Jan Korycan
/
WNCInterface
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependencies: WncControllerK64F
Fork of
WNCInterface
by 
Jan Korycan
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_CLI_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #include <stdint.h> 00045 00046 #if defined(MBEDTLS_HAVE_TIME) 00047 #include "mbedtls/platform_time.h" 00048 #endif 00049 00050 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00051 /* Implementation that should never be optimized out by the compiler */ 00052 static void mbedtls_zeroize( void *v, size_t n ) { 00053 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00054 } 00055 #endif 00056 00057 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00058 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 00059 unsigned char *buf, 00060 size_t *olen ) 00061 { 00062 unsigned char *p = buf; 00063 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00064 size_t hostname_len; 00065 00066 *olen = 0; 00067 00068 if( ssl->hostname == NULL ) 00069 return; 00070 00071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00072 ssl->hostname ) ); 00073 00074 hostname_len = strlen( ssl->hostname ); 00075 00076 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 00077 { 00078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00079 return; 00080 } 00081 00082 /* 00083 * struct { 00084 * NameType name_type; 00085 * select (name_type) { 00086 * case host_name: HostName; 00087 * } name; 00088 * } ServerName; 00089 * 00090 * enum { 00091 * host_name(0), (255) 00092 * } NameType; 00093 * 00094 * opaque HostName<1..2^16-1>; 00095 * 00096 * struct { 00097 * ServerName server_name_list<1..2^16-1> 00098 * } ServerNameList; 00099 */ 00100 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00101 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 00102 00103 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 00104 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 00105 00106 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 00107 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 00108 00109 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00110 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 00111 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 00112 00113 memcpy( p, ssl->hostname, hostname_len ); 00114 00115 *olen = hostname_len + 9; 00116 } 00117 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00118 00119 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00120 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 00121 unsigned char *buf, 00122 size_t *olen ) 00123 { 00124 unsigned char *p = buf; 00125 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00126 00127 *olen = 0; 00128 00129 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00130 return; 00131 00132 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00133 00134 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 00135 { 00136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00137 return; 00138 } 00139 00140 /* 00141 * Secure renegotiation 00142 */ 00143 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00144 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00145 00146 *p++ = 0x00; 00147 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00148 *p++ = ssl->verify_data_len & 0xFF; 00149 00150 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00151 00152 *olen = 5 + ssl->verify_data_len; 00153 } 00154 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00155 00156 /* 00157 * Only if we handle at least one key exchange that needs signatures. 00158 */ 00159 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00160 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00161 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00162 unsigned char *buf, 00163 size_t *olen ) 00164 { 00165 unsigned char *p = buf; 00166 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00167 size_t sig_alg_len = 0; 00168 const int *md; 00169 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 00170 unsigned char *sig_alg_list = buf + 6; 00171 #endif 00172 00173 *olen = 0; 00174 00175 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 00176 return; 00177 00178 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00179 00180 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00181 { 00182 #if defined(MBEDTLS_ECDSA_C) 00183 sig_alg_len += 2; 00184 #endif 00185 #if defined(MBEDTLS_RSA_C) 00186 sig_alg_len += 2; 00187 #endif 00188 } 00189 00190 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 00191 { 00192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00193 return; 00194 } 00195 00196 /* 00197 * Prepare signature_algorithms extension (TLS 1.2) 00198 */ 00199 sig_alg_len = 0; 00200 00201 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00202 { 00203 #if defined(MBEDTLS_ECDSA_C) 00204 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00205 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 00206 #endif 00207 #if defined(MBEDTLS_RSA_C) 00208 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00209 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 00210 #endif 00211 } 00212 00213 /* 00214 * enum { 00215 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00216 * sha512(6), (255) 00217 * } HashAlgorithm; 00218 * 00219 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00220 * SignatureAlgorithm; 00221 * 00222 * struct { 00223 * HashAlgorithm hash; 00224 * SignatureAlgorithm signature; 00225 * } SignatureAndHashAlgorithm; 00226 * 00227 * SignatureAndHashAlgorithm 00228 * supported_signature_algorithms<2..2^16-2>; 00229 */ 00230 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00231 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 00232 00233 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00234 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00235 00236 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00237 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00238 00239 *olen = 6 + sig_alg_len; 00240 } 00241 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00242 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00243 00244 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00245 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00246 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 00247 unsigned char *buf, 00248 size_t *olen ) 00249 { 00250 unsigned char *p = buf; 00251 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00252 unsigned char *elliptic_curve_list = p + 6; 00253 size_t elliptic_curve_len = 0; 00254 const mbedtls_ecp_curve_info *info; 00255 #if defined(MBEDTLS_ECP_C) 00256 const mbedtls_ecp_group_id *grp_id; 00257 #else 00258 ((void) ssl); 00259 #endif 00260 00261 *olen = 0; 00262 00263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00264 00265 #if defined(MBEDTLS_ECP_C) 00266 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00267 { 00268 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00269 #else 00270 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00271 { 00272 #endif 00273 if( info == NULL ) 00274 { 00275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); 00276 return; 00277 } 00278 00279 elliptic_curve_len += 2; 00280 } 00281 00282 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 00283 { 00284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00285 return; 00286 } 00287 00288 elliptic_curve_len = 0; 00289 00290 #if defined(MBEDTLS_ECP_C) 00291 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00292 { 00293 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00294 #else 00295 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00296 { 00297 #endif 00298 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00299 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00300 } 00301 00302 if( elliptic_curve_len == 0 ) 00303 return; 00304 00305 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00306 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00307 00308 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00309 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00310 00311 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00312 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00313 00314 *olen = 6 + elliptic_curve_len; 00315 } 00316 00317 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 00318 unsigned char *buf, 00319 size_t *olen ) 00320 { 00321 unsigned char *p = buf; 00322 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00323 00324 *olen = 0; 00325 00326 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00327 00328 if( end < p || (size_t)( end - p ) < 6 ) 00329 { 00330 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00331 return; 00332 } 00333 00334 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00335 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00336 00337 *p++ = 0x00; 00338 *p++ = 2; 00339 00340 *p++ = 1; 00341 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 00342 00343 *olen = 6; 00344 } 00345 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00346 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00347 00348 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00349 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 00350 unsigned char *buf, 00351 size_t *olen ) 00352 { 00353 int ret; 00354 unsigned char *p = buf; 00355 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00356 size_t kkpp_len; 00357 00358 *olen = 0; 00359 00360 /* Skip costly extension if we can't use EC J-PAKE anyway */ 00361 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00362 return; 00363 00364 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 00365 00366 if( end - p < 4 ) 00367 { 00368 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00369 return; 00370 } 00371 00372 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 00373 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 00374 00375 /* 00376 * We may need to send ClientHello multiple times for Hello verification. 00377 * We don't want to compute fresh values every time (both for performance 00378 * and consistency reasons), so cache the extension content. 00379 */ 00380 if( ssl->handshake->ecjpake_cache == NULL || 00381 ssl->handshake->ecjpake_cache_len == 0 ) 00382 { 00383 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 00384 00385 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 00386 p + 2, end - p - 2, &kkpp_len, 00387 ssl->conf->f_rng, ssl->conf->p_rng ); 00388 if( ret != 0 ) 00389 { 00390 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 00391 return; 00392 } 00393 00394 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 00395 if( ssl->handshake->ecjpake_cache == NULL ) 00396 { 00397 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 00398 return; 00399 } 00400 00401 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 00402 ssl->handshake->ecjpake_cache_len = kkpp_len; 00403 } 00404 else 00405 { 00406 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 00407 00408 kkpp_len = ssl->handshake->ecjpake_cache_len; 00409 00410 if( (size_t)( end - p - 2 ) < kkpp_len ) 00411 { 00412 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00413 return; 00414 } 00415 00416 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 00417 } 00418 00419 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 00420 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 00421 00422 *olen = kkpp_len + 4; 00423 } 00424 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00425 00426 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00427 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00428 unsigned char *buf, 00429 size_t *olen ) 00430 { 00431 unsigned char *p = buf; 00432 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00433 00434 *olen = 0; 00435 00436 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 00437 return; 00438 } 00439 00440 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00441 00442 if( end < p || (size_t)( end - p ) < 5 ) 00443 { 00444 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00445 return; 00446 } 00447 00448 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00449 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00450 00451 *p++ = 0x00; 00452 *p++ = 1; 00453 00454 *p++ = ssl->conf->mfl_code; 00455 00456 *olen = 5; 00457 } 00458 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00459 00460 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00461 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00462 unsigned char *buf, size_t *olen ) 00463 { 00464 unsigned char *p = buf; 00465 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00466 00467 *olen = 0; 00468 00469 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 00470 { 00471 return; 00472 } 00473 00474 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00475 00476 if( end < p || (size_t)( end - p ) < 4 ) 00477 { 00478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00479 return; 00480 } 00481 00482 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00483 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00484 00485 *p++ = 0x00; 00486 *p++ = 0x00; 00487 00488 *olen = 4; 00489 } 00490 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00491 00492 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00493 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00494 unsigned char *buf, size_t *olen ) 00495 { 00496 unsigned char *p = buf; 00497 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00498 00499 *olen = 0; 00500 00501 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 00502 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00503 { 00504 return; 00505 } 00506 00507 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00508 "extension" ) ); 00509 00510 if( end < p || (size_t)( end - p ) < 4 ) 00511 { 00512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00513 return; 00514 } 00515 00516 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00517 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00518 00519 *p++ = 0x00; 00520 *p++ = 0x00; 00521 00522 *olen = 4; 00523 } 00524 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00525 00526 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00527 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 00528 unsigned char *buf, size_t *olen ) 00529 { 00530 unsigned char *p = buf; 00531 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00532 00533 *olen = 0; 00534 00535 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 00536 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00537 { 00538 return; 00539 } 00540 00541 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00542 "extension" ) ); 00543 00544 if( end < p || (size_t)( end - p ) < 4 ) 00545 { 00546 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00547 return; 00548 } 00549 00550 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00551 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00552 00553 *p++ = 0x00; 00554 *p++ = 0x00; 00555 00556 *olen = 4; 00557 } 00558 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00559 00560 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00561 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 00562 unsigned char *buf, size_t *olen ) 00563 { 00564 unsigned char *p = buf; 00565 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00566 size_t tlen = ssl->session_negotiate->ticket_len; 00567 00568 *olen = 0; 00569 00570 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 00571 { 00572 return; 00573 } 00574 00575 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00576 00577 if( end < p || (size_t)( end - p ) < 4 + tlen ) 00578 { 00579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00580 return; 00581 } 00582 00583 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00584 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 00585 00586 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00587 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00588 00589 *olen = 4; 00590 00591 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 00592 { 00593 return; 00594 } 00595 00596 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00597 00598 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00599 00600 *olen += tlen; 00601 } 00602 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00603 00604 #if defined(MBEDTLS_SSL_ALPN) 00605 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 00606 unsigned char *buf, size_t *olen ) 00607 { 00608 unsigned char *p = buf; 00609 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00610 size_t alpnlen = 0; 00611 const char **cur; 00612 00613 *olen = 0; 00614 00615 if( ssl->conf->alpn_list == NULL ) 00616 { 00617 return; 00618 } 00619 00620 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00621 00622 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00623 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 00624 00625 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 00626 { 00627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00628 return; 00629 } 00630 00631 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 00632 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 00633 00634 /* 00635 * opaque ProtocolName<1..2^8-1>; 00636 * 00637 * struct { 00638 * ProtocolName protocol_name_list<2..2^16-1> 00639 * } ProtocolNameList; 00640 */ 00641 00642 /* Skip writing extension and list length for now */ 00643 p += 4; 00644 00645 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00646 { 00647 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00648 memcpy( p + 1, *cur, *p ); 00649 p += 1 + *p; 00650 } 00651 00652 *olen = p - buf; 00653 00654 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00655 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00656 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00657 00658 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00659 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00660 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00661 } 00662 #endif /* MBEDTLS_SSL_ALPN */ 00663 00664 /* 00665 * Generate random bytes for ClientHello 00666 */ 00667 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 00668 { 00669 int ret; 00670 unsigned char *p = ssl->handshake->randbytes; 00671 #if defined(MBEDTLS_HAVE_TIME) 00672 mbedtls_time_t t; 00673 #endif 00674 00675 /* 00676 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 00677 */ 00678 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00679 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00680 ssl->handshake->verify_cookie != NULL ) 00681 { 00682 return( 0 ); 00683 } 00684 #endif 00685 00686 #if defined(MBEDTLS_HAVE_TIME) 00687 t = mbedtls_time( NULL ); 00688 *p++ = (unsigned char)( t >> 24 ); 00689 *p++ = (unsigned char)( t >> 16 ); 00690 *p++ = (unsigned char)( t >> 8 ); 00691 *p++ = (unsigned char)( t ); 00692 00693 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00694 #else 00695 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 00696 return( ret ); 00697 00698 p += 4; 00699 #endif /* MBEDTLS_HAVE_TIME */ 00700 00701 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 00702 return( ret ); 00703 00704 return( 0 ); 00705 } 00706 00707 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 00708 { 00709 int ret; 00710 size_t i, n, olen, ext_len = 0; 00711 unsigned char *buf; 00712 unsigned char *p, *q; 00713 unsigned char offer_compress; 00714 const int *ciphersuites; 00715 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00716 00717 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00718 00719 if( ssl->conf->f_rng == NULL ) 00720 { 00721 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00722 return( MBEDTLS_ERR_SSL_NO_RNG ); 00723 } 00724 00725 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00726 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00727 #endif 00728 { 00729 ssl->major_ver = ssl->conf->min_major_ver; 00730 ssl->minor_ver = ssl->conf->min_minor_ver; 00731 } 00732 00733 if( ssl->conf->max_major_ver == 0 ) 00734 { 00735 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 00736 "consider using mbedtls_ssl_config_defaults()" ) ); 00737 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00738 } 00739 00740 /* 00741 * 0 . 0 handshake type 00742 * 1 . 3 handshake length 00743 * 4 . 5 highest version supported 00744 * 6 . 9 current UNIX time 00745 * 10 . 37 random bytes 00746 */ 00747 buf = ssl->out_msg; 00748 p = buf + 4; 00749 00750 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 00751 ssl->conf->transport, p ); 00752 p += 2; 00753 00754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00755 buf[4], buf[5] ) ); 00756 00757 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 00758 { 00759 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 00760 return( ret ); 00761 } 00762 00763 memcpy( p, ssl->handshake->randbytes, 32 ); 00764 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 00765 p += 32; 00766 00767 /* 00768 * 38 . 38 session id length 00769 * 39 . 39+n session id 00770 * 39+n . 39+n DTLS only: cookie length (1 byte) 00771 * 40+n . .. DTSL only: cookie 00772 * .. . .. ciphersuitelist length (2 bytes) 00773 * .. . .. ciphersuitelist 00774 * .. . .. compression methods length (1 byte) 00775 * .. . .. compression methods 00776 * .. . .. extensions length (2 bytes) 00777 * .. . .. extensions 00778 */ 00779 n = ssl->session_negotiate->id_len; 00780 00781 if( n < 16 || n > 32 || 00782 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00783 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 00784 #endif 00785 ssl->handshake->resume == 0 ) 00786 { 00787 n = 0; 00788 } 00789 00790 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00791 /* 00792 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00793 * generate and include a Session ID in the TLS ClientHello." 00794 */ 00795 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00796 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00797 #endif 00798 { 00799 if( ssl->session_negotiate->ticket != NULL && 00800 ssl->session_negotiate->ticket_len != 0 ) 00801 { 00802 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 00803 00804 if( ret != 0 ) 00805 return( ret ); 00806 00807 ssl->session_negotiate->id_len = n = 32; 00808 } 00809 } 00810 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00811 00812 *p++ = (unsigned char) n; 00813 00814 for( i = 0; i < n; i++ ) 00815 *p++ = ssl->session_negotiate->id[i]; 00816 00817 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00818 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00819 00820 /* 00821 * DTLS cookie 00822 */ 00823 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00824 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00825 { 00826 if( ssl->handshake->verify_cookie == NULL ) 00827 { 00828 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 00829 *p++ = 0; 00830 } 00831 else 00832 { 00833 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 00834 ssl->handshake->verify_cookie, 00835 ssl->handshake->verify_cookie_len ); 00836 00837 *p++ = ssl->handshake->verify_cookie_len; 00838 memcpy( p, ssl->handshake->verify_cookie, 00839 ssl->handshake->verify_cookie_len ); 00840 p += ssl->handshake->verify_cookie_len; 00841 } 00842 } 00843 #endif 00844 00845 /* 00846 * Ciphersuite list 00847 */ 00848 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 00849 00850 /* Skip writing ciphersuite length for now */ 00851 n = 0; 00852 q = p; 00853 p += 2; 00854 00855 for( i = 0; ciphersuites[i] != 0; i++ ) 00856 { 00857 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 00858 00859 if( ciphersuite_info == NULL ) 00860 continue; 00861 00862 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver || 00863 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver ) 00864 continue; 00865 00866 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00867 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00868 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00869 continue; 00870 #endif 00871 00872 #if defined(MBEDTLS_ARC4_C) 00873 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00874 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00875 continue; 00876 #endif 00877 00878 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00879 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00880 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00881 continue; 00882 #endif 00883 00884 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 00885 ciphersuites[i] ) ); 00886 00887 n++; 00888 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00889 *p++ = (unsigned char)( ciphersuites[i] ); 00890 } 00891 00892 /* 00893 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00894 */ 00895 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00896 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00897 #endif 00898 { 00899 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00900 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 00901 n++; 00902 } 00903 00904 /* Some versions of OpenSSL don't handle it correctly if not at end */ 00905 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 00906 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 00907 { 00908 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 00909 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 00910 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 00911 n++; 00912 } 00913 #endif 00914 00915 *q++ = (unsigned char)( n >> 7 ); 00916 *q++ = (unsigned char)( n << 1 ); 00917 00918 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); 00919 00920 #if defined(MBEDTLS_ZLIB_SUPPORT) 00921 offer_compress = 1; 00922 #else 00923 offer_compress = 0; 00924 #endif 00925 00926 /* 00927 * We don't support compression with DTLS right now: is many records come 00928 * in the same datagram, uncompressing one could overwrite the next one. 00929 * We don't want to add complexity for handling that case unless there is 00930 * an actual need for it. 00931 */ 00932 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00933 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00934 offer_compress = 0; 00935 #endif 00936 00937 if( offer_compress ) 00938 { 00939 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00940 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00941 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 00942 00943 *p++ = 2; 00944 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 00945 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00946 } 00947 else 00948 { 00949 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00950 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 00951 MBEDTLS_SSL_COMPRESS_NULL ) ); 00952 00953 *p++ = 1; 00954 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00955 } 00956 00957 // First write extensions, then the total length 00958 // 00959 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00960 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 00961 ext_len += olen; 00962 #endif 00963 00964 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00965 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 00966 ext_len += olen; 00967 #endif 00968 00969 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00970 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00971 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 00972 ext_len += olen; 00973 #endif 00974 00975 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00976 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00977 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 00978 ext_len += olen; 00979 00980 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 00981 ext_len += olen; 00982 #endif 00983 00984 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00985 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 00986 ext_len += olen; 00987 #endif 00988 00989 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00990 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 00991 ext_len += olen; 00992 #endif 00993 00994 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00995 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 00996 ext_len += olen; 00997 #endif 00998 00999 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01000 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 01001 ext_len += olen; 01002 #endif 01003 01004 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01005 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 01006 ext_len += olen; 01007 #endif 01008 01009 #if defined(MBEDTLS_SSL_ALPN) 01010 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01011 ext_len += olen; 01012 #endif 01013 01014 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01015 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01016 ext_len += olen; 01017 #endif 01018 01019 /* olen unused if all extensions are disabled */ 01020 ((void) olen); 01021 01022 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 01023 ext_len ) ); 01024 01025 if( ext_len > 0 ) 01026 { 01027 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01028 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01029 p += ext_len; 01030 } 01031 01032 ssl->out_msglen = p - buf; 01033 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 01034 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 01035 01036 ssl->state++; 01037 01038 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01039 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01040 mbedtls_ssl_send_flight_completed( ssl ); 01041 #endif 01042 01043 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 01044 { 01045 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 01046 return( ret ); 01047 } 01048 01049 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 01050 01051 return( 0 ); 01052 } 01053 01054 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 01055 const unsigned char *buf, 01056 size_t len ) 01057 { 01058 int ret; 01059 01060 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01061 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01062 { 01063 /* Check verify-data in constant-time. The length OTOH is no secret */ 01064 if( len != 1 + ssl->verify_data_len * 2 || 01065 buf[0] != ssl->verify_data_len * 2 || 01066 mbedtls_ssl_safer_memcmp( buf + 1, 01067 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 01068 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 01069 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 01070 { 01071 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 01072 01073 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01074 return( ret ); 01075 01076 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01077 } 01078 } 01079 else 01080 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01081 { 01082 if( len != 1 || buf[0] != 0x00 ) 01083 { 01084 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 01085 01086 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01087 return( ret ); 01088 01089 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01090 } 01091 01092 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01093 } 01094 01095 return( 0 ); 01096 } 01097 01098 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01099 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 01100 const unsigned char *buf, 01101 size_t len ) 01102 { 01103 /* 01104 * server should use the extension only if we did, 01105 * and if so the server's value should match ours (and len is always 1) 01106 */ 01107 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 01108 len != 1 || 01109 buf[0] != ssl->conf->mfl_code ) 01110 { 01111 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01112 } 01113 01114 return( 0 ); 01115 } 01116 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01117 01118 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01119 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01120 const unsigned char *buf, 01121 size_t len ) 01122 { 01123 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 01124 len != 0 ) 01125 { 01126 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01127 } 01128 01129 ((void) buf); 01130 01131 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 01132 01133 return( 0 ); 01134 } 01135 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01136 01137 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01138 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01139 const unsigned char *buf, 01140 size_t len ) 01141 { 01142 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 01143 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01144 len != 0 ) 01145 { 01146 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01147 } 01148 01149 ((void) buf); 01150 01151 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 01152 01153 return( 0 ); 01154 } 01155 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01156 01157 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01158 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 01159 const unsigned char *buf, 01160 size_t len ) 01161 { 01162 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01163 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01164 len != 0 ) 01165 { 01166 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01167 } 01168 01169 ((void) buf); 01170 01171 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 01172 01173 return( 0 ); 01174 } 01175 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01176 01177 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01178 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 01179 const unsigned char *buf, 01180 size_t len ) 01181 { 01182 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 01183 len != 0 ) 01184 { 01185 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01186 } 01187 01188 ((void) buf); 01189 01190 ssl->handshake->new_session_ticket = 1; 01191 01192 return( 0 ); 01193 } 01194 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01195 01196 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01197 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01198 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 01199 const unsigned char *buf, 01200 size_t len ) 01201 { 01202 size_t list_size; 01203 const unsigned char *p; 01204 01205 list_size = buf[0]; 01206 if( list_size + 1 != len ) 01207 { 01208 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01209 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01210 } 01211 01212 p = buf + 1; 01213 while( list_size > 0 ) 01214 { 01215 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 01216 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 01217 { 01218 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 01219 ssl->handshake->ecdh_ctx.point_format = p[0]; 01220 #endif 01221 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01222 ssl->handshake->ecjpake_ctx.point_format = p[0]; 01223 #endif 01224 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 01225 return( 0 ); 01226 } 01227 01228 list_size--; 01229 p++; 01230 } 01231 01232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 01233 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01234 } 01235 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01236 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01237 01238 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01239 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 01240 const unsigned char *buf, 01241 size_t len ) 01242 { 01243 int ret; 01244 01245 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 01246 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 01247 { 01248 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 01249 return( 0 ); 01250 } 01251 01252 /* If we got here, we no longer need our cached extension */ 01253 mbedtls_free( ssl->handshake->ecjpake_cache ); 01254 ssl->handshake->ecjpake_cache = NULL; 01255 ssl->handshake->ecjpake_cache_len = 0; 01256 01257 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 01258 buf, len ) ) != 0 ) 01259 { 01260 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 01261 return( ret ); 01262 } 01263 01264 return( 0 ); 01265 } 01266 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01267 01268 #if defined(MBEDTLS_SSL_ALPN) 01269 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 01270 const unsigned char *buf, size_t len ) 01271 { 01272 size_t list_len, name_len; 01273 const char **p; 01274 01275 /* If we didn't send it, the server shouldn't send it */ 01276 if( ssl->conf->alpn_list == NULL ) 01277 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01278 01279 /* 01280 * opaque ProtocolName<1..2^8-1>; 01281 * 01282 * struct { 01283 * ProtocolName protocol_name_list<2..2^16-1> 01284 * } ProtocolNameList; 01285 * 01286 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 01287 */ 01288 01289 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 01290 if( len < 4 ) 01291 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01292 01293 list_len = ( buf[0] << 8 ) | buf[1]; 01294 if( list_len != len - 2 ) 01295 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01296 01297 name_len = buf[2]; 01298 if( name_len != list_len - 1 ) 01299 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01300 01301 /* Check that the server chosen protocol was in our list and save it */ 01302 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 01303 { 01304 if( name_len == strlen( *p ) && 01305 memcmp( buf + 3, *p, name_len ) == 0 ) 01306 { 01307 ssl->alpn_chosen = *p; 01308 return( 0 ); 01309 } 01310 } 01311 01312 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01313 } 01314 #endif /* MBEDTLS_SSL_ALPN */ 01315 01316 /* 01317 * Parse HelloVerifyRequest. Only called after verifying the HS type. 01318 */ 01319 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01320 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 01321 { 01322 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 01323 int major_ver, minor_ver; 01324 unsigned char cookie_len; 01325 01326 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 01327 01328 /* 01329 * struct { 01330 * ProtocolVersion server_version; 01331 * opaque cookie<0..2^8-1>; 01332 * } HelloVerifyRequest; 01333 */ 01334 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 01335 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 01336 p += 2; 01337 01338 /* 01339 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 01340 * even is lower than our min version. 01341 */ 01342 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 01343 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 01344 major_ver > ssl->conf->max_major_ver || 01345 minor_ver > ssl->conf->max_minor_ver ) 01346 { 01347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 01348 01349 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01350 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01351 01352 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01353 } 01354 01355 cookie_len = *p++; 01356 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 01357 01358 mbedtls_free( ssl->handshake->verify_cookie ); 01359 01360 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 01361 if( ssl->handshake->verify_cookie == NULL ) 01362 { 01363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 01364 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 01365 } 01366 01367 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 01368 ssl->handshake->verify_cookie_len = cookie_len; 01369 01370 /* Start over at ClientHello */ 01371 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 01372 mbedtls_ssl_reset_checksum( ssl ); 01373 01374 mbedtls_ssl_recv_flight_completed( ssl ); 01375 01376 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 01377 01378 return( 0 ); 01379 } 01380 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01381 01382 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 01383 { 01384 int ret, i; 01385 size_t n; 01386 size_t ext_len; 01387 unsigned char *buf, *ext; 01388 unsigned char comp; 01389 #if defined(MBEDTLS_ZLIB_SUPPORT) 01390 int accept_comp; 01391 #endif 01392 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01393 int renegotiation_info_seen = 0; 01394 #endif 01395 int handshake_failure = 0; 01396 const mbedtls_ssl_ciphersuite_t *suite_info; 01397 #if defined(MBEDTLS_DEBUG_C) 01398 uint32_t t; 01399 #endif 01400 01401 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01402 01403 buf = ssl->in_msg; 01404 01405 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 01406 { 01407 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 01408 return( ret ); 01409 } 01410 01411 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 01412 { 01413 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01414 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01415 { 01416 ssl->renego_records_seen++; 01417 01418 if( ssl->conf->renego_max_records >= 0 && 01419 ssl->renego_records_seen > ssl->conf->renego_max_records ) 01420 { 01421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01422 "but not honored by server" ) ); 01423 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01424 } 01425 01426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01427 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01428 } 01429 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01430 01431 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01432 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01433 } 01434 01435 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01436 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01437 { 01438 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 01439 { 01440 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 01441 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01442 return( ssl_parse_hello_verify_request( ssl ) ); 01443 } 01444 else 01445 { 01446 /* We made it through the verification process */ 01447 mbedtls_free( ssl->handshake->verify_cookie ); 01448 ssl->handshake->verify_cookie = NULL; 01449 ssl->handshake->verify_cookie_len = 0; 01450 } 01451 } 01452 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01453 01454 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 01455 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 01456 { 01457 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01458 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01459 } 01460 01461 /* 01462 * 0 . 1 server_version 01463 * 2 . 33 random (maybe including 4 bytes of Unix time) 01464 * 34 . 34 session_id length = n 01465 * 35 . 34+n session_id 01466 * 35+n . 36+n cipher_suite 01467 * 37+n . 37+n compression_method 01468 * 01469 * 38+n . 39+n extensions length (optional) 01470 * 40+n . .. extensions 01471 */ 01472 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01473 01474 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 01475 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01476 ssl->conf->transport, buf + 0 ); 01477 01478 if( ssl->major_ver < ssl->conf->min_major_ver || 01479 ssl->minor_ver < ssl->conf->min_minor_ver || 01480 ssl->major_ver > ssl->conf->max_major_ver || 01481 ssl->minor_ver > ssl->conf->max_minor_ver ) 01482 { 01483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 01484 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 01485 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 01486 ssl->major_ver, ssl->minor_ver, 01487 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 01488 01489 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01490 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01491 01492 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01493 } 01494 01495 #if defined(MBEDTLS_DEBUG_C) 01496 t = ( (uint32_t) buf[2] << 24 ) 01497 | ( (uint32_t) buf[3] << 16 ) 01498 | ( (uint32_t) buf[4] << 8 ) 01499 | ( (uint32_t) buf[5] ); 01500 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 01501 #endif 01502 01503 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 01504 01505 n = buf[34]; 01506 01507 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 01508 01509 if( n > 32 ) 01510 { 01511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01512 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01513 } 01514 01515 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 01516 { 01517 ext_len = ( ( buf[38 + n] << 8 ) 01518 | ( buf[39 + n] ) ); 01519 01520 if( ( ext_len > 0 && ext_len < 4 ) || 01521 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 01522 { 01523 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01524 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01525 } 01526 } 01527 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 01528 { 01529 ext_len = 0; 01530 } 01531 else 01532 { 01533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01534 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01535 } 01536 01537 /* ciphersuite (used later) */ 01538 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 01539 01540 /* 01541 * Read and check compression 01542 */ 01543 comp = buf[37 + n]; 01544 01545 #if defined(MBEDTLS_ZLIB_SUPPORT) 01546 /* See comments in ssl_write_client_hello() */ 01547 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01548 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01549 accept_comp = 0; 01550 else 01551 #endif 01552 accept_comp = 1; 01553 01554 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 01555 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 01556 #else /* MBEDTLS_ZLIB_SUPPORT */ 01557 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 01558 #endif/* MBEDTLS_ZLIB_SUPPORT */ 01559 { 01560 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 01561 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01562 } 01563 01564 /* 01565 * Initialize update checksum functions 01566 */ 01567 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 01568 01569 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 01570 { 01571 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01572 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01573 } 01574 01575 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01576 01577 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01578 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 01579 01580 /* 01581 * Check if the session can be resumed 01582 */ 01583 if( ssl->handshake->resume == 0 || n == 0 || 01584 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01585 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 01586 #endif 01587 ssl->session_negotiate->ciphersuite != i || 01588 ssl->session_negotiate->compression != comp || 01589 ssl->session_negotiate->id_len != n || 01590 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 01591 { 01592 ssl->state++; 01593 ssl->handshake->resume = 0; 01594 #if defined(MBEDTLS_HAVE_TIME) 01595 ssl->session_negotiate->start = mbedtls_time( NULL ); 01596 #endif 01597 ssl->session_negotiate->ciphersuite = i; 01598 ssl->session_negotiate->compression = comp; 01599 ssl->session_negotiate->id_len = n; 01600 memcpy( ssl->session_negotiate->id, buf + 35, n ); 01601 } 01602 else 01603 { 01604 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 01605 01606 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 01607 { 01608 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 01609 return( ret ); 01610 } 01611 } 01612 01613 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01614 ssl->handshake->resume ? "a" : "no" ) ); 01615 01616 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 01617 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 01618 01619 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01620 if( suite_info == NULL 01621 #if defined(MBEDTLS_ARC4_C) 01622 || ( ssl->conf->arc4_disabled && 01623 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 01624 #endif 01625 ) 01626 { 01627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01628 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01629 } 01630 01631 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 01632 01633 i = 0; 01634 while( 1 ) 01635 { 01636 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01637 { 01638 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01639 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01640 } 01641 01642 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 01643 ssl->session_negotiate->ciphersuite ) 01644 { 01645 break; 01646 } 01647 } 01648 01649 if( comp != MBEDTLS_SSL_COMPRESS_NULL 01650 #if defined(MBEDTLS_ZLIB_SUPPORT) 01651 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 01652 #endif 01653 ) 01654 { 01655 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01656 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01657 } 01658 ssl->session_negotiate->compression = comp; 01659 01660 ext = buf + 40 + n; 01661 01662 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01663 01664 while( ext_len ) 01665 { 01666 unsigned int ext_id = ( ( ext[0] << 8 ) 01667 | ( ext[1] ) ); 01668 unsigned int ext_size = ( ( ext[2] << 8 ) 01669 | ( ext[3] ) ); 01670 01671 if( ext_size + 4 > ext_len ) 01672 { 01673 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01674 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01675 } 01676 01677 switch( ext_id ) 01678 { 01679 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01680 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01681 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01682 renegotiation_info_seen = 1; 01683 #endif 01684 01685 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01686 ext_size ) ) != 0 ) 01687 return( ret ); 01688 01689 break; 01690 01691 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01692 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01693 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01694 01695 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01696 ext + 4, ext_size ) ) != 0 ) 01697 { 01698 return( ret ); 01699 } 01700 01701 break; 01702 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01703 01704 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01705 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01706 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01707 01708 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01709 ext + 4, ext_size ) ) != 0 ) 01710 { 01711 return( ret ); 01712 } 01713 01714 break; 01715 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01716 01717 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01718 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01719 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 01720 01721 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 01722 ext + 4, ext_size ) ) != 0 ) 01723 { 01724 return( ret ); 01725 } 01726 01727 break; 01728 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01729 01730 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01731 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01732 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 01733 01734 if( ( ret = ssl_parse_extended_ms_ext( ssl, 01735 ext + 4, ext_size ) ) != 0 ) 01736 { 01737 return( ret ); 01738 } 01739 01740 break; 01741 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01742 01743 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01744 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01745 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01746 01747 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01748 ext + 4, ext_size ) ) != 0 ) 01749 { 01750 return( ret ); 01751 } 01752 01753 break; 01754 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01755 01756 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01757 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01758 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01759 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01760 01761 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01762 ext + 4, ext_size ) ) != 0 ) 01763 { 01764 return( ret ); 01765 } 01766 01767 break; 01768 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01769 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01770 01771 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01772 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01773 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 01774 01775 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 01776 ext + 4, ext_size ) ) != 0 ) 01777 { 01778 return( ret ); 01779 } 01780 01781 break; 01782 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01783 01784 #if defined(MBEDTLS_SSL_ALPN) 01785 case MBEDTLS_TLS_EXT_ALPN: 01786 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01787 01788 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01789 return( ret ); 01790 01791 break; 01792 #endif /* MBEDTLS_SSL_ALPN */ 01793 01794 default: 01795 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01796 ext_id ) ); 01797 } 01798 01799 ext_len -= 4 + ext_size; 01800 ext += 4 + ext_size; 01801 01802 if( ext_len > 0 && ext_len < 4 ) 01803 { 01804 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01805 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01806 } 01807 } 01808 01809 /* 01810 * Renegotiation security checks 01811 */ 01812 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01813 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01814 { 01815 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01816 handshake_failure = 1; 01817 } 01818 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01819 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01820 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01821 renegotiation_info_seen == 0 ) 01822 { 01823 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01824 handshake_failure = 1; 01825 } 01826 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01827 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01828 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01829 { 01830 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01831 handshake_failure = 1; 01832 } 01833 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01834 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01835 renegotiation_info_seen == 1 ) 01836 { 01837 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01838 handshake_failure = 1; 01839 } 01840 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01841 01842 if( handshake_failure == 1 ) 01843 { 01844 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01845 return( ret ); 01846 01847 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01848 } 01849 01850 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01851 01852 return( 0 ); 01853 } 01854 01855 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01856 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01857 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 01858 unsigned char *end ) 01859 { 01860 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01861 01862 /* 01863 * Ephemeral DH parameters: 01864 * 01865 * struct { 01866 * opaque dh_p<1..2^16-1>; 01867 * opaque dh_g<1..2^16-1>; 01868 * opaque dh_Ys<1..2^16-1>; 01869 * } ServerDHParams; 01870 */ 01871 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01872 { 01873 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 01874 return( ret ); 01875 } 01876 01877 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 01878 { 01879 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 01880 ssl->handshake->dhm_ctx.len * 8, 01881 ssl->conf->dhm_min_bitlen ) ); 01882 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01883 } 01884 01885 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 01886 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 01887 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 01888 01889 return( ret ); 01890 } 01891 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 01892 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01893 01894 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01895 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01896 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01897 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01898 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01899 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 01900 { 01901 const mbedtls_ecp_curve_info *curve_info; 01902 01903 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 01904 if( curve_info == NULL ) 01905 { 01906 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01907 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01908 } 01909 01910 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 01911 01912 #if defined(MBEDTLS_ECP_C) 01913 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 01914 #else 01915 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 01916 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 01917 #endif 01918 return( -1 ); 01919 01920 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 01921 01922 return( 0 ); 01923 } 01924 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01925 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01926 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 01927 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 01928 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 01929 01930 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01931 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01932 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01933 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 01934 unsigned char **p, 01935 unsigned char *end ) 01936 { 01937 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01938 01939 /* 01940 * Ephemeral ECDH parameters: 01941 * 01942 * struct { 01943 * ECParameters curve_params; 01944 * ECPoint public; 01945 * } ServerECDHParams; 01946 */ 01947 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 01948 (const unsigned char **) p, end ) ) != 0 ) 01949 { 01950 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 01951 return( ret ); 01952 } 01953 01954 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 01955 { 01956 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 01957 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01958 } 01959 01960 return( ret ); 01961 } 01962 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01963 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01964 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01965 01966 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 01967 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 01968 unsigned char **p, 01969 unsigned char *end ) 01970 { 01971 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01972 size_t len; 01973 ((void) ssl); 01974 01975 /* 01976 * PSK parameters: 01977 * 01978 * opaque psk_identity_hint<0..2^16-1>; 01979 */ 01980 len = (*p)[0] << 8 | (*p)[1]; 01981 *p += 2; 01982 01983 if( (*p) + len > end ) 01984 { 01985 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) ); 01986 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01987 } 01988 01989 /* 01990 * Note: we currently ignore the PKS identity hint, as we only allow one 01991 * PSK to be provisionned on the client. This could be changed later if 01992 * someone needs that feature. 01993 */ 01994 *p += len; 01995 ret = 0; 01996 01997 return( ret ); 01998 } 01999 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02000 02001 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 02002 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02003 /* 02004 * Generate a pre-master secret and encrypt it with the server's RSA key 02005 */ 02006 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 02007 size_t offset, size_t *olen, 02008 size_t pms_offset ) 02009 { 02010 int ret; 02011 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 02012 unsigned char *p = ssl->handshake->premaster + pms_offset; 02013 02014 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02015 { 02016 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 02017 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02018 } 02019 02020 /* 02021 * Generate (part of) the pre-master as 02022 * struct { 02023 * ProtocolVersion client_version; 02024 * opaque random[46]; 02025 * } PreMasterSecret; 02026 */ 02027 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 02028 ssl->conf->transport, p ); 02029 02030 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 02031 { 02032 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 02033 return( ret ); 02034 } 02035 02036 ssl->handshake->pmslen = 48; 02037 02038 if( ssl->session_negotiate->peer_cert == NULL ) 02039 { 02040 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02041 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02042 } 02043 02044 /* 02045 * Now write it out, encrypted 02046 */ 02047 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02048 MBEDTLS_PK_RSA ) ) 02049 { 02050 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 02051 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02052 } 02053 02054 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 02055 p, ssl->handshake->pmslen, 02056 ssl->out_msg + offset + len_bytes, olen, 02057 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, 02058 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02059 { 02060 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 02061 return( ret ); 02062 } 02063 02064 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02065 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02066 if( len_bytes == 2 ) 02067 { 02068 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 02069 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 02070 *olen += 2; 02071 } 02072 #endif 02073 02074 return( 0 ); 02075 } 02076 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 02077 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02078 02079 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02080 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02081 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02082 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02083 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 02084 unsigned char **p, 02085 unsigned char *end, 02086 mbedtls_md_type_t *md_alg, 02087 mbedtls_pk_type_t *pk_alg ) 02088 { 02089 ((void) ssl); 02090 *md_alg = MBEDTLS_MD_NONE; 02091 *pk_alg = MBEDTLS_PK_NONE; 02092 02093 /* Only in TLS 1.2 */ 02094 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 02095 { 02096 return( 0 ); 02097 } 02098 02099 if( (*p) + 2 > end ) 02100 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02101 02102 /* 02103 * Get hash algorithm 02104 */ 02105 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 02106 { 02107 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " 02108 "HashAlgorithm %d", *(p)[0] ) ); 02109 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02110 } 02111 02112 /* 02113 * Get signature algorithm 02114 */ 02115 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 02116 { 02117 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " 02118 "SignatureAlgorithm %d", (*p)[1] ) ); 02119 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02120 } 02121 02122 /* 02123 * Check if the hash is acceptable 02124 */ 02125 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 02126 { 02127 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm " 02128 "that was not offered" ) ); 02129 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02130 } 02131 02132 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 02133 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 02134 *p += 2; 02135 02136 return( 0 ); 02137 } 02138 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02139 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02140 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02141 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02142 02143 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02144 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02145 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02146 { 02147 int ret; 02148 const mbedtls_ecp_keypair *peer_key; 02149 02150 if( ssl->session_negotiate->peer_cert == NULL ) 02151 { 02152 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02153 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02154 } 02155 02156 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02157 MBEDTLS_PK_ECKEY ) ) 02158 { 02159 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02160 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02161 } 02162 02163 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 02164 02165 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 02166 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 02167 { 02168 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02169 return( ret ); 02170 } 02171 02172 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02173 { 02174 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 02175 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 02176 } 02177 02178 return( ret ); 02179 } 02180 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02181 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02182 02183 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 02184 { 02185 int ret; 02186 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02187 unsigned char *p, *end; 02188 02189 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 02190 02191 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02192 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02193 { 02194 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02195 ssl->state++; 02196 return( 0 ); 02197 } 02198 ((void) p); 02199 ((void) end); 02200 #endif 02201 02202 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02203 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02204 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02205 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02206 { 02207 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 02208 { 02209 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 02210 return( ret ); 02211 } 02212 02213 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02214 ssl->state++; 02215 return( 0 ); 02216 } 02217 ((void) p); 02218 ((void) end); 02219 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02220 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02221 02222 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02223 { 02224 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02225 return( ret ); 02226 } 02227 02228 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02229 { 02230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02231 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02232 } 02233 02234 /* 02235 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 02236 * doesn't use a psk_identity_hint 02237 */ 02238 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 02239 { 02240 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02241 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02242 { 02243 ssl->record_read = 1; 02244 goto exit; 02245 } 02246 02247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02248 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02249 } 02250 02251 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02252 end = ssl->in_msg + ssl->in_hslen; 02253 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 02254 02255 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02256 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02257 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02258 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02259 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02260 { 02261 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 02262 { 02263 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02264 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02265 } 02266 } /* FALLTROUGH */ 02267 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02268 02269 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02270 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02271 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02272 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02273 ; /* nothing more to do */ 02274 else 02275 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 02276 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02277 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02278 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02279 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02280 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02281 { 02282 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 02283 { 02284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02285 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02286 } 02287 } 02288 else 02289 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02290 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02291 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02292 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02293 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02294 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02295 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02296 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02297 { 02298 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 02299 { 02300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02301 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02302 } 02303 } 02304 else 02305 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02306 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02307 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02308 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02309 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02310 { 02311 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 02312 p, end - p ); 02313 if( ret != 0 ) 02314 { 02315 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 02316 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02317 } 02318 } 02319 else 02320 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02321 { 02322 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02323 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02324 } 02325 02326 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02327 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02328 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02329 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02330 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02331 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02332 { 02333 size_t sig_len, hashlen; 02334 unsigned char hash[64]; 02335 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02336 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 02337 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02338 size_t params_len = p - params; 02339 02340 /* 02341 * Handle the digitally-signed structure 02342 */ 02343 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02344 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02345 { 02346 if( ssl_parse_signature_algorithm( ssl, &p, end, 02347 &md_alg, &pk_alg ) != 0 ) 02348 { 02349 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02350 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02351 } 02352 02353 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 02354 { 02355 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02356 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02357 } 02358 } 02359 else 02360 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02361 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02362 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02363 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 02364 { 02365 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 02366 02367 /* Default hash for ECDSA is SHA-1 */ 02368 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 02369 md_alg = MBEDTLS_MD_SHA1; 02370 } 02371 else 02372 #endif 02373 { 02374 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02375 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02376 } 02377 02378 /* 02379 * Read signature 02380 */ 02381 sig_len = ( p[0] << 8 ) | p[1]; 02382 p += 2; 02383 02384 if( end != p + sig_len ) 02385 { 02386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02387 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02388 } 02389 02390 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 02391 02392 /* 02393 * Compute the hash that has been signed 02394 */ 02395 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02396 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02397 if( md_alg == MBEDTLS_MD_NONE ) 02398 { 02399 mbedtls_md5_context mbedtls_md5; 02400 mbedtls_sha1_context mbedtls_sha1; 02401 02402 mbedtls_md5_init( &mbedtls_md5 ); 02403 mbedtls_sha1_init( &mbedtls_sha1 ); 02404 02405 hashlen = 36; 02406 02407 /* 02408 * digitally-signed struct { 02409 * opaque md5_hash[16]; 02410 * opaque sha_hash[20]; 02411 * }; 02412 * 02413 * md5_hash 02414 * MD5(ClientHello.random + ServerHello.random 02415 * + ServerParams); 02416 * sha_hash 02417 * SHA(ClientHello.random + ServerHello.random 02418 * + ServerParams); 02419 */ 02420 mbedtls_md5_starts( &mbedtls_md5 ); 02421 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); 02422 mbedtls_md5_update( &mbedtls_md5, params, params_len ); 02423 mbedtls_md5_finish( &mbedtls_md5, hash ); 02424 02425 mbedtls_sha1_starts( &mbedtls_sha1 ); 02426 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); 02427 mbedtls_sha1_update( &mbedtls_sha1, params, params_len ); 02428 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); 02429 02430 mbedtls_md5_free( &mbedtls_md5 ); 02431 mbedtls_sha1_free( &mbedtls_sha1 ); 02432 } 02433 else 02434 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02435 MBEDTLS_SSL_PROTO_TLS1_1 */ 02436 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02437 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02438 if( md_alg != MBEDTLS_MD_NONE ) 02439 { 02440 mbedtls_md_context_t ctx; 02441 02442 mbedtls_md_init( &ctx ); 02443 02444 /* Info from md_alg will be used instead */ 02445 hashlen = 0; 02446 02447 /* 02448 * digitally-signed struct { 02449 * opaque client_random[32]; 02450 * opaque server_random[32]; 02451 * ServerDHParams params; 02452 * }; 02453 */ 02454 if( ( ret = mbedtls_md_setup( &ctx, 02455 mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 ) 02456 { 02457 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 02458 return( ret ); 02459 } 02460 02461 mbedtls_md_starts( &ctx ); 02462 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); 02463 mbedtls_md_update( &ctx, params, params_len ); 02464 mbedtls_md_finish( &ctx, hash ); 02465 mbedtls_md_free( &ctx ); 02466 } 02467 else 02468 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02469 MBEDTLS_SSL_PROTO_TLS1_2 */ 02470 { 02471 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02472 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02473 } 02474 02475 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02476 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 02477 02478 if( ssl->session_negotiate->peer_cert == NULL ) 02479 { 02480 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02481 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02482 } 02483 02484 /* 02485 * Verify signature 02486 */ 02487 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 02488 { 02489 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02490 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02491 } 02492 02493 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 02494 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 02495 { 02496 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 02497 return( ret ); 02498 } 02499 } 02500 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02501 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02502 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02503 02504 exit: 02505 ssl->state++; 02506 02507 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02508 02509 return( 0 ); 02510 } 02511 02512 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02513 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02514 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02515 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02516 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02517 { 02518 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02519 02520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02521 02522 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02523 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02524 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02525 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02526 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02527 { 02528 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02529 ssl->state++; 02530 return( 0 ); 02531 } 02532 02533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02534 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02535 } 02536 #else 02537 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02538 { 02539 int ret; 02540 unsigned char *buf; 02541 size_t n = 0; 02542 size_t cert_type_len = 0, dn_len = 0; 02543 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02544 02545 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02546 02547 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02548 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02549 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02550 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02551 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02552 { 02553 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02554 ssl->state++; 02555 return( 0 ); 02556 } 02557 02558 if( ssl->record_read == 0 ) 02559 { 02560 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02561 { 02562 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02563 return( ret ); 02564 } 02565 02566 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02567 { 02568 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02569 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02570 } 02571 02572 ssl->record_read = 1; 02573 } 02574 02575 ssl->client_auth = 0; 02576 ssl->state++; 02577 02578 if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) 02579 ssl->client_auth++; 02580 02581 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 02582 ssl->client_auth ? "a" : "no" ) ); 02583 02584 if( ssl->client_auth == 0 ) 02585 goto exit; 02586 02587 ssl->record_read = 0; 02588 02589 /* 02590 * struct { 02591 * ClientCertificateType certificate_types<1..2^8-1>; 02592 * SignatureAndHashAlgorithm 02593 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 02594 * DistinguishedName certificate_authorities<0..2^16-1>; 02595 * } CertificateRequest; 02596 * 02597 * Since we only support a single certificate on clients, let's just 02598 * ignore all the information that's supposed to help us pick a 02599 * certificate. 02600 * 02601 * We could check that our certificate matches the request, and bail out 02602 * if it doesn't, but it's simpler to just send the certificate anyway, 02603 * and give the server the opportunity to decide if it should terminate 02604 * the connection when it doesn't like our certificate. 02605 * 02606 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 02607 * point we only have one hash available (see comments in 02608 * write_certificate_verify), so let's just use what we have. 02609 * 02610 * However, we still minimally parse the message to check it is at least 02611 * superficially sane. 02612 */ 02613 buf = ssl->in_msg; 02614 02615 /* certificate_types */ 02616 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 02617 n = cert_type_len; 02618 02619 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02620 { 02621 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02622 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02623 } 02624 02625 /* supported_signature_algorithms */ 02626 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02627 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02628 { 02629 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02630 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02631 02632 n += 2 + sig_alg_len; 02633 02634 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02635 { 02636 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02637 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02638 } 02639 } 02640 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02641 02642 /* certificate_authorities */ 02643 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02644 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02645 02646 n += dn_len; 02647 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 02648 { 02649 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02650 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02651 } 02652 02653 exit: 02654 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 02655 02656 return( 0 ); 02657 } 02658 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 02659 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 02660 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02661 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02662 02663 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 02664 { 02665 int ret; 02666 02667 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 02668 02669 if( ssl->record_read == 0 ) 02670 { 02671 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02672 { 02673 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02674 return( ret ); 02675 } 02676 02677 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02678 { 02679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02680 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02681 } 02682 } 02683 ssl->record_read = 0; 02684 02685 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 02686 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 02687 { 02688 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02689 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02690 } 02691 02692 ssl->state++; 02693 02694 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02695 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02696 mbedtls_ssl_recv_flight_completed( ssl ); 02697 #endif 02698 02699 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02700 02701 return( 0 ); 02702 } 02703 02704 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 02705 { 02706 int ret; 02707 size_t i, n; 02708 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02709 02710 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02711 02712 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 02713 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 02714 { 02715 /* 02716 * DHM key exchange -- send G^X mod P 02717 */ 02718 n = ssl->handshake->dhm_ctx.len; 02719 02720 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02721 ssl->out_msg[5] = (unsigned char)( n ); 02722 i = 6; 02723 02724 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02725 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02726 &ssl->out_msg[i], n, 02727 ssl->conf->f_rng, ssl->conf->p_rng ); 02728 if( ret != 0 ) 02729 { 02730 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02731 return( ret ); 02732 } 02733 02734 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02735 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02736 02737 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 02738 ssl->handshake->premaster, 02739 MBEDTLS_PREMASTER_SIZE, 02740 &ssl->handshake->pmslen, 02741 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02742 { 02743 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 02744 return( ret ); 02745 } 02746 02747 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02748 } 02749 else 02750 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02751 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02752 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02753 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02754 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02755 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02756 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 02757 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02758 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02759 { 02760 /* 02761 * ECDH key exchange -- send client public value 02762 */ 02763 i = 4; 02764 02765 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 02766 &n, 02767 &ssl->out_msg[i], 1000, 02768 ssl->conf->f_rng, ssl->conf->p_rng ); 02769 if( ret != 0 ) 02770 { 02771 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02772 return( ret ); 02773 } 02774 02775 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02776 02777 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02778 &ssl->handshake->pmslen, 02779 ssl->handshake->premaster, 02780 MBEDTLS_MPI_MAX_SIZE, 02781 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02782 { 02783 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 02784 return( ret ); 02785 } 02786 02787 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02788 } 02789 else 02790 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02791 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02792 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02793 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02794 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02795 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02796 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02797 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02798 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02799 { 02800 /* 02801 * opaque psk_identity<0..2^16-1>; 02802 */ 02803 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 02804 { 02805 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 02806 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02807 } 02808 02809 i = 4; 02810 n = ssl->conf->psk_identity_len; 02811 02812 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02813 { 02814 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 02815 "SSL buffer too short" ) ); 02816 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02817 } 02818 02819 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02820 ssl->out_msg[i++] = (unsigned char)( n ); 02821 02822 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 02823 i += ssl->conf->psk_identity_len; 02824 02825 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 02826 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 02827 { 02828 n = 0; 02829 } 02830 else 02831 #endif 02832 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02833 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02834 { 02835 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02836 return( ret ); 02837 } 02838 else 02839 #endif 02840 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02841 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02842 { 02843 /* 02844 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02845 */ 02846 n = ssl->handshake->dhm_ctx.len; 02847 02848 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02849 { 02850 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 02851 " or SSL buffer too short" ) ); 02852 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02853 } 02854 02855 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02856 ssl->out_msg[i++] = (unsigned char)( n ); 02857 02858 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02859 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02860 &ssl->out_msg[i], n, 02861 ssl->conf->f_rng, ssl->conf->p_rng ); 02862 if( ret != 0 ) 02863 { 02864 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02865 return( ret ); 02866 } 02867 } 02868 else 02869 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02870 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02871 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02872 { 02873 /* 02874 * ClientECDiffieHellmanPublic public; 02875 */ 02876 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 02877 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, 02878 ssl->conf->f_rng, ssl->conf->p_rng ); 02879 if( ret != 0 ) 02880 { 02881 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02882 return( ret ); 02883 } 02884 02885 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02886 } 02887 else 02888 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02889 { 02890 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02891 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02892 } 02893 02894 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 02895 ciphersuite_info->key_exchange ) ) != 0 ) 02896 { 02897 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 02898 return( ret ); 02899 } 02900 } 02901 else 02902 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02903 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02904 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02905 { 02906 i = 4; 02907 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 02908 return( ret ); 02909 } 02910 else 02911 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02912 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02913 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02914 { 02915 i = 4; 02916 02917 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02918 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, 02919 ssl->conf->f_rng, ssl->conf->p_rng ); 02920 if( ret != 0 ) 02921 { 02922 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02923 return( ret ); 02924 } 02925 02926 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 02927 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 02928 ssl->conf->f_rng, ssl->conf->p_rng ); 02929 if( ret != 0 ) 02930 { 02931 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 02932 return( ret ); 02933 } 02934 } 02935 else 02936 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02937 { 02938 ((void) ciphersuite_info); 02939 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02940 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02941 } 02942 02943 ssl->out_msglen = i + n; 02944 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02945 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 02946 02947 ssl->state++; 02948 02949 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02950 { 02951 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02952 return( ret ); 02953 } 02954 02955 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 02956 02957 return( 0 ); 02958 } 02959 02960 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02961 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02962 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02963 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02964 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 02965 { 02966 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02967 int ret; 02968 02969 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 02970 02971 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 02972 { 02973 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 02974 return( ret ); 02975 } 02976 02977 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02978 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02979 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02980 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02981 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02982 { 02983 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 02984 ssl->state++; 02985 return( 0 ); 02986 } 02987 02988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02989 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02990 } 02991 #else 02992 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 02993 { 02994 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02995 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02996 size_t n = 0, offset = 0; 02997 unsigned char hash[48]; 02998 unsigned char *hash_start = hash; 02999 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 03000 unsigned int hashlen; 03001 03002 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03003 03004 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03005 { 03006 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03007 return( ret ); 03008 } 03009 03010 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03011 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03012 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03013 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03014 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03015 { 03016 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03017 ssl->state++; 03018 return( 0 ); 03019 } 03020 03021 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 03022 { 03023 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03024 ssl->state++; 03025 return( 0 ); 03026 } 03027 03028 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03029 { 03030 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 03031 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03032 } 03033 03034 /* 03035 * Make an RSA signature of the handshake digests 03036 */ 03037 ssl->handshake->calc_verify( ssl, hash ); 03038 03039 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03040 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03041 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03042 { 03043 /* 03044 * digitally-signed struct { 03045 * opaque md5_hash[16]; 03046 * opaque sha_hash[20]; 03047 * }; 03048 * 03049 * md5_hash 03050 * MD5(handshake_messages); 03051 * 03052 * sha_hash 03053 * SHA(handshake_messages); 03054 */ 03055 hashlen = 36; 03056 md_alg = MBEDTLS_MD_NONE; 03057 03058 /* 03059 * For ECDSA, default hash is SHA-1 only 03060 */ 03061 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 03062 { 03063 hash_start += 16; 03064 hashlen -= 16; 03065 md_alg = MBEDTLS_MD_SHA1; 03066 } 03067 } 03068 else 03069 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03070 MBEDTLS_SSL_PROTO_TLS1_1 */ 03071 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03072 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03073 { 03074 /* 03075 * digitally-signed struct { 03076 * opaque handshake_messages[handshake_messages_length]; 03077 * }; 03078 * 03079 * Taking shortcut here. We assume that the server always allows the 03080 * PRF Hash function and has sent it in the allowed signature 03081 * algorithms list received in the Certificate Request message. 03082 * 03083 * Until we encounter a server that does not, we will take this 03084 * shortcut. 03085 * 03086 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 03087 * in order to satisfy 'weird' needs from the server side. 03088 */ 03089 if( ssl->transform_negotiate->ciphersuite_info->mac == 03090 MBEDTLS_MD_SHA384 ) 03091 { 03092 md_alg = MBEDTLS_MD_SHA384; 03093 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 03094 } 03095 else 03096 { 03097 md_alg = MBEDTLS_MD_SHA256; 03098 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 03099 } 03100 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 03101 03102 /* Info from md_alg will be used instead */ 03103 hashlen = 0; 03104 offset = 2; 03105 } 03106 else 03107 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03108 { 03109 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03110 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03111 } 03112 03113 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 03114 ssl->out_msg + 6 + offset, &n, 03115 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03116 { 03117 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03118 return( ret ); 03119 } 03120 03121 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 03122 ssl->out_msg[5 + offset] = (unsigned char)( n ); 03123 03124 ssl->out_msglen = 6 + n + offset; 03125 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03126 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 03127 03128 ssl->state++; 03129 03130 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03131 { 03132 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03133 return( ret ); 03134 } 03135 03136 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 03137 03138 return( ret ); 03139 } 03140 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03141 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03142 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ 03143 03144 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03145 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 03146 { 03147 int ret; 03148 uint32_t lifetime; 03149 size_t ticket_len; 03150 unsigned char *ticket; 03151 const unsigned char *msg; 03152 03153 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 03154 03155 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03156 { 03157 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03158 return( ret ); 03159 } 03160 03161 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03162 { 03163 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03164 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03165 } 03166 03167 /* 03168 * struct { 03169 * uint32 ticket_lifetime_hint; 03170 * opaque ticket<0..2^16-1>; 03171 * } NewSessionTicket; 03172 * 03173 * 0 . 3 ticket_lifetime_hint 03174 * 4 . 5 ticket_len (n) 03175 * 6 . 5+n ticket content 03176 */ 03177 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 03178 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 03179 { 03180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03181 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03182 } 03183 03184 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03185 03186 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | 03187 ( msg[2] << 8 ) | ( msg[3] ); 03188 03189 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 03190 03191 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 03192 { 03193 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03194 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03195 } 03196 03197 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 03198 03199 /* We're not waiting for a NewSessionTicket message any more */ 03200 ssl->handshake->new_session_ticket = 0; 03201 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 03202 03203 /* 03204 * Zero-length ticket means the server changed his mind and doesn't want 03205 * to send a ticket after all, so just forget it 03206 */ 03207 if( ticket_len == 0 ) 03208 return( 0 ); 03209 03210 mbedtls_zeroize( ssl->session_negotiate->ticket, 03211 ssl->session_negotiate->ticket_len ); 03212 mbedtls_free( ssl->session_negotiate->ticket ); 03213 ssl->session_negotiate->ticket = NULL; 03214 ssl->session_negotiate->ticket_len = 0; 03215 03216 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 03217 { 03218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 03219 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03220 } 03221 03222 memcpy( ticket, msg + 6, ticket_len ); 03223 03224 ssl->session_negotiate->ticket = ticket; 03225 ssl->session_negotiate->ticket_len = ticket_len; 03226 ssl->session_negotiate->ticket_lifetime = lifetime; 03227 03228 /* 03229 * RFC 5077 section 3.4: 03230 * "If the client receives a session ticket from the server, then it 03231 * discards any Session ID that was sent in the ServerHello." 03232 */ 03233 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 03234 ssl->session_negotiate->id_len = 0; 03235 03236 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 03237 03238 return( 0 ); 03239 } 03240 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03241 03242 /* 03243 * SSL handshake -- client side -- single step 03244 */ 03245 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 03246 { 03247 int ret = 0; 03248 03249 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03250 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03251 03252 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 03253 03254 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03255 return( ret ); 03256 03257 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03258 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03259 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03260 { 03261 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03262 return( ret ); 03263 } 03264 #endif 03265 03266 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 03267 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 03268 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03269 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 03270 ssl->handshake->new_session_ticket != 0 ) 03271 { 03272 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 03273 } 03274 #endif 03275 03276 switch( ssl->state ) 03277 { 03278 case MBEDTLS_SSL_HELLO_REQUEST: 03279 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03280 break; 03281 03282 /* 03283 * ==> ClientHello 03284 */ 03285 case MBEDTLS_SSL_CLIENT_HELLO: 03286 ret = ssl_write_client_hello( ssl ); 03287 break; 03288 03289 /* 03290 * <== ServerHello 03291 * Certificate 03292 * ( ServerKeyExchange ) 03293 * ( CertificateRequest ) 03294 * ServerHelloDone 03295 */ 03296 case MBEDTLS_SSL_SERVER_HELLO: 03297 ret = ssl_parse_server_hello( ssl ); 03298 break; 03299 03300 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03301 ret = mbedtls_ssl_parse_certificate( ssl ); 03302 break; 03303 03304 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03305 ret = ssl_parse_server_key_exchange( ssl ); 03306 break; 03307 03308 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03309 ret = ssl_parse_certificate_request( ssl ); 03310 break; 03311 03312 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03313 ret = ssl_parse_server_hello_done( ssl ); 03314 break; 03315 03316 /* 03317 * ==> ( Certificate/Alert ) 03318 * ClientKeyExchange 03319 * ( CertificateVerify ) 03320 * ChangeCipherSpec 03321 * Finished 03322 */ 03323 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03324 ret = mbedtls_ssl_write_certificate( ssl ); 03325 break; 03326 03327 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03328 ret = ssl_write_client_key_exchange( ssl ); 03329 break; 03330 03331 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03332 ret = ssl_write_certificate_verify( ssl ); 03333 break; 03334 03335 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03336 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 03337 break; 03338 03339 case MBEDTLS_SSL_CLIENT_FINISHED: 03340 ret = mbedtls_ssl_write_finished( ssl ); 03341 break; 03342 03343 /* 03344 * <== ( NewSessionTicket ) 03345 * ChangeCipherSpec 03346 * Finished 03347 */ 03348 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03349 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 03350 ret = ssl_parse_new_session_ticket( ssl ); 03351 break; 03352 #endif 03353 03354 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 03355 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 03356 break; 03357 03358 case MBEDTLS_SSL_SERVER_FINISHED: 03359 ret = mbedtls_ssl_parse_finished( ssl ); 03360 break; 03361 03362 case MBEDTLS_SSL_FLUSH_BUFFERS: 03363 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03364 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 03365 break; 03366 03367 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 03368 mbedtls_ssl_handshake_wrapup( ssl ); 03369 break; 03370 03371 default: 03372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03373 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03374 } 03375 03376 return( ret ); 03377 } 03378 #endif /* MBEDTLS_SSL_CLI_C */
Generated on Tue Jul 12 2022 20:52:41 by
1.7.2