960 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01961 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01962 } 01963 } 01964 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01965 } 01966 #endif 01967 01968 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01969 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) 01970 { 01971 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 01972 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 01973 { 01974 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) ); 01975 01976 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 01977 { 01978 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01979 01980 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01981 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01982 01983 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01984 } 01985 01986 break; 01987 } 01988 } 01989 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01990 01991 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01992 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01993 01994 /* 01995 * Try to fall back to default hash SHA1 if the client 01996 * hasn't provided any preferred signature-hash combinations. 01997 */ 01998 if( sig_hash_alg_ext_present == 0 ) 01999 { 02000 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1; 02001 02002 if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 ) 02003 md_default = MBEDTLS_MD_NONE; 02004 02005 mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default ); 02006 } 02007 02008 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 02009 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 02010 02011 /* 02012 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 02013 */ 02014 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) 02015 { 02016 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 02017 { 02018 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 02019 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02020 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 02021 { 02022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 02023 "during renegotiation" ) ); 02024 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02025 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02026 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 02027 } 02028 #endif 02029 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 02030 break; 02031 } 02032 } 02033 02034 /* 02035 * Renegotiation security checks 02036 */ 02037 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && 02038 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 02039 { 02040 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 02041 handshake_failure = 1; 02042 } 02043 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02044 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 02045 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 02046 renegotiation_info_seen == 0 ) 02047 { 02048 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 02049 handshake_failure = 1; 02050 } 02051 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 02052 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 02053 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 02054 { 02055 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 02056 handshake_failure = 1; 02057 } 02058 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 02059 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 02060 renegotiation_info_seen == 1 ) 02061 { 02062 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 02063 handshake_failure = 1; 02064 } 02065 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 02066 02067 if( handshake_failure == 1 ) 02068 { 02069 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02070 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02071 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 02072 } 02073 02074 /* 02075 * Search for a matching ciphersuite 02076 * (At the end because we need information from the EC-based extensions 02077 * and certificate from the SNI callback triggered by the SNI extension.) 02078 */ 02079 got_common_suite = 0; 02080 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 02081 ciphersuite_info = NULL; 02082 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 02083 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 02084 for( i = 0; ciphersuites[i] != 0; i++ ) 02085 #else 02086 for( i = 0; ciphersuites[i] != 0; i++ ) 02087 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 02088 #endif 02089 { 02090 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 02091 p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) 02092 continue; 02093 02094 got_common_suite = 1; 02095 02096 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 02097 &ciphersuite_info ) ) != 0 ) 02098 return( ret ); 02099 02100 if( ciphersuite_info != NULL ) 02101 goto have_ciphersuite; 02102 } 02103 02104 if( got_common_suite ) 02105 { 02106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 02107 "but none of them usable" ) ); 02108 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02109 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02110 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 02111 } 02112 else 02113 { 02114 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 02115 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02116 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02117 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 02118 } 02119 02120 have_ciphersuite: 02121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 02122 02123 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 02124 ssl->handshake->ciphersuite_info = ciphersuite_info; 02125 02126 ssl->state++; 02127 02128 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02129 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02130 mbedtls_ssl_recv_flight_completed( ssl ); 02131 #endif 02132 02133 /* Debugging-only output for testsuite */ 02134 #if defined(MBEDTLS_DEBUG_C) && \ 02135 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 02136 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 02137 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02138 { 02139 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info ); 02140 if( sig_alg != MBEDTLS_PK_NONE ) 02141 { 02142 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, 02143 sig_alg ); 02144 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", 02145 mbedtls_ssl_hash_from_md_alg( md_alg ) ) ); 02146 } 02147 else 02148 { 02149 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm " 02150 "%d - should not happen", sig_alg ) ); 02151 } 02152 } 02153 #endif 02154 02155 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); 02156 02157 return( 0 ); 02158 } 02159 02160 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 02161 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 02162 unsigned char *buf, 02163 size_t *olen ) 02164 { 02165 unsigned char *p = buf; 02166 02167 if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 02168 { 02169 *olen = 0; 02170 return; 02171 } 02172 02173 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); 02174 02175 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 02176 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 02177 02178 *p++ = 0x00; 02179 *p++ = 0x00; 02180 02181 *olen = 4; 02182 } 02183 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 02184 02185 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 02186 static void ssl_write_cid_ext( mbedtls_ssl_context *ssl, 02187 unsigned char *buf, 02188 size_t *olen ) 02189 { 02190 unsigned char *p = buf; 02191 size_t ext_len; 02192 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 02193 02194 *olen = 0; 02195 02196 /* Skip writing the extension if we don't want to use it or if 02197 * the client hasn't offered it. */ 02198 if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED ) 02199 return; 02200 02201 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX 02202 * which is at most 255, so the increment cannot overflow. */ 02203 if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) ) 02204 { 02205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 02206 return; 02207 } 02208 02209 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) ); 02210 02211 /* 02212 * Quoting draft-ietf-tls-dtls-connection-id-05 02213 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 02214 * 02215 * struct { 02216 * opaque cid<0..2^8-1>; 02217 * } ConnectionId; 02218 */ 02219 02220 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF ); 02221 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF ); 02222 ext_len = (size_t) ssl->own_cid_len + 1; 02223 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 02224 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 02225 02226 *p++ = (uint8_t) ssl->own_cid_len; 02227 memcpy( p, ssl->own_cid, ssl->own_cid_len ); 02228 02229 *olen = ssl->own_cid_len + 5; 02230 } 02231 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 02232 02233 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02234 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 02235 unsigned char *buf, 02236 size_t *olen ) 02237 { 02238 unsigned char *p = buf; 02239 const mbedtls_ssl_ciphersuite_t *suite = NULL; 02240 const mbedtls_cipher_info_t *cipher = NULL; 02241 02242 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 02243 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 02244 { 02245 *olen = 0; 02246 return; 02247 } 02248 02249 /* 02250 * RFC 7366: "If a server receives an encrypt-then-MAC request extension 02251 * from a client and then selects a stream or Authenticated Encryption 02252 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an 02253 * encrypt-then-MAC response extension back to the client." 02254 */ 02255 if( ( suite = mbedtls_ssl_ciphersuite_from_id( 02256 ssl->session_negotiate->ciphersuite ) ) == NULL || 02257 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL || 02258 cipher->mode != MBEDTLS_MODE_CBC ) 02259 { 02260 *olen = 0; 02261 return; 02262 } 02263 02264 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); 02265 02266 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 02267 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 02268 02269 *p++ = 0x00; 02270 *p++ = 0x00; 02271 02272 *olen = 4; 02273 } 02274 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 02275 02276 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02277 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 02278 unsigned char *buf, 02279 size_t *olen ) 02280 { 02281 unsigned char *p = buf; 02282 02283 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 02284 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 02285 { 02286 *olen = 0; 02287 return; 02288 } 02289 02290 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret " 02291 "extension" ) ); 02292 02293 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 02294 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 02295 02296 *p++ = 0x00; 02297 *p++ = 0x00; 02298 02299 *olen = 4; 02300 } 02301 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 02302 02303 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02304 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 02305 unsigned char *buf, 02306 size_t *olen ) 02307 { 02308 unsigned char *p = buf; 02309 02310 if( ssl->handshake->new_session_ticket == 0 ) 02311 { 02312 *olen = 0; 02313 return; 02314 } 02315 02316 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); 02317 02318 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 02319 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 02320 02321 *p++ = 0x00; 02322 *p++ = 0x00; 02323 02324 *olen = 4; 02325 } 02326 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02327 02328 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 02329 unsigned char *buf, 02330 size_t *olen ) 02331 { 02332 unsigned char *p = buf; 02333 02334 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION ) 02335 { 02336 *olen = 0; 02337 return; 02338 } 02339 02340 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); 02341 02342 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 02343 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 02344 02345 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02346 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 02347 { 02348 *p++ = 0x00; 02349 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; 02350 *p++ = ssl->verify_data_len * 2 & 0xFF; 02351 02352 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); 02353 p += ssl->verify_data_len; 02354 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 02355 p += ssl->verify_data_len; 02356 } 02357 else 02358 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 02359 { 02360 *p++ = 0x00; 02361 *p++ = 0x01; 02362 *p++ = 0x00; 02363 } 02364 02365 *olen = p - buf; 02366 } 02367 02368 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02369 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 02370 unsigned char *buf, 02371 size_t *olen ) 02372 { 02373 unsigned char *p = buf; 02374 02375 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) 02376 { 02377 *olen = 0; 02378 return; 02379 } 02380 02381 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); 02382 02383 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 02384 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 02385 02386 *p++ = 0x00; 02387 *p++ = 1; 02388 02389 *p++ = ssl->session_negotiate->mfl_code; 02390 02391 *olen = 5; 02392 } 02393 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 02394 02395 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02396 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02397 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 02398 unsigned char *buf, 02399 size_t *olen ) 02400 { 02401 unsigned char *p = buf; 02402 ((void) ssl); 02403 02404 if( ( ssl->handshake->cli_exts & 02405 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) 02406 { 02407 *olen = 0; 02408 return; 02409 } 02410 02411 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); 02412 02413 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 02414 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 02415 02416 *p++ = 0x00; 02417 *p++ = 2; 02418 02419 *p++ = 1; 02420 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 02421 02422 *olen = 6; 02423 } 02424 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02425 02426 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02427 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 02428 unsigned char *buf, 02429 size_t *olen ) 02430 { 02431 int ret; 02432 unsigned char *p = buf; 02433 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 02434 size_t kkpp_len; 02435 02436 *olen = 0; 02437 02438 /* Skip costly computation if not needed */ 02439 if( ssl->handshake->ciphersuite_info->key_exchange != 02440 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02441 return; 02442 02443 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) ); 02444 02445 if( end - p < 4 ) 02446 { 02447 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 02448 return; 02449 } 02450 02451 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 02452 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 02453 02454 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 02455 p + 2, end - p - 2, &kkpp_len, 02456 ssl->conf->f_rng, ssl->conf->p_rng ); 02457 if( ret != 0 ) 02458 { 02459 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 02460 return; 02461 } 02462 02463 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 02464 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 02465 02466 *olen = kkpp_len + 4; 02467 } 02468 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02469 02470 #if defined(MBEDTLS_SSL_ALPN ) 02471 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 02472 unsigned char *buf, size_t *olen ) 02473 { 02474 if( ssl->alpn_chosen == NULL ) 02475 { 02476 *olen = 0; 02477 return; 02478 } 02479 02480 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); 02481 02482 /* 02483 * 0 . 1 ext identifier 02484 * 2 . 3 ext length 02485 * 4 . 5 protocol list length 02486 * 6 . 6 protocol name length 02487 * 7 . 7+n protocol name 02488 */ 02489 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 02490 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 02491 02492 *olen = 7 + strlen( ssl->alpn_chosen ); 02493 02494 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 02495 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 02496 02497 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 02498 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 02499 02500 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF ); 02501 02502 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); 02503 } 02504 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ 02505 02506 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02507 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) 02508 { 02509 int ret; 02510 unsigned char *p = ssl->out_msg + 4; 02511 unsigned char *cookie_len_byte; 02512 02513 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) ); 02514 02515 /* 02516 * struct { 02517 * ProtocolVersion server_version; 02518 * opaque cookie<0..2^8-1>; 02519 * } HelloVerifyRequest; 02520 */ 02521 02522 /* The RFC is not clear on this point, but sending the actual negotiated 02523 * version looks like the most interoperable thing to do. */ 02524 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02525 ssl->conf->transport, p ); 02526 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 02527 p += 2; 02528 02529 /* If we get here, f_cookie_check is not null */ 02530 if( ssl->conf->f_cookie_write == NULL ) 02531 { 02532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); 02533 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02534 } 02535 02536 /* Skip length byte until we know the length */ 02537 cookie_len_byte = p++; 02538 02539 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, 02540 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN, 02541 ssl->cli_id, ssl->cli_id_len ) ) != 0 ) 02542 { 02543 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret ); 02544 return( ret ); 02545 } 02546 02547 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) ); 02548 02549 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte ); 02550 02551 ssl->out_msglen = p - ssl->out_msg; 02552 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02553 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 02554 02555 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; 02556 02557 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 02558 { 02559 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 02560 return( ret ); 02561 } 02562 02563 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02564 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02565 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) 02566 { 02567 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); 02568 return( ret ); 02569 } 02570 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02571 02572 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) ); 02573 02574 return( 0 ); 02575 } 02576 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02577 02578 static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) 02579 { 02580 #if defined(MBEDTLS_HAVE_TIME) 02581 mbedtls_time_t t; 02582 #endif 02583 int ret; 02584 size_t olen, ext_len = 0, n; 02585 unsigned char *buf, *p; 02586 02587 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); 02588 02589 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02590 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02591 ssl->handshake->verify_cookie_len != 0 ) 02592 { 02593 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); 02594 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02595 02596 return( ssl_write_hello_verify_request( ssl ) ); 02597 } 02598 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02599 02600 if( ssl->conf->f_rng == NULL ) 02601 { 02602 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 02603 return( MBEDTLS_ERR_SSL_NO_RNG ); 02604 } 02605 02606 /* 02607 * 0 . 0 handshake type 02608 * 1 . 3 handshake length 02609 * 4 . 5 protocol version 02610 * 6 . 9 UNIX time() 02611 * 10 . 37 random bytes 02612 */ 02613 buf = ssl->out_msg; 02614 p = buf + 4; 02615 02616 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02617 ssl->conf->transport, p ); 02618 p += 2; 02619 02620 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 02621 buf[4], buf[5] ) ); 02622 02623 #if defined(MBEDTLS_HAVE_TIME) 02624 t = mbedtls_time( NULL ); 02625 *p++ = (unsigned char)( t >> 24 ); 02626 *p++ = (unsigned char)( t >> 16 ); 02627 *p++ = (unsigned char)( t >> 8 ); 02628 *p++ = (unsigned char)( t ); 02629 02630 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 02631 #else 02632 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 02633 return( ret ); 02634 02635 p += 4; 02636 #endif /* MBEDTLS_HAVE_TIME */ 02637 02638 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 02639 return( ret ); 02640 02641 p += 28; 02642 02643 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); 02644 02645 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 02646 02647 /* 02648 * Resume is 0 by default, see ssl_handshake_init(). 02649 * It may be already set to 1 by ssl_parse_session_ticket_ext(). 02650 * If not, try looking up session ID in our cache. 02651 */ 02652 if( ssl->handshake->resume == 0 && 02653 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02654 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && 02655 #endif 02656 ssl->session_negotiate->id_len != 0 && 02657 ssl->conf->f_get_cache != NULL && 02658 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 ) 02659 { 02660 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); 02661 ssl->handshake->resume = 1; 02662 } 02663 02664 if( ssl->handshake->resume == 0 ) 02665 { 02666 /* 02667 * New session, create a new session id, 02668 * unless we're about to issue a session ticket 02669 */ 02670 ssl->state++; 02671 02672 #if defined(MBEDTLS_HAVE_TIME) 02673 ssl->session_negotiate->start = mbedtls_time( NULL ); 02674 #endif 02675 02676 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02677 if( ssl->handshake->new_session_ticket != 0 ) 02678 { 02679 ssl->session_negotiate->id_len = n = 0; 02680 memset( ssl->session_negotiate->id, 0, 32 ); 02681 } 02682 else 02683 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02684 { 02685 ssl->session_negotiate->id_len = n = 32; 02686 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 02687 n ) ) != 0 ) 02688 return( ret ); 02689 } 02690 } 02691 else 02692 { 02693 /* 02694 * Resuming a session 02695 */ 02696 n = ssl->session_negotiate->id_len; 02697 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 02698 02699 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 02700 { 02701 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 02702 return( ret ); 02703 } 02704 } 02705 02706 /* 02707 * 38 . 38 session id length 02708 * 39 . 38+n session id 02709 * 39+n . 40+n chosen ciphersuite 02710 * 41+n . 41+n chosen compression alg. 02711 * 42+n . 43+n extensions length 02712 * 44+n . 43+n+m extensions 02713 */ 02714 *p++ = (unsigned char) ssl->session_negotiate->id_len; 02715 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); 02716 p += ssl->session_negotiate->id_len; 02717 02718 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 02719 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 02720 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 02721 ssl->handshake->resume ? "a" : "no" ) ); 02722 02723 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); 02724 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); 02725 *p++ = (unsigned char)( ssl->session_negotiate->compression ); 02726 02727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", 02728 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); 02729 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", 02730 ssl->session_negotiate->compression ) ); 02731 02732 /* Do not write the extensions if the protocol is SSLv3 */ 02733 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02734 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 02735 { 02736 #endif 02737 02738 /* 02739 * First write extensions, then the total length 02740 */ 02741 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 02742 ext_len += olen; 02743 02744 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02745 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 02746 ext_len += olen; 02747 #endif 02748 02749 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 02750 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 02751 ext_len += olen; 02752 #endif 02753 02754 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 02755 ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen ); 02756 ext_len += olen; 02757 #endif 02758 02759 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02760 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 02761 ext_len += olen; 02762 #endif 02763 02764 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02765 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 02766 ext_len += olen; 02767 #endif 02768 02769 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02770 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 02771 ext_len += olen; 02772 #endif 02773 02774 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02775 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02776 if ( mbedtls_ssl_ciphersuite_uses_ec( 02777 mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) ) 02778 { 02779 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 02780 ext_len += olen; 02781 } 02782 #endif 02783 02784 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02785 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 02786 ext_len += olen; 02787 #endif 02788 02789 #if defined(MBEDTLS_SSL_ALPN) 02790 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 02791 ext_len += olen; 02792 #endif 02793 02794 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); 02795 02796 if( ext_len > 0 ) 02797 { 02798 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 02799 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 02800 p += ext_len; 02801 } 02802 02803 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02804 } 02805 #endif 02806 02807 ssl->out_msglen = p - buf; 02808 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02809 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; 02810 02811 ret = mbedtls_ssl_write_handshake_msg( ssl ); 02812 02813 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02814 02815 return( ret ); 02816 } 02817 02818 #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 02819 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02820 { 02821 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02822 ssl->handshake->ciphersuite_info; 02823 02824 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02825 02826 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02827 { 02828 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02829 ssl->state++; 02830 return( 0 ); 02831 } 02832 02833 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02834 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02835 } 02836 #else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02837 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02838 { 02839 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02840 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02841 ssl->handshake->ciphersuite_info; 02842 size_t dn_size, total_dn_size; /* excluding length bytes */ 02843 size_t ct_len, sa_len; /* including length bytes */ 02844 unsigned char *buf, *p; 02845 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 02846 const mbedtls_x509_crt *crt; 02847 int authmode; 02848 02849 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02850 02851 ssl->state++; 02852 02853 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02854 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 02855 authmode = ssl->handshake->sni_authmode; 02856 else 02857 #endif 02858 authmode = ssl->conf->authmode; 02859 02860 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) || 02861 authmode == MBEDTLS_SSL_VERIFY_NONE ) 02862 { 02863 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02864 return( 0 ); 02865 } 02866 02867 /* 02868 * 0 . 0 handshake type 02869 * 1 . 3 handshake length 02870 * 4 . 4 cert type count 02871 * 5 .. m-1 cert types 02872 * m .. m+1 sig alg length (TLS 1.2 only) 02873 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 02874 * n .. n+1 length of all DNs 02875 * n+2 .. n+3 length of DN 1 02876 * n+4 .. ... Distinguished Name #1 02877 * ... .. ... length of DN 2, etc. 02878 */ 02879 buf = ssl->out_msg; 02880 p = buf + 4; 02881 02882 /* 02883 * Supported certificate types 02884 * 02885 * ClientCertificateType certificate_types<1..2^8-1>; 02886 * enum { (255) } ClientCertificateType; 02887 */ 02888 ct_len = 0; 02889 02890 #if defined(MBEDTLS_RSA_C) 02891 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; 02892 #endif 02893 #if defined(MBEDTLS_ECDSA_C) 02894 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; 02895 #endif 02896 02897 p[0] = (unsigned char) ct_len++; 02898 p += ct_len; 02899 02900 sa_len = 0; 02901 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02902 /* 02903 * Add signature_algorithms for verify (TLS 1.2) 02904 * 02905 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; 02906 * 02907 * struct { 02908 * HashAlgorithm hash; 02909 * SignatureAlgorithm signature; 02910 * } SignatureAndHashAlgorithm; 02911 * 02912 * enum { (255) } HashAlgorithm; 02913 * enum { (255) } SignatureAlgorithm; 02914 */ 02915 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02916 { 02917 const int *cur; 02918 02919 /* 02920 * Supported signature algorithms 02921 */ 02922 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) 02923 { 02924 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur ); 02925 02926 if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) ) 02927 continue; 02928 02929 #if defined(MBEDTLS_RSA_C) 02930 p[2 + sa_len++] = hash; 02931 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA; 02932 #endif 02933 #if defined(MBEDTLS_ECDSA_C) 02934 p[2 + sa_len++] = hash; 02935 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA; 02936 #endif 02937 } 02938 02939 p[0] = (unsigned char)( sa_len >> 8 ); 02940 p[1] = (unsigned char)( sa_len ); 02941 sa_len += 2; 02942 p += sa_len; 02943 } 02944 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02945 02946 /* 02947 * DistinguishedName certificate_authorities<0..2^16-1>; 02948 * opaque DistinguishedName<1..2^16-1>; 02949 */ 02950 p += 2; 02951 02952 total_dn_size = 0; 02953 02954 if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED ) 02955 { 02956 /* NOTE: If trusted certificates are provisioned 02957 * via a CA callback (configured through 02958 * `mbedtls_ssl_conf_ca_cb()`, then the 02959 * CertificateRequest is currently left empty. */ 02960 02961 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02962 if( ssl->handshake->sni_ca_chain != NULL ) 02963 crt = ssl->handshake->sni_ca_chain; 02964 else 02965 #endif 02966 crt = ssl->conf->ca_chain; 02967 02968 while( crt != NULL && crt->version != 0 ) 02969 { 02970 dn_size = crt->subject_raw.len; 02971 02972 if( end < p || 02973 (size_t)( end - p ) < dn_size || 02974 (size_t)( end - p ) < 2 + dn_size ) 02975 { 02976 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); 02977 break; 02978 } 02979 02980 *p++ = (unsigned char)( dn_size >> 8 ); 02981 *p++ = (unsigned char)( dn_size ); 02982 memcpy( p, crt->subject_raw.p, dn_size ); 02983 p += dn_size; 02984 02985 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size ); 02986 02987 total_dn_size += 2 + dn_size; 02988 crt = crt->next; 02989 } 02990 } 02991 02992 ssl->out_msglen = p - buf; 02993 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02994 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; 02995 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 ); 02996 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size ); 02997 02998 ret = mbedtls_ssl_write_handshake_msg( ssl ); 02999 03000 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); 03001 03002 return( ret ); 03003 } 03004 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 03005 03006 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 03007 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 03008 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 03009 { 03010 int ret; 03011 03012 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) ) 03013 { 03014 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 03015 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 03016 } 03017 03018 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, 03019 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ), 03020 MBEDTLS_ECDH_OURS ) ) != 0 ) 03021 { 03022 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 03023 return( ret ); 03024 } 03025 03026 return( 0 ); 03027 } 03028 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 03029 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 03030 03031 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \ 03032 defined(MBEDTLS_SSL_ASYNC_PRIVATE) 03033 static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl, 03034 size_t *signature_len ) 03035 { 03036 /* Append the signature to ssl->out_msg, leaving 2 bytes for the 03037 * signature length which will be added in ssl_write_server_key_exchange 03038 * after the call to ssl_prepare_server_key_exchange. 03039 * ssl_write_server_key_exchange also takes care of incrementing 03040 * ssl->out_msglen. */ 03041 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2; 03042 size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN 03043 - sig_start ); 03044 int ret = ssl->conf->f_async_resume( ssl, 03045 sig_start, signature_len, sig_max_len ); 03046 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) 03047 { 03048 ssl->handshake->async_in_progress = 0; 03049 mbedtls_ssl_set_async_operation_data( ssl, NULL ); 03050 } 03051 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret ); 03052 return( ret ); 03053 } 03054 #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && 03055 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ 03056 03057 /* Prepare the ServerKeyExchange message, up to and including 03058 * calculating the signature if any, but excluding formatting the 03059 * signature and sending the message. */ 03060 static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, 03061 size_t *signature_len ) 03062 { 03063 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03064 ssl->handshake->ciphersuite_info; 03065 03066 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED) 03067 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03068 unsigned char *dig_signed = NULL; 03069 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 03070 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */ 03071 03072 (void) ciphersuite_info; /* unused in some configurations */ 03073 #if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03074 (void) signature_len; 03075 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 03076 03077 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */ 03078 03079 /* 03080 * 03081 * Part 1: Provide key exchange parameters for chosen ciphersuite. 03082 * 03083 */ 03084 03085 /* 03086 * - ECJPAKE key exchanges 03087 */ 03088 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 03089 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03090 { 03091 int ret; 03092 size_t len = 0; 03093 03094 ret = mbedtls_ecjpake_write_round_two( 03095 &ssl->handshake->ecjpake_ctx, 03096 ssl->out_msg + ssl->out_msglen, 03097 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len, 03098 ssl->conf->f_rng, ssl->conf->p_rng ); 03099 if( ret != 0 ) 03100 { 03101 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 03102 return( ret ); 03103 } 03104 03105 ssl->out_msglen += len; 03106 } 03107 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 03108 03109 /* 03110 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support 03111 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, 03112 * we use empty support identity hints here. 03113 **/ 03114 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 03115 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 03116 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03117 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 03118 { 03119 ssl->out_msg[ssl->out_msglen++] = 0x00; 03120 ssl->out_msg[ssl->out_msglen++] = 0x00; 03121 } 03122 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || 03123 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 03124 03125 /* 03126 * - DHE key exchanges 03127 */ 03128 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) 03129 if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) ) 03130 { 03131 int ret; 03132 size_t len = 0; 03133 03134 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL ) 03135 { 03136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) ); 03137 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03138 } 03139 03140 /* 03141 * Ephemeral DH parameters: 03142 * 03143 * struct { 03144 * opaque dh_p<1..2^16-1>; 03145 * opaque dh_g<1..2^16-1>; 03146 * opaque dh_Ys<1..2^16-1>; 03147 * } ServerDHParams; 03148 */ 03149 if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx, 03150 &ssl->conf->dhm_P, 03151 &ssl->conf->dhm_G ) ) != 0 ) 03152 { 03153 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret ); 03154 return( ret ); 03155 } 03156 03157 if( ( ret = mbedtls_dhm_make_params( 03158 &ssl->handshake->dhm_ctx, 03159 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 03160 ssl->out_msg + ssl->out_msglen, &len, 03161 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03162 { 03163 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret ); 03164 return( ret ); 03165 } 03166 03167 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03168 dig_signed = ssl->out_msg + ssl->out_msglen; 03169 #endif 03170 03171 ssl->out_msglen += len; 03172 03173 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 03174 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 03175 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 03176 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 03177 } 03178 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */ 03179 03180 /* 03181 * - ECDHE key exchanges 03182 */ 03183 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) 03184 if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) ) 03185 { 03186 /* 03187 * Ephemeral ECDH parameters: 03188 * 03189 * struct { 03190 * ECParameters curve_params; 03191 * ECPoint public; 03192 * } ServerECDHParams; 03193 */ 03194 const mbedtls_ecp_curve_info **curve = NULL; 03195 const mbedtls_ecp_group_id *gid; 03196 int ret; 03197 size_t len = 0; 03198 03199 /* Match our preference list against the offered curves */ 03200 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 03201 for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) 03202 if( (*curve)->grp_id == *gid ) 03203 goto curve_matching_done; 03204 03205 curve_matching_done: 03206 if( curve == NULL || *curve == NULL ) 03207 { 03208 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); 03209 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 03210 } 03211 03212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); 03213 03214 if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx, 03215 (*curve)->grp_id ) ) != 0 ) 03216 { 03217 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); 03218 return( ret ); 03219 } 03220 03221 if( ( ret = mbedtls_ecdh_make_params( 03222 &ssl->handshake->ecdh_ctx, &len, 03223 ssl->out_msg + ssl->out_msglen, 03224 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, 03225 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03226 { 03227 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); 03228 return( ret ); 03229 } 03230 03231 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03232 dig_signed = ssl->out_msg + ssl->out_msglen; 03233 #endif 03234 03235 ssl->out_msglen += len; 03236 03237 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 03238 MBEDTLS_DEBUG_ECDH_Q ); 03239 } 03240 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ 03241 03242 /* 03243 * 03244 * Part 2: For key exchanges involving the server signing the 03245 * exchange parameters, compute and add the signature here. 03246 * 03247 */ 03248 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03249 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 03250 { 03251 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed; 03252 size_t hashlen = 0; 03253 unsigned char hash[MBEDTLS_MD_MAX_SIZE]; 03254 int ret; 03255 03256 /* 03257 * 2.1: Choose hash algorithm: 03258 * A: For TLS 1.2, obey signature-hash-algorithm extension 03259 * to choose appropriate hash. 03260 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1 03261 * (RFC 4492, Sec. 5.4) 03262 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3) 03263 */ 03264 03265 mbedtls_md_type_t md_alg; 03266 03267 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03268 mbedtls_pk_type_t sig_alg = 03269 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 03270 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03271 { 03272 /* A: For TLS 1.2, obey signature-hash-algorithm extension 03273 * (RFC 5246, Sec. 7.4.1.4.1). */ 03274 if( sig_alg == MBEDTLS_PK_NONE || 03275 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, 03276 sig_alg ) ) == MBEDTLS_MD_NONE ) 03277 { 03278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03279 /* (... because we choose a cipher suite 03280 * only if there is a matching hash.) */ 03281 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03282 } 03283 } 03284 else 03285 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03286 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03287 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03288 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 03289 { 03290 /* B: Default hash SHA1 */ 03291 md_alg = MBEDTLS_MD_SHA1; 03292 } 03293 else 03294 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03295 MBEDTLS_SSL_PROTO_TLS1_1 */ 03296 { 03297 /* C: MD5 + SHA1 */ 03298 md_alg = MBEDTLS_MD_NONE; 03299 } 03300 03301 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) ); 03302 03303 /* 03304 * 2.2: Compute the hash to be signed 03305 */ 03306 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03307 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03308 if( md_alg == MBEDTLS_MD_NONE ) 03309 { 03310 hashlen = 36; 03311 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, 03312 dig_signed, 03313 dig_signed_len ); 03314 if( ret != 0 ) 03315 return( ret ); 03316 } 03317 else 03318 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03319 MBEDTLS_SSL_PROTO_TLS1_1 */ 03320 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03321 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03322 if( md_alg != MBEDTLS_MD_NONE ) 03323 { 03324 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, 03325 dig_signed, 03326 dig_signed_len, 03327 md_alg ); 03328 if( ret != 0 ) 03329 return( ret ); 03330 } 03331 else 03332 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 03333 MBEDTLS_SSL_PROTO_TLS1_2 */ 03334 { 03335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03336 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03337 } 03338 03339 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen ); 03340 03341 /* 03342 * 2.3: Compute and add the signature 03343 */ 03344 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03345 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03346 { 03347 /* 03348 * For TLS 1.2, we need to specify signature and hash algorithm 03349 * explicitly through a prefix to the signature. 03350 * 03351 * struct { 03352 * HashAlgorithm hash; 03353 * SignatureAlgorithm signature; 03354 * } SignatureAndHashAlgorithm; 03355 * 03356 * struct { 03357 * SignatureAndHashAlgorithm algorithm; 03358 * opaque signature<0..2^16-1>; 03359 * } DigitallySigned; 03360 * 03361 */ 03362 03363 ssl->out_msg[ssl->out_msglen++] = 03364 mbedtls_ssl_hash_from_md_alg( md_alg ); 03365 ssl->out_msg[ssl->out_msglen++] = 03366 mbedtls_ssl_sig_from_pk_alg( sig_alg ); 03367 } 03368 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03369 03370 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 03371 if( ssl->conf->f_async_sign_start != NULL ) 03372 { 03373 ret = ssl->conf->f_async_sign_start( ssl, 03374 mbedtls_ssl_own_cert( ssl ), 03375 md_alg, hash, hashlen ); 03376 switch( ret ) 03377 { 03378 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: 03379 /* act as if f_async_sign was null */ 03380 break; 03381 case 0: 03382 ssl->handshake->async_in_progress = 1; 03383 return( ssl_resume_server_key_exchange( ssl, signature_len ) ); 03384 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: 03385 ssl->handshake->async_in_progress = 1; 03386 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ); 03387 default: 03388 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret ); 03389 return( ret ); 03390 } 03391 } 03392 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 03393 03394 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03395 { 03396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 03397 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03398 } 03399 03400 /* Append the signature to ssl->out_msg, leaving 2 bytes for the 03401 * signature length which will be added in ssl_write_server_key_exchange 03402 * after the call to ssl_prepare_server_key_exchange. 03403 * ssl_write_server_key_exchange also takes care of incrementing 03404 * ssl->out_msglen. */ 03405 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), 03406 md_alg, hash, hashlen, 03407 ssl->out_msg + ssl->out_msglen + 2, 03408 signature_len, 03409 ssl->conf->f_rng, 03410 ssl->conf->p_rng ) ) != 0 ) 03411 { 03412 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03413 return( ret ); 03414 } 03415 } 03416 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 03417 03418 return( 0 ); 03419 } 03420 03421 /* Prepare the ServerKeyExchange message and send it. For ciphersuites 03422 * that do not include a ServerKeyExchange message, do nothing. Either 03423 * way, if successful, move on to the next step in the SSL state 03424 * machine. */ 03425 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) 03426 { 03427 int ret; 03428 size_t signature_len = 0; 03429 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED) 03430 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03431 ssl->handshake->ciphersuite_info; 03432 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */ 03433 03434 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); 03435 03436 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED) 03437 /* Extract static ECDH parameters and abort if ServerKeyExchange 03438 * is not needed. */ 03439 if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) ) 03440 { 03441 /* For suites involving ECDH, extract DH parameters 03442 * from certificate at this point. */ 03443 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED) 03444 if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) ) 03445 { 03446 ssl_get_ecdh_params_from_cert( ssl ); 03447 } 03448 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */ 03449 03450 /* Key exchanges not involving ephemeral keys don't use 03451 * ServerKeyExchange, so end here. */ 03452 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 03453 ssl->state++; 03454 return( 0 ); 03455 } 03456 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */ 03457 03458 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \ 03459 defined(MBEDTLS_SSL_ASYNC_PRIVATE) 03460 /* If we have already prepared the message and there is an ongoing 03461 * signature operation, resume signing. */ 03462 if( ssl->handshake->async_in_progress != 0 ) 03463 { 03464 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) ); 03465 ret = ssl_resume_server_key_exchange( ssl, &signature_len ); 03466 } 03467 else 03468 #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && 03469 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ 03470 { 03471 /* ServerKeyExchange is needed. Prepare the message. */ 03472 ret = ssl_prepare_server_key_exchange( ssl, &signature_len ); 03473 } 03474 03475 if( ret != 0 ) 03476 { 03477 /* If we're starting to write a new message, set ssl->out_msglen 03478 * to 0. But if we're resuming after an asynchronous message, 03479 * out_msglen is the amount of data written so far and mst be 03480 * preserved. */ 03481 if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) 03482 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) ); 03483 else 03484 ssl->out_msglen = 0; 03485 return( ret ); 03486 } 03487 03488 /* If there is a signature, write its length. 03489 * ssl_prepare_server_key_exchange already wrote the signature 03490 * itself at its proper place in the output buffer. */ 03491 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03492 if( signature_len != 0 ) 03493 { 03494 ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 ); 03495 ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len ); 03496 03497 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", 03498 ssl->out_msg + ssl->out_msglen, 03499 signature_len ); 03500 03501 /* Skip over the already-written signature */ 03502 ssl->out_msglen += signature_len; 03503 } 03504 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 03505 03506 /* Add header and send. */ 03507 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03508 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; 03509 03510 ssl->state++; 03511 03512 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 03513 { 03514 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 03515 return( ret ); 03516 } 03517 03518 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); 03519 return( 0 ); 03520 } 03521 03522 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) 03523 { 03524 int ret; 03525 03526 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); 03527 03528 ssl->out_msglen = 4; 03529 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03530 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; 03531 03532 ssl->state++; 03533 03534 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03535 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03536 mbedtls_ssl_send_flight_completed( ssl ); 03537 #endif 03538 03539 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 03540 { 03541 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 03542 return( ret ); 03543 } 03544 03545 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03546 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03547 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) 03548 { 03549 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); 03550 return( ret ); 03551 } 03552 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03553 03554 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); 03555 03556 return( 0 ); 03557 } 03558 03559 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 03560 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03561 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p, 03562 const unsigned char *end ) 03563 { 03564 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03565 size_t n; 03566 03567 /* 03568 * Receive G^Y mod P, premaster = (G^Y)^X mod P 03569 */ 03570 if( *p + 2 > end ) 03571 { 03572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03573 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03574 } 03575 03576 n = ( (*p)[0] << 8 ) | (*p)[1]; 03577 *p += 2; 03578 03579 if( *p + n > end ) 03580 { 03581 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03582 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03583 } 03584 03585 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) 03586 { 03587 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret ); 03588 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03589 } 03590 03591 *p += n; 03592 03593 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 03594 03595 return( ret ); 03596 } 03597 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 03598 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03599 03600 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 03601 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03602 03603 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 03604 static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl, 03605 unsigned char *peer_pms, 03606 size_t *peer_pmslen, 03607 size_t peer_pmssize ) 03608 { 03609 int ret = ssl->conf->f_async_resume( ssl, 03610 peer_pms, peer_pmslen, peer_pmssize ); 03611 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) 03612 { 03613 ssl->handshake->async_in_progress = 0; 03614 mbedtls_ssl_set_async_operation_data( ssl, NULL ); 03615 } 03616 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret ); 03617 return( ret ); 03618 } 03619 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 03620 03621 static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl, 03622 const unsigned char *p, 03623 const unsigned char *end, 03624 unsigned char *peer_pms, 03625 size_t *peer_pmslen, 03626 size_t peer_pmssize ) 03627 { 03628 int ret; 03629 mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl ); 03630 mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk; 03631 size_t len = mbedtls_pk_get_len( public_key ); 03632 03633 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 03634 /* If we have already started decoding the message and there is an ongoing 03635 * decryption operation, resume signing. */ 03636 if( ssl->handshake->async_in_progress != 0 ) 03637 { 03638 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) ); 03639 return( ssl_resume_decrypt_pms( ssl, 03640 peer_pms, peer_pmslen, peer_pmssize ) ); 03641 } 03642 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 03643 03644 /* 03645 * Prepare to decrypt the premaster using own private RSA key 03646 */ 03647 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03648 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03649 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 03650 { 03651 if ( p + 2 > end ) { 03652 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03653 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03654 } 03655 if( *p++ != ( ( len >> 8 ) & 0xFF ) || 03656 *p++ != ( ( len ) & 0xFF ) ) 03657 { 03658 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03659 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03660 } 03661 } 03662 #endif 03663 03664 if( p + len != end ) 03665 { 03666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03667 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03668 } 03669 03670 /* 03671 * Decrypt the premaster secret 03672 */ 03673 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 03674 if( ssl->conf->f_async_decrypt_start != NULL ) 03675 { 03676 ret = ssl->conf->f_async_decrypt_start( ssl, 03677 mbedtls_ssl_own_cert( ssl ), 03678 p, len ); 03679 switch( ret ) 03680 { 03681 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: 03682 /* act as if f_async_decrypt_start was null */ 03683 break; 03684 case 0: 03685 ssl->handshake->async_in_progress = 1; 03686 return( ssl_resume_decrypt_pms( ssl, 03687 peer_pms, 03688 peer_pmslen, 03689 peer_pmssize ) ); 03690 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: 03691 ssl->handshake->async_in_progress = 1; 03692 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ); 03693 default: 03694 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret ); 03695 return( ret ); 03696 } 03697 } 03698 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 03699 03700 if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) ) 03701 { 03702 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); 03703 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03704 } 03705 03706 ret = mbedtls_pk_decrypt( private_key, p, len, 03707 peer_pms, peer_pmslen, peer_pmssize, 03708 ssl->conf->f_rng, ssl->conf->p_rng ); 03709 return( ret ); 03710 } 03711 03712 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, 03713 const unsigned char *p, 03714 const unsigned char *end, 03715 size_t pms_offset ) 03716 { 03717 int ret; 03718 unsigned char *pms = ssl->handshake->premaster + pms_offset; 03719 unsigned char ver[2]; 03720 unsigned char fake_pms[48], peer_pms[48]; 03721 unsigned char mask; 03722 size_t i, peer_pmslen; 03723 unsigned int diff; 03724 03725 /* In case of a failure in decryption, the decryption may write less than 03726 * 2 bytes of output, but we always read the first two bytes. It doesn't 03727 * matter in the end because diff will be nonzero in that case due to 03728 * peer_pmslen being less than 48, and we only care whether diff is 0. 03729 * But do initialize peer_pms for robustness anyway. This also makes 03730 * memory analyzers happy (don't access uninitialized memory, even 03731 * if it's an unsigned char). */ 03732 peer_pms[0] = peer_pms[1] = ~0; 03733 03734 ret = ssl_decrypt_encrypted_pms( ssl, p, end, 03735 peer_pms, 03736 &peer_pmslen, 03737 sizeof( peer_pms ) ); 03738 03739 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 03740 if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) 03741 return( ret ); 03742 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 03743 03744 mbedtls_ssl_write_version( ssl->handshake->max_major_ver, 03745 ssl->handshake->max_minor_ver, 03746 ssl->conf->transport, ver ); 03747 03748 /* Avoid data-dependent branches while checking for invalid 03749 * padding, to protect against timing-based Bleichenbacher-type 03750 * attacks. */ 03751 diff = (unsigned int) ret; 03752 diff |= peer_pmslen ^ 48; 03753 diff |= peer_pms[0] ^ ver[0]; 03754 diff |= peer_pms[1] ^ ver[1]; 03755 03756 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ 03757 /* MSVC has a warning about unary minus on unsigned, but this is 03758 * well-defined and precisely what we want to do here */ 03759 #if defined(_MSC_VER) 03760 #pragma warning( push ) 03761 #pragma warning( disable : 4146 ) 03762 #endif 03763 mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) ); 03764 #if defined(_MSC_VER) 03765 #pragma warning( pop ) 03766 #endif 03767 03768 /* 03769 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding 03770 * must not cause the connection to end immediately; instead, send a 03771 * bad_record_mac later in the handshake. 03772 * To protect against timing-based variants of the attack, we must 03773 * not have any branch that depends on whether the decryption was 03774 * successful. In particular, always generate the fake premaster secret, 03775 * regardless of whether it will ultimately influence the output or not. 03776 */ 03777 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); 03778 if( ret != 0 ) 03779 { 03780 /* It's ok to abort on an RNG failure, since this does not reveal 03781 * anything about the RSA decryption. */ 03782 return( ret ); 03783 } 03784 03785 #if defined(MBEDTLS_SSL_DEBUG_ALL) 03786 if( diff != 0 ) 03787 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03788 #endif 03789 03790 if( sizeof( ssl->handshake->premaster ) < pms_offset || 03791 sizeof( ssl->handshake->premaster ) - pms_offset < 48 ) 03792 { 03793 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03794 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03795 } 03796 ssl->handshake->pmslen = 48; 03797 03798 /* Set pms to either the true or the fake PMS, without 03799 * data-dependent branches. */ 03800 for( i = 0; i < ssl->handshake->pmslen; i++ ) 03801 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] ); 03802 03803 return( 0 ); 03804 } 03805 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 03806 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03807 03808 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 03809 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p, 03810 const unsigned char *end ) 03811 { 03812 int ret = 0; 03813 size_t n; 03814 03815 if( ssl_conf_has_psk_or_cb( ssl->conf ) == 0 ) 03816 { 03817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); 03818 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03819 } 03820 03821 /* 03822 * Receive client pre-shared key identity name 03823 */ 03824 if( end - *p < 2 ) 03825 { 03826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03827 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03828 } 03829 03830 n = ( (*p)[0] << 8 ) | (*p)[1]; 03831 *p += 2; 03832 03833 if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) ) 03834 { 03835 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03836 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03837 } 03838 03839 if( ssl->conf->f_psk != NULL ) 03840 { 03841 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 ) 03842 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03843 } 03844 else 03845 { 03846 /* Identity is not a big secret since clients send it in the clear, 03847 * but treat it carefully anyway, just in case */ 03848 if( n != ssl->conf->psk_identity_len || 03849 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) 03850 { 03851 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03852 } 03853 } 03854 03855 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) 03856 { 03857 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); 03858 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03859 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ); 03860 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); 03861 } 03862 03863 *p += n; 03864 03865 return( 0 ); 03866 } 03867 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 03868 03869 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) 03870 { 03871 int ret; 03872 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 03873 unsigned char *p, *end; 03874 03875 ciphersuite_info = ssl->handshake->ciphersuite_info; 03876 03877 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); 03878 03879 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \ 03880 ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 03881 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) ) 03882 if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03883 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) && 03884 ( ssl->handshake->async_in_progress != 0 ) ) 03885 { 03886 /* We've already read a record and there is an asynchronous 03887 * operation in progress to decrypt it. So skip reading the 03888 * record. */ 03889 MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) ); 03890 } 03891 else 03892 #endif 03893 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 03894 { 03895 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03896 return( ret ); 03897 } 03898 03899 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03900 end = ssl->in_msg + ssl->in_hslen; 03901 03902 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03903 { 03904 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03905 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03906 } 03907 03908 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE ) 03909 { 03910 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03911 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03912 } 03913 03914 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 03915 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 03916 { 03917 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03918 { 03919 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03920 return( ret ); 03921 } 03922 03923 if( p != end ) 03924 { 03925 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03926 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03927 } 03928 03929 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 03930 ssl->handshake->premaster, 03931 MBEDTLS_PREMASTER_SIZE, 03932 &ssl->handshake->pmslen, 03933 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03934 { 03935 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 03936 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03937 } 03938 03939 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 03940 } 03941 else 03942 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 03943 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 03944 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 03945 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 03946 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 03947 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 03948 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 03949 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 03950 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 03951 { 03952 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 03953 p, end - p) ) != 0 ) 03954 { 03955 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 03956 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03957 } 03958 03959 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 03960 MBEDTLS_DEBUG_ECDH_QP ); 03961 03962 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 03963 &ssl->handshake->pmslen, 03964 ssl->handshake->premaster, 03965 MBEDTLS_MPI_MAX_SIZE, 03966 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03967 { 03968 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 03969 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03970 } 03971 03972 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 03973 MBEDTLS_DEBUG_ECDH_Z ); 03974 } 03975 else 03976 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 03977 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 03978 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 03979 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 03980 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 03981 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 03982 { 03983 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03984 { 03985 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03986 return( ret ); 03987 } 03988 03989 if( p != end ) 03990 { 03991 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03992 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03993 } 03994 03995 #if defined(MBEDTLS_USE_PSA_CRYPTO) 03996 /* For opaque PSKs, we perform the PSK-to-MS derivation atomatically 03997 * and skip the intermediate PMS. */ 03998 if( ssl_use_opaque_psk( ssl ) == 1 ) 03999 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) ); 04000 else 04001 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 04002 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 04003 ciphersuite_info->key_exchange ) ) != 0 ) 04004 { 04005 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 04006 return( ret ); 04007 } 04008 } 04009 else 04010 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 04011 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 04012 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 04013 { 04014 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 04015 if ( ssl->handshake->async_in_progress != 0 ) 04016 { 04017 /* There is an asynchronous operation in progress to 04018 * decrypt the encrypted premaster secret, so skip 04019 * directly to resuming this operation. */ 04020 MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) ); 04021 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms 04022 * won't actually use it, but maintain p anyway for robustness. */ 04023 p += ssl->conf->psk_identity_len + 2; 04024 } 04025 else 04026 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 04027 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 04028 { 04029 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 04030 return( ret ); 04031 } 04032 04033 #if defined(MBEDTLS_USE_PSA_CRYPTO) 04034 /* Opaque PSKs are currently only supported for PSK-only. */ 04035 if( ssl_use_opaque_psk( ssl ) == 1 ) 04036 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 04037 #endif 04038 04039 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) 04040 { 04041 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); 04042 return( ret ); 04043 } 04044 04045 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 04046 ciphersuite_info->key_exchange ) ) != 0 ) 04047 { 04048 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 04049 return( ret ); 04050 } 04051 } 04052 else 04053 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 04054 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 04055 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 04056 { 04057 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 04058 { 04059 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 04060 return( ret ); 04061 } 04062 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 04063 { 04064 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 04065 return( ret ); 04066 } 04067 04068 #if defined(MBEDTLS_USE_PSA_CRYPTO) 04069 /* Opaque PSKs are currently only supported for PSK-only. */ 04070 if( ssl_use_opaque_psk( ssl ) == 1 ) 04071 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 04072 #endif 04073 04074 if( p != end ) 04075 { 04076 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 04077 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 04078 } 04079 04080 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 04081 ciphersuite_info->key_exchange ) ) != 0 ) 04082 { 04083 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 04084 return( ret ); 04085 } 04086 } 04087 else 04088 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 04089 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 04090 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 04091 { 04092 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 04093 { 04094 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 04095 return( ret ); 04096 } 04097 04098 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 04099 p, end - p ) ) != 0 ) 04100 { 04101 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 04102 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 04103 } 04104 04105 #if defined(MBEDTLS_USE_PSA_CRYPTO) 04106 /* Opaque PSKs are currently only supported for PSK-only. */ 04107 if( ssl_use_opaque_psk( ssl ) == 1 ) 04108 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 04109 #endif 04110 04111 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 04112 MBEDTLS_DEBUG_ECDH_QP ); 04113 04114 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 04115 ciphersuite_info->key_exchange ) ) != 0 ) 04116 { 04117 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 04118 return( ret ); 04119 } 04120 } 04121 else 04122 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 04123 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 04124 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 04125 { 04126 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 ) 04127 { 04128 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); 04129 return( ret ); 04130 } 04131 } 04132 else 04133 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 04134 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 04135 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04136 { 04137 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 04138 p, end - p ); 04139 if( ret != 0 ) 04140 { 04141 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 04142 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 04143 } 04144 04145 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 04146 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 04147 ssl->conf->f_rng, ssl->conf->p_rng ); 04148 if( ret != 0 ) 04149 { 04150 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 04151 return( ret ); 04152 } 04153 } 04154 else 04155 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 04156 { 04157 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04158 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04159 } 04160 04161 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 04162 { 04163 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 04164 return( ret ); 04165 } 04166 04167 ssl->state++; 04168 04169 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); 04170 04171 return( 0 ); 04172 } 04173 04174 #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 04175 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 04176 { 04177 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 04178 ssl->handshake->ciphersuite_info; 04179 04180 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 04181 04182 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 04183 { 04184 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 04185 ssl->state++; 04186 return( 0 ); 04187 } 04188 04189 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04190 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04191 } 04192 #else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 04193 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 04194 { 04195 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04196 size_t i, sig_len; 04197 unsigned char hash[48]; 04198 unsigned char *hash_start = hash; 04199 size_t hashlen; 04200 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04201 mbedtls_pk_type_t pk_alg; 04202 #endif 04203 mbedtls_md_type_t md_alg; 04204 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 04205 ssl->handshake->ciphersuite_info; 04206 mbedtls_pk_context * peer_pk; 04207 04208 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 04209 04210 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 04211 { 04212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 04213 ssl->state++; 04214 return( 0 ); 04215 } 04216 04217 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 04218 if( ssl->session_negotiate->peer_cert == NULL ) 04219 { 04220 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 04221 ssl->state++; 04222 return( 0 ); 04223 } 04224 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 04225 if( ssl->session_negotiate->peer_cert_digest == NULL ) 04226 { 04227 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 04228 ssl->state++; 04229 return( 0 ); 04230 } 04231 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 04232 04233 /* Read the message without adding it to the checksum */ 04234 ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ ); 04235 if( 0 != ret ) 04236 { 04237 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret ); 04238 return( ret ); 04239 } 04240 04241 ssl->state++; 04242 04243 /* Process the message contents */ 04244 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || 04245 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY ) 04246 { 04247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 04248 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 04249 } 04250 04251 i = mbedtls_ssl_hs_hdr_len( ssl ); 04252 04253 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 04254 peer_pk = &ssl->handshake->peer_pubkey; 04255 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 04256 if( ssl->session_negotiate->peer_cert == NULL ) 04257 { 04258 /* Should never happen */ 04259 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04260 } 04261 peer_pk = &ssl->session_negotiate->peer_cert->pk; 04262 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 04263 04264 /* 04265 * struct { 04266 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only 04267 * opaque signature<0..2^16-1>; 04268 * } DigitallySigned; 04269 */ 04270 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04271 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04272 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 04273 { 04274 md_alg = MBEDTLS_MD_NONE; 04275 hashlen = 36; 04276 04277 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ 04278 if( mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECDSA ) ) 04279 { 04280 hash_start += 16; 04281 hashlen -= 16; 04282 md_alg = MBEDTLS_MD_SHA1; 04283 } 04284 } 04285 else 04286 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || 04287 MBEDTLS_SSL_PROTO_TLS1_1 */ 04288 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04289 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 04290 { 04291 if( i + 2 > ssl->in_hslen ) 04292 { 04293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 04294 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 04295 } 04296 04297 /* 04298 * Hash 04299 */ 04300 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] ); 04301 04302 if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) ) 04303 { 04304 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 04305 " for verify message" ) ); 04306 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 04307 } 04308 04309 #if !defined(MBEDTLS_MD_SHA1) 04310 if( MBEDTLS_MD_SHA1 == md_alg ) 04311 hash_start += 16; 04312 #endif 04313 04314 /* Info from md_alg will be used instead */ 04315 hashlen = 0; 04316 04317 i++; 04318 04319 /* 04320 * Signature 04321 */ 04322 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) ) 04323 == MBEDTLS_PK_NONE ) 04324 { 04325 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 04326 " for verify message" ) ); 04327 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 04328 } 04329 04330 /* 04331 * Check the certificate's key type matches the signature alg 04332 */ 04333 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) ) 04334 { 04335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); 04336 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 04337 } 04338 04339 i++; 04340 } 04341 else 04342 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04343 { 04344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04345 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04346 } 04347 04348 if( i + 2 > ssl->in_hslen ) 04349 { 04350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 04351 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 04352 } 04353 04354 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1]; 04355 i += 2; 04356 04357 if( i + sig_len != ssl->in_hslen ) 04358 { 04359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 04360 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 04361 } 04362 04363 /* Calculate hash and verify signature */ 04364 { 04365 size_t dummy_hlen; 04366 ssl->handshake->calc_verify( ssl, hash, &dummy_hlen ); 04367 } 04368 04369 if( ( ret = mbedtls_pk_verify( peer_pk, 04370 md_alg, hash_start, hashlen, 04371 ssl->in_msg + i, sig_len ) ) != 0 ) 04372 { 04373 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 04374 return( ret ); 04375 } 04376 04377 mbedtls_ssl_update_handshake_status( ssl ); 04378 04379 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); 04380 04381 return( ret ); 04382 } 04383 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 04384 04385 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 04386 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) 04387 { 04388 int ret; 04389 size_t tlen; 04390 uint32_t lifetime; 04391 04392 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); 04393 04394 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 04395 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; 04396 04397 /* 04398 * struct { 04399 * uint32 ticket_lifetime_hint; 04400 * opaque ticket<0..2^16-1>; 04401 * } NewSessionTicket; 04402 * 04403 * 4 . 7 ticket_lifetime_hint (0 = unspecified) 04404 * 8 . 9 ticket_len (n) 04405 * 10 . 9+n ticket content 04406 */ 04407 04408 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, 04409 ssl->session_negotiate, 04410 ssl->out_msg + 10, 04411 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, 04412 &tlen, &lifetime ) ) != 0 ) 04413 { 04414 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret ); 04415 tlen = 0; 04416 } 04417 04418 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF; 04419 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF; 04420 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF; 04421 ssl->out_msg[7] = ( lifetime ) & 0xFF; 04422 04423 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 04424 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF ); 04425 04426 ssl->out_msglen = 10 + tlen; 04427 04428 /* 04429 * Morally equivalent to updating ssl->state, but NewSessionTicket and 04430 * ChangeCipherSpec share the same state. 04431 */ 04432 ssl->handshake->new_session_ticket = 0; 04433 04434 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 04435 { 04436 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 04437 return( ret ); 04438 } 04439 04440 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); 04441 04442 return( 0 ); 04443 } 04444 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 04445 04446 /* 04447 * SSL handshake -- server side -- single step 04448 */ 04449 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) 04450 { 04451 int ret = 0; 04452 04453 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 04454 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04455 04456 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); 04457 04458 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 04459 return( ret ); 04460 04461 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04462 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 04463 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 04464 { 04465 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) 04466 return( ret ); 04467 } 04468 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 04469 04470 switch( ssl->state ) 04471 { 04472 case MBEDTLS_SSL_HELLO_REQUEST: 04473 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 04474 break; 04475 04476 /* 04477 * <== ClientHello 04478 */ 04479 case MBEDTLS_SSL_CLIENT_HELLO: 04480 ret = ssl_parse_client_hello( ssl ); 04481 break; 04482 04483 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04484 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: 04485 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 04486 #endif 04487 04488 /* 04489 * ==> ServerHello 04490 * Certificate 04491 * ( ServerKeyExchange ) 04492 * ( CertificateRequest ) 04493 * ServerHelloDone 04494 */ 04495 case MBEDTLS_SSL_SERVER_HELLO: 04496 ret = ssl_write_server_hello( ssl ); 04497 break; 04498 04499 case MBEDTLS_SSL_SERVER_CERTIFICATE: 04500 ret = mbedtls_ssl_write_certificate( ssl ); 04501 break; 04502 04503 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 04504 ret = ssl_write_server_key_exchange( ssl ); 04505 break; 04506 04507 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 04508 ret = ssl_write_certificate_request( ssl ); 04509 break; 04510 04511 case MBEDTLS_SSL_SERVER_HELLO_DONE: 04512 ret = ssl_write_server_hello_done( ssl ); 04513 break; 04514 04515 /* 04516 * <== ( Certificate/Alert ) 04517 * ClientKeyExchange 04518 * ( CertificateVerify ) 04519 * ChangeCipherSpec 04520 * Finished 04521 */ 04522 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 04523 ret = mbedtls_ssl_parse_certificate( ssl ); 04524 break; 04525 04526 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 04527 ret = ssl_parse_client_key_exchange( ssl ); 04528 break; 04529 04530 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 04531 ret = ssl_parse_certificate_verify( ssl ); 04532 break; 04533 04534 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 04535 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 04536 break; 04537 04538 case MBEDTLS_SSL_CLIENT_FINISHED: 04539 ret = mbedtls_ssl_parse_finished( ssl ); 04540 break; 04541 04542 /* 04543 * ==> ( NewSessionTicket ) 04544 * ChangeCipherSpec 04545 * Finished 04546 */ 04547 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 04548 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 04549 if( ssl->handshake->new_session_ticket != 0 ) 04550 ret = ssl_write_new_session_ticket( ssl ); 04551 else 04552 #endif 04553 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 04554 break; 04555 04556 case MBEDTLS_SSL_SERVER_FINISHED: 04557 ret = mbedtls_ssl_write_finished( ssl ); 04558 break; 04559 04560 case MBEDTLS_SSL_FLUSH_BUFFERS: 04561 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 04562 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 04563 break; 04564 04565 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 04566 mbedtls_ssl_handshake_wrapup( ssl ); 04567 break; 04568 04569 default: 04570 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 04571 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04572 } 04573 04574 return( ret ); 04575 } 04576 #endif /* MBEDTLS_SSL_SRV_C */
Generated on Tue Jul 12 2022 13:54:53 by
1.7.2