Jan Korycan
/
WNCInterface
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependencies: WncControllerK64F
Fork of
WNCInterface
by 
Jan Korycan
Embed:
(wiki syntax)
Show/hide line numbers
ssl_tls.c
00001 /* 00002 * SSLv3/TLSv1 shared functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The SSL 3.0 specification was drafted by Netscape in 1996, 00023 * and became an IETF standard in 1999. 00024 * 00025 * http://wp.netscape.com/eng/ssl3/ 00026 * http://www.ietf.org/rfc/rfc2246.txt 00027 * http://www.ietf.org/rfc/rfc4346.txt 00028 */ 00029 00030 #if !defined(MBEDTLS_CONFIG_FILE) 00031 #include "mbedtls/config.h" 00032 #else 00033 #include MBEDTLS_CONFIG_FILE 00034 #endif 00035 00036 #if defined(MBEDTLS_SSL_TLS_C) 00037 00038 #if defined(MBEDTLS_PLATFORM_C) 00039 #include "mbedtls/platform.h" 00040 #else 00041 #include <stdlib.h> 00042 #define mbedtls_calloc calloc 00043 #define mbedtls_free free 00044 #endif 00045 00046 #include "mbedtls/debug.h" 00047 #include "mbedtls/ssl.h" 00048 #include "mbedtls/ssl_internal.h" 00049 00050 #include <string.h> 00051 00052 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 00053 defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 00054 #include "mbedtls/oid.h" 00055 #endif 00056 00057 /* Implementation that should never be optimized out by the compiler */ 00058 static void mbedtls_zeroize( void *v, size_t n ) { 00059 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00060 } 00061 00062 /* Length of the "epoch" field in the record header */ 00063 static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl ) 00064 { 00065 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00066 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00067 return( 2 ); 00068 #else 00069 ((void) ssl); 00070 #endif 00071 return( 0 ); 00072 } 00073 00074 /* 00075 * Start a timer. 00076 * Passing millisecs = 0 cancels a running timer. 00077 */ 00078 static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs ) 00079 { 00080 if( ssl->f_set_timer == NULL ) 00081 return; 00082 00083 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) ); 00084 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs ); 00085 } 00086 00087 /* 00088 * Return -1 is timer is expired, 0 if it isn't. 00089 */ 00090 static int ssl_check_timer( mbedtls_ssl_context *ssl ) 00091 { 00092 if( ssl->f_get_timer == NULL ) 00093 return( 0 ); 00094 00095 if( ssl->f_get_timer( ssl->p_timer ) == 2 ) 00096 { 00097 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) ); 00098 return( -1 ); 00099 } 00100 00101 return( 0 ); 00102 } 00103 00104 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00105 /* 00106 * Double the retransmit timeout value, within the allowed range, 00107 * returning -1 if the maximum value has already been reached. 00108 */ 00109 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) 00110 { 00111 uint32_t new_timeout; 00112 00113 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) 00114 return( -1 ); 00115 00116 new_timeout = 2 * ssl->handshake->retransmit_timeout; 00117 00118 /* Avoid arithmetic overflow and range overflow */ 00119 if( new_timeout < ssl->handshake->retransmit_timeout || 00120 new_timeout > ssl->conf->hs_timeout_max ) 00121 { 00122 new_timeout = ssl->conf->hs_timeout_max; 00123 } 00124 00125 ssl->handshake->retransmit_timeout = new_timeout; 00126 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00127 ssl->handshake->retransmit_timeout ) ); 00128 00129 return( 0 ); 00130 } 00131 00132 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) 00133 { 00134 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; 00135 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00136 ssl->handshake->retransmit_timeout ) ); 00137 } 00138 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 00139 00140 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00141 /* 00142 * Convert max_fragment_length codes to length. 00143 * RFC 6066 says: 00144 * enum{ 00145 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) 00146 * } MaxFragmentLength; 00147 * and we add 0 -> extension unused 00148 */ 00149 static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] = 00150 { 00151 MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */ 00152 512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */ 00153 1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */ 00154 2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */ 00155 4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */ 00156 }; 00157 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00158 00159 #if defined(MBEDTLS_SSL_CLI_C) 00160 static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src ) 00161 { 00162 mbedtls_ssl_session_free( dst ); 00163 memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); 00164 00165 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00166 if( src->peer_cert != NULL ) 00167 { 00168 int ret; 00169 00170 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) ); 00171 if( dst->peer_cert == NULL ) 00172 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00173 00174 mbedtls_x509_crt_init( dst->peer_cert ); 00175 00176 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p, 00177 src->peer_cert->raw.len ) ) != 0 ) 00178 { 00179 mbedtls_free( dst->peer_cert ); 00180 dst->peer_cert = NULL; 00181 return( ret ); 00182 } 00183 } 00184 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00185 00186 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 00187 if( src->ticket != NULL ) 00188 { 00189 dst->ticket = mbedtls_calloc( 1, src->ticket_len ); 00190 if( dst->ticket == NULL ) 00191 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00192 00193 memcpy( dst->ticket, src->ticket, src->ticket_len ); 00194 } 00195 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 00196 00197 return( 0 ); 00198 } 00199 #endif /* MBEDTLS_SSL_CLI_C */ 00200 00201 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00202 int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl, 00203 const unsigned char *key_enc, const unsigned char *key_dec, 00204 size_t keylen, 00205 const unsigned char *iv_enc, const unsigned char *iv_dec, 00206 size_t ivlen, 00207 const unsigned char *mac_enc, const unsigned char *mac_dec, 00208 size_t maclen ) = NULL; 00209 int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL; 00210 int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL; 00211 int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL; 00212 int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL; 00213 int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL; 00214 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00215 00216 /* 00217 * Key material generation 00218 */ 00219 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00220 static int ssl3_prf( const unsigned char *secret, size_t slen, 00221 const char *label, 00222 const unsigned char *random, size_t rlen, 00223 unsigned char *dstbuf, size_t dlen ) 00224 { 00225 size_t i; 00226 mbedtls_md5_context md5; 00227 mbedtls_sha1_context sha1; 00228 unsigned char padding[16]; 00229 unsigned char sha1sum[20]; 00230 ((void)label); 00231 00232 mbedtls_md5_init( &md5 ); 00233 mbedtls_sha1_init( &sha1 ); 00234 00235 /* 00236 * SSLv3: 00237 * block = 00238 * MD5( secret + SHA1( 'A' + secret + random ) ) + 00239 * MD5( secret + SHA1( 'BB' + secret + random ) ) + 00240 * MD5( secret + SHA1( 'CCC' + secret + random ) ) + 00241 * ... 00242 */ 00243 for( i = 0; i < dlen / 16; i++ ) 00244 { 00245 memset( padding, (unsigned char) ('A' + i), 1 + i ); 00246 00247 mbedtls_sha1_starts( &sha1 ); 00248 mbedtls_sha1_update( &sha1, padding, 1 + i ); 00249 mbedtls_sha1_update( &sha1, secret, slen ); 00250 mbedtls_sha1_update( &sha1, random, rlen ); 00251 mbedtls_sha1_finish( &sha1, sha1sum ); 00252 00253 mbedtls_md5_starts( &md5 ); 00254 mbedtls_md5_update( &md5, secret, slen ); 00255 mbedtls_md5_update( &md5, sha1sum, 20 ); 00256 mbedtls_md5_finish( &md5, dstbuf + i * 16 ); 00257 } 00258 00259 mbedtls_md5_free( &md5 ); 00260 mbedtls_sha1_free( &sha1 ); 00261 00262 mbedtls_zeroize( padding, sizeof( padding ) ); 00263 mbedtls_zeroize( sha1sum, sizeof( sha1sum ) ); 00264 00265 return( 0 ); 00266 } 00267 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00268 00269 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00270 static int tls1_prf( const unsigned char *secret, size_t slen, 00271 const char *label, 00272 const unsigned char *random, size_t rlen, 00273 unsigned char *dstbuf, size_t dlen ) 00274 { 00275 size_t nb, hs; 00276 size_t i, j, k; 00277 const unsigned char *S1, *S2; 00278 unsigned char tmp[128]; 00279 unsigned char h_i[20]; 00280 const mbedtls_md_info_t *md_info; 00281 mbedtls_md_context_t md_ctx; 00282 int ret; 00283 00284 mbedtls_md_init( &md_ctx ); 00285 00286 if( sizeof( tmp ) < 20 + strlen( label ) + rlen ) 00287 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00288 00289 hs = ( slen + 1 ) / 2; 00290 S1 = secret; 00291 S2 = secret + slen - hs; 00292 00293 nb = strlen( label ); 00294 memcpy( tmp + 20, label, nb ); 00295 memcpy( tmp + 20 + nb, random, rlen ); 00296 nb += rlen; 00297 00298 /* 00299 * First compute P_md5(secret,label+random)[0..dlen] 00300 */ 00301 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL ) 00302 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00303 00304 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00305 return( ret ); 00306 00307 mbedtls_md_hmac_starts( &md_ctx, S1, hs ); 00308 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00309 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00310 00311 for( i = 0; i < dlen; i += 16 ) 00312 { 00313 mbedtls_md_hmac_reset ( &md_ctx ); 00314 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb ); 00315 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00316 00317 mbedtls_md_hmac_reset ( &md_ctx ); 00318 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 ); 00319 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00320 00321 k = ( i + 16 > dlen ) ? dlen % 16 : 16; 00322 00323 for( j = 0; j < k; j++ ) 00324 dstbuf[i + j] = h_i[j]; 00325 } 00326 00327 mbedtls_md_free( &md_ctx ); 00328 00329 /* 00330 * XOR out with P_sha1(secret,label+random)[0..dlen] 00331 */ 00332 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL ) 00333 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00334 00335 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00336 return( ret ); 00337 00338 mbedtls_md_hmac_starts( &md_ctx, S2, hs ); 00339 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00340 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00341 00342 for( i = 0; i < dlen; i += 20 ) 00343 { 00344 mbedtls_md_hmac_reset ( &md_ctx ); 00345 mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb ); 00346 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00347 00348 mbedtls_md_hmac_reset ( &md_ctx ); 00349 mbedtls_md_hmac_update( &md_ctx, tmp, 20 ); 00350 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00351 00352 k = ( i + 20 > dlen ) ? dlen % 20 : 20; 00353 00354 for( j = 0; j < k; j++ ) 00355 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] ); 00356 } 00357 00358 mbedtls_md_free( &md_ctx ); 00359 00360 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00361 mbedtls_zeroize( h_i, sizeof( h_i ) ); 00362 00363 return( 0 ); 00364 } 00365 #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ 00366 00367 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00368 static int tls_prf_generic( mbedtls_md_type_t md_type, 00369 const unsigned char *secret, size_t slen, 00370 const char *label, 00371 const unsigned char *random, size_t rlen, 00372 unsigned char *dstbuf, size_t dlen ) 00373 { 00374 size_t nb; 00375 size_t i, j, k, md_len; 00376 unsigned char tmp[128]; 00377 unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; 00378 const mbedtls_md_info_t *md_info; 00379 mbedtls_md_context_t md_ctx; 00380 int ret; 00381 00382 mbedtls_md_init( &md_ctx ); 00383 00384 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL ) 00385 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00386 00387 md_len = mbedtls_md_get_size( md_info ); 00388 00389 if( sizeof( tmp ) < md_len + strlen( label ) + rlen ) 00390 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00391 00392 nb = strlen( label ); 00393 memcpy( tmp + md_len, label, nb ); 00394 memcpy( tmp + md_len + nb, random, rlen ); 00395 nb += rlen; 00396 00397 /* 00398 * Compute P_<hash>(secret, label + random)[0..dlen] 00399 */ 00400 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00401 return( ret ); 00402 00403 mbedtls_md_hmac_starts( &md_ctx, secret, slen ); 00404 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb ); 00405 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00406 00407 for( i = 0; i < dlen; i += md_len ) 00408 { 00409 mbedtls_md_hmac_reset ( &md_ctx ); 00410 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb ); 00411 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00412 00413 mbedtls_md_hmac_reset ( &md_ctx ); 00414 mbedtls_md_hmac_update( &md_ctx, tmp, md_len ); 00415 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00416 00417 k = ( i + md_len > dlen ) ? dlen % md_len : md_len; 00418 00419 for( j = 0; j < k; j++ ) 00420 dstbuf[i + j] = h_i[j]; 00421 } 00422 00423 mbedtls_md_free( &md_ctx ); 00424 00425 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00426 mbedtls_zeroize( h_i, sizeof( h_i ) ); 00427 00428 return( 0 ); 00429 } 00430 00431 #if defined(MBEDTLS_SHA256_C) 00432 static int tls_prf_sha256( const unsigned char *secret, size_t slen, 00433 const char *label, 00434 const unsigned char *random, size_t rlen, 00435 unsigned char *dstbuf, size_t dlen ) 00436 { 00437 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen, 00438 label, random, rlen, dstbuf, dlen ) ); 00439 } 00440 #endif /* MBEDTLS_SHA256_C */ 00441 00442 #if defined(MBEDTLS_SHA512_C) 00443 static int tls_prf_sha384( const unsigned char *secret, size_t slen, 00444 const char *label, 00445 const unsigned char *random, size_t rlen, 00446 unsigned char *dstbuf, size_t dlen ) 00447 { 00448 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen, 00449 label, random, rlen, dstbuf, dlen ) ); 00450 } 00451 #endif /* MBEDTLS_SHA512_C */ 00452 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00453 00454 static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); 00455 00456 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 00457 defined(MBEDTLS_SSL_PROTO_TLS1_1) 00458 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t ); 00459 #endif 00460 00461 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00462 static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * ); 00463 static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int ); 00464 #endif 00465 00466 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00467 static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * ); 00468 static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int ); 00469 #endif 00470 00471 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00472 #if defined(MBEDTLS_SHA256_C) 00473 static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); 00474 static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * ); 00475 static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int ); 00476 #endif 00477 00478 #if defined(MBEDTLS_SHA512_C) 00479 static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t ); 00480 static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * ); 00481 static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int ); 00482 #endif 00483 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00484 00485 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) 00486 { 00487 int ret = 0; 00488 unsigned char tmp[64]; 00489 unsigned char keyblk[256]; 00490 unsigned char *key1; 00491 unsigned char *key2; 00492 unsigned char *mac_enc; 00493 unsigned char *mac_dec; 00494 size_t iv_copy_len; 00495 const mbedtls_cipher_info_t *cipher_info; 00496 const mbedtls_md_info_t *md_info; 00497 00498 mbedtls_ssl_session *session = ssl->session_negotiate; 00499 mbedtls_ssl_transform *transform = ssl->transform_negotiate; 00500 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 00501 00502 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) ); 00503 00504 cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher ); 00505 if( cipher_info == NULL ) 00506 { 00507 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found", 00508 transform->ciphersuite_info->cipher ) ); 00509 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00510 } 00511 00512 md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac ); 00513 if( md_info == NULL ) 00514 { 00515 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found", 00516 transform->ciphersuite_info->mac ) ); 00517 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00518 } 00519 00520 /* 00521 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions 00522 */ 00523 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00524 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00525 { 00526 handshake->tls_prf = ssl3_prf; 00527 handshake->calc_verify = ssl_calc_verify_ssl; 00528 handshake->calc_finished = ssl_calc_finished_ssl; 00529 } 00530 else 00531 #endif 00532 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00533 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 00534 { 00535 handshake->tls_prf = tls1_prf; 00536 handshake->calc_verify = ssl_calc_verify_tls; 00537 handshake->calc_finished = ssl_calc_finished_tls; 00538 } 00539 else 00540 #endif 00541 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00542 #if defined(MBEDTLS_SHA512_C) 00543 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && 00544 transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 00545 { 00546 handshake->tls_prf = tls_prf_sha384; 00547 handshake->calc_verify = ssl_calc_verify_tls_sha384; 00548 handshake->calc_finished = ssl_calc_finished_tls_sha384; 00549 } 00550 else 00551 #endif 00552 #if defined(MBEDTLS_SHA256_C) 00553 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00554 { 00555 handshake->tls_prf = tls_prf_sha256; 00556 handshake->calc_verify = ssl_calc_verify_tls_sha256; 00557 handshake->calc_finished = ssl_calc_finished_tls_sha256; 00558 } 00559 else 00560 #endif 00561 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00562 { 00563 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00564 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00565 } 00566 00567 /* 00568 * SSLv3: 00569 * master = 00570 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) + 00571 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) + 00572 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) ) 00573 * 00574 * TLSv1+: 00575 * master = PRF( premaster, "master secret", randbytes )[0..47] 00576 */ 00577 if( handshake->resume == 0 ) 00578 { 00579 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster, 00580 handshake->pmslen ); 00581 00582 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00583 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED ) 00584 { 00585 unsigned char session_hash[48]; 00586 size_t hash_len; 00587 00588 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) ); 00589 00590 ssl->handshake->calc_verify( ssl, session_hash ); 00591 00592 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00593 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00594 { 00595 #if defined(MBEDTLS_SHA512_C) 00596 if( ssl->transform_negotiate->ciphersuite_info->mac == 00597 MBEDTLS_MD_SHA384 ) 00598 { 00599 hash_len = 48; 00600 } 00601 else 00602 #endif 00603 hash_len = 32; 00604 } 00605 else 00606 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00607 hash_len = 36; 00608 00609 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len ); 00610 00611 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00612 "extended master secret", 00613 session_hash, hash_len, 00614 session->master, 48 ); 00615 if( ret != 0 ) 00616 { 00617 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00618 return( ret ); 00619 } 00620 00621 } 00622 else 00623 #endif 00624 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00625 "master secret", 00626 handshake->randbytes, 64, 00627 session->master, 48 ); 00628 if( ret != 0 ) 00629 { 00630 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00631 return( ret ); 00632 } 00633 00634 mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) ); 00635 } 00636 else 00637 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) ); 00638 00639 /* 00640 * Swap the client and server random values. 00641 */ 00642 memcpy( tmp, handshake->randbytes, 64 ); 00643 memcpy( handshake->randbytes, tmp + 32, 32 ); 00644 memcpy( handshake->randbytes + 32, tmp, 32 ); 00645 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00646 00647 /* 00648 * SSLv3: 00649 * key block = 00650 * MD5( master + SHA1( 'A' + master + randbytes ) ) + 00651 * MD5( master + SHA1( 'BB' + master + randbytes ) ) + 00652 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) + 00653 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) + 00654 * ... 00655 * 00656 * TLSv1: 00657 * key block = PRF( master, "key expansion", randbytes ) 00658 */ 00659 ret = handshake->tls_prf( session->master, 48, "key expansion", 00660 handshake->randbytes, 64, keyblk, 256 ); 00661 if( ret != 0 ) 00662 { 00663 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00664 return( ret ); 00665 } 00666 00667 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", 00668 mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) ); 00669 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 ); 00670 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 ); 00671 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 ); 00672 00673 mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) ); 00674 00675 /* 00676 * Determine the appropriate key, IV and MAC length. 00677 */ 00678 00679 transform->keylen = cipher_info->key_bitlen / 8; 00680 00681 if( cipher_info->mode == MBEDTLS_MODE_GCM || 00682 cipher_info->mode == MBEDTLS_MODE_CCM ) 00683 { 00684 transform->maclen = 0; 00685 00686 transform->ivlen = 12; 00687 transform->fixed_ivlen = 4; 00688 00689 /* Minimum length is expicit IV + tag */ 00690 transform->minlen = transform->ivlen - transform->fixed_ivlen 00691 + ( transform->ciphersuite_info->flags & 00692 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 ); 00693 } 00694 else 00695 { 00696 /* Initialize HMAC contexts */ 00697 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 || 00698 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 ) 00699 { 00700 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 00701 return( ret ); 00702 } 00703 00704 /* Get MAC length */ 00705 transform->maclen = mbedtls_md_get_size( md_info ); 00706 00707 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00708 /* 00709 * If HMAC is to be truncated, we shall keep the leftmost bytes, 00710 * (rfc 6066 page 13 or rfc 2104 section 4), 00711 * so we only need to adjust the length here. 00712 */ 00713 if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00714 transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN; 00715 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00716 00717 /* IV length */ 00718 transform->ivlen = cipher_info->iv_size; 00719 00720 /* Minimum length */ 00721 if( cipher_info->mode == MBEDTLS_MODE_STREAM ) 00722 transform->minlen = transform->maclen; 00723 else 00724 { 00725 /* 00726 * GenericBlockCipher: 00727 * 1. if EtM is in use: one block plus MAC 00728 * otherwise: * first multiple of blocklen greater than maclen 00729 * 2. IV except for SSL3 and TLS 1.0 00730 */ 00731 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00732 if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 00733 { 00734 transform->minlen = transform->maclen 00735 + cipher_info->block_size; 00736 } 00737 else 00738 #endif 00739 { 00740 transform->minlen = transform->maclen 00741 + cipher_info->block_size 00742 - transform->maclen % cipher_info->block_size; 00743 } 00744 00745 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 00746 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 00747 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 ) 00748 ; /* No need to adjust minlen */ 00749 else 00750 #endif 00751 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 00752 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 || 00753 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00754 { 00755 transform->minlen += transform->ivlen; 00756 } 00757 else 00758 #endif 00759 { 00760 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00761 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00762 } 00763 } 00764 } 00765 00766 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d", 00767 transform->keylen, transform->minlen, transform->ivlen, 00768 transform->maclen ) ); 00769 00770 /* 00771 * Finally setup the cipher contexts, IVs and MAC secrets. 00772 */ 00773 #if defined(MBEDTLS_SSL_CLI_C) 00774 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 00775 { 00776 key1 = keyblk + transform->maclen * 2; 00777 key2 = keyblk + transform->maclen * 2 + transform->keylen; 00778 00779 mac_enc = keyblk; 00780 mac_dec = keyblk + transform->maclen; 00781 00782 /* 00783 * This is not used in TLS v1.1. 00784 */ 00785 iv_copy_len = ( transform->fixed_ivlen ) ? 00786 transform->fixed_ivlen : transform->ivlen; 00787 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len ); 00788 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len, 00789 iv_copy_len ); 00790 } 00791 else 00792 #endif /* MBEDTLS_SSL_CLI_C */ 00793 #if defined(MBEDTLS_SSL_SRV_C) 00794 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 00795 { 00796 key1 = keyblk + transform->maclen * 2 + transform->keylen; 00797 key2 = keyblk + transform->maclen * 2; 00798 00799 mac_enc = keyblk + transform->maclen; 00800 mac_dec = keyblk; 00801 00802 /* 00803 * This is not used in TLS v1.1. 00804 */ 00805 iv_copy_len = ( transform->fixed_ivlen ) ? 00806 transform->fixed_ivlen : transform->ivlen; 00807 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len ); 00808 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len, 00809 iv_copy_len ); 00810 } 00811 else 00812 #endif /* MBEDTLS_SSL_SRV_C */ 00813 { 00814 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00815 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00816 } 00817 00818 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00819 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00820 { 00821 if( transform->maclen > sizeof transform->mac_enc ) 00822 { 00823 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00824 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00825 } 00826 00827 memcpy( transform->mac_enc, mac_enc, transform->maclen ); 00828 memcpy( transform->mac_dec, mac_dec, transform->maclen ); 00829 } 00830 else 00831 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00832 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 00833 defined(MBEDTLS_SSL_PROTO_TLS1_2) 00834 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 00835 { 00836 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen ); 00837 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen ); 00838 } 00839 else 00840 #endif 00841 { 00842 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00843 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00844 } 00845 00846 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00847 if( mbedtls_ssl_hw_record_init != NULL ) 00848 { 00849 int ret = 0; 00850 00851 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) ); 00852 00853 if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen, 00854 transform->iv_enc, transform->iv_dec, 00855 iv_copy_len, 00856 mac_enc, mac_dec, 00857 transform->maclen ) ) != 0 ) 00858 { 00859 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret ); 00860 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 00861 } 00862 } 00863 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00864 00865 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 00866 if( ssl->conf->f_export_keys != NULL ) 00867 { 00868 ssl->conf->f_export_keys( ssl->conf->p_export_keys, 00869 session->master, keyblk, 00870 transform->maclen, transform->keylen, 00871 iv_copy_len ); 00872 } 00873 #endif 00874 00875 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, 00876 cipher_info ) ) != 0 ) 00877 { 00878 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00879 return( ret ); 00880 } 00881 00882 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec, 00883 cipher_info ) ) != 0 ) 00884 { 00885 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00886 return( ret ); 00887 } 00888 00889 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1, 00890 cipher_info->key_bitlen, 00891 MBEDTLS_ENCRYPT ) ) != 0 ) 00892 { 00893 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00894 return( ret ); 00895 } 00896 00897 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2, 00898 cipher_info->key_bitlen, 00899 MBEDTLS_DECRYPT ) ) != 0 ) 00900 { 00901 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00902 return( ret ); 00903 } 00904 00905 #if defined(MBEDTLS_CIPHER_MODE_CBC) 00906 if( cipher_info->mode == MBEDTLS_MODE_CBC ) 00907 { 00908 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc, 00909 MBEDTLS_PADDING_NONE ) ) != 0 ) 00910 { 00911 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00912 return( ret ); 00913 } 00914 00915 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec, 00916 MBEDTLS_PADDING_NONE ) ) != 0 ) 00917 { 00918 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00919 return( ret ); 00920 } 00921 } 00922 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 00923 00924 mbedtls_zeroize( keyblk, sizeof( keyblk ) ); 00925 00926 #if defined(MBEDTLS_ZLIB_SUPPORT) 00927 // Initialize compression 00928 // 00929 if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 00930 { 00931 if( ssl->compress_buf == NULL ) 00932 { 00933 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) ); 00934 ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN ); 00935 if( ssl->compress_buf == NULL ) 00936 { 00937 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 00938 MBEDTLS_SSL_BUFFER_LEN ) ); 00939 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00940 } 00941 } 00942 00943 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) ); 00944 00945 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) ); 00946 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) ); 00947 00948 if( deflateInit( &transform->ctx_deflate, 00949 Z_DEFAULT_COMPRESSION ) != Z_OK || 00950 inflateInit( &transform->ctx_inflate ) != Z_OK ) 00951 { 00952 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) ); 00953 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 00954 } 00955 } 00956 #endif /* MBEDTLS_ZLIB_SUPPORT */ 00957 00958 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) ); 00959 00960 return( 0 ); 00961 } 00962 00963 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00964 void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 00965 { 00966 mbedtls_md5_context md5; 00967 mbedtls_sha1_context sha1; 00968 unsigned char pad_1[48]; 00969 unsigned char pad_2[48]; 00970 00971 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) ); 00972 00973 mbedtls_md5_init( &md5 ); 00974 mbedtls_sha1_init( &sha1 ); 00975 00976 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 00977 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 00978 00979 memset( pad_1, 0x36, 48 ); 00980 memset( pad_2, 0x5C, 48 ); 00981 00982 mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 ); 00983 mbedtls_md5_update( &md5, pad_1, 48 ); 00984 mbedtls_md5_finish( &md5, hash ); 00985 00986 mbedtls_md5_starts( &md5 ); 00987 mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 ); 00988 mbedtls_md5_update( &md5, pad_2, 48 ); 00989 mbedtls_md5_update( &md5, hash, 16 ); 00990 mbedtls_md5_finish( &md5, hash ); 00991 00992 mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 ); 00993 mbedtls_sha1_update( &sha1, pad_1, 40 ); 00994 mbedtls_sha1_finish( &sha1, hash + 16 ); 00995 00996 mbedtls_sha1_starts( &sha1 ); 00997 mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 ); 00998 mbedtls_sha1_update( &sha1, pad_2, 40 ); 00999 mbedtls_sha1_update( &sha1, hash + 16, 20 ); 01000 mbedtls_sha1_finish( &sha1, hash + 16 ); 01001 01002 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01003 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01004 01005 mbedtls_md5_free( &md5 ); 01006 mbedtls_sha1_free( &sha1 ); 01007 01008 return; 01009 } 01010 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01011 01012 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 01013 void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 01014 { 01015 mbedtls_md5_context md5; 01016 mbedtls_sha1_context sha1; 01017 01018 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) ); 01019 01020 mbedtls_md5_init( &md5 ); 01021 mbedtls_sha1_init( &sha1 ); 01022 01023 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 01024 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 01025 01026 mbedtls_md5_finish( &md5, hash ); 01027 mbedtls_sha1_finish( &sha1, hash + 16 ); 01028 01029 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01030 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01031 01032 mbedtls_md5_free( &md5 ); 01033 mbedtls_sha1_free( &sha1 ); 01034 01035 return; 01036 } 01037 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 01038 01039 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 01040 #if defined(MBEDTLS_SHA256_C) 01041 void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] ) 01042 { 01043 mbedtls_sha256_context sha256; 01044 01045 mbedtls_sha256_init( &sha256 ); 01046 01047 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) ); 01048 01049 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 01050 mbedtls_sha256_finish( &sha256, hash ); 01051 01052 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 ); 01053 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01054 01055 mbedtls_sha256_free( &sha256 ); 01056 01057 return; 01058 } 01059 #endif /* MBEDTLS_SHA256_C */ 01060 01061 #if defined(MBEDTLS_SHA512_C) 01062 void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] ) 01063 { 01064 mbedtls_sha512_context sha512; 01065 01066 mbedtls_sha512_init( &sha512 ); 01067 01068 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) ); 01069 01070 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 01071 mbedtls_sha512_finish( &sha512, hash ); 01072 01073 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 ); 01074 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01075 01076 mbedtls_sha512_free( &sha512 ); 01077 01078 return; 01079 } 01080 #endif /* MBEDTLS_SHA512_C */ 01081 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 01082 01083 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 01084 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ) 01085 { 01086 unsigned char *p = ssl->handshake->premaster; 01087 unsigned char *end = p + sizeof( ssl->handshake->premaster ); 01088 const unsigned char *psk = ssl->conf->psk; 01089 size_t psk_len = ssl->conf->psk_len; 01090 01091 /* If the psk callback was called, use its result */ 01092 if( ssl->handshake->psk != NULL ) 01093 { 01094 psk = ssl->handshake->psk; 01095 psk_len = ssl->handshake->psk_len; 01096 } 01097 01098 /* 01099 * PMS = struct { 01100 * opaque other_secret<0..2^16-1>; 01101 * opaque psk<0..2^16-1>; 01102 * }; 01103 * with "other_secret" depending on the particular key exchange 01104 */ 01105 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 01106 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK ) 01107 { 01108 if( end - p < 2 ) 01109 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01110 01111 *(p++) = (unsigned char)( psk_len >> 8 ); 01112 *(p++) = (unsigned char)( psk_len ); 01113 01114 if( end < p || (size_t)( end - p ) < psk_len ) 01115 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01116 01117 memset( p, 0, psk_len ); 01118 p += psk_len; 01119 } 01120 else 01121 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 01122 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 01123 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 01124 { 01125 /* 01126 * other_secret already set by the ClientKeyExchange message, 01127 * and is 48 bytes long 01128 */ 01129 *p++ = 0; 01130 *p++ = 48; 01131 p += 48; 01132 } 01133 else 01134 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 01135 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01136 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 01137 { 01138 int ret; 01139 size_t len; 01140 01141 /* Write length only when we know the actual value */ 01142 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 01143 p + 2, end - ( p + 2 ), &len, 01144 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01145 { 01146 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 01147 return( ret ); 01148 } 01149 *(p++) = (unsigned char)( len >> 8 ); 01150 *(p++) = (unsigned char)( len ); 01151 p += len; 01152 01153 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 01154 } 01155 else 01156 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01157 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01158 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 01159 { 01160 int ret; 01161 size_t zlen; 01162 01163 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen, 01164 p + 2, end - ( p + 2 ), 01165 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01166 { 01167 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 01168 return( ret ); 01169 } 01170 01171 *(p++) = (unsigned char)( zlen >> 8 ); 01172 *(p++) = (unsigned char)( zlen ); 01173 p += zlen; 01174 01175 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 01176 } 01177 else 01178 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01179 { 01180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01181 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01182 } 01183 01184 /* opaque psk<0..2^16-1>; */ 01185 if( end - p < 2 ) 01186 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01187 01188 *(p++) = (unsigned char)( psk_len >> 8 ); 01189 *(p++) = (unsigned char)( psk_len ); 01190 01191 if( end < p || (size_t)( end - p ) < psk_len ) 01192 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01193 01194 memcpy( p, psk, psk_len ); 01195 p += psk_len; 01196 01197 ssl->handshake->pmslen = p - ssl->handshake->premaster; 01198 01199 return( 0 ); 01200 } 01201 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01202 01203 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01204 /* 01205 * SSLv3.0 MAC functions 01206 */ 01207 static void ssl_mac( mbedtls_md_context_t *md_ctx, unsigned char *secret, 01208 unsigned char *buf, size_t len, 01209 unsigned char *ctr, int type ) 01210 { 01211 unsigned char header[11]; 01212 unsigned char padding[48]; 01213 int padlen; 01214 int md_size = mbedtls_md_get_size( md_ctx->md_info ); 01215 int md_type = mbedtls_md_get_type( md_ctx->md_info ); 01216 01217 /* Only MD5 and SHA-1 supported */ 01218 if( md_type == MBEDTLS_MD_MD5 ) 01219 padlen = 48; 01220 else 01221 padlen = 40; 01222 01223 memcpy( header, ctr, 8 ); 01224 header[ 8] = (unsigned char) type; 01225 header[ 9] = (unsigned char)( len >> 8 ); 01226 header[10] = (unsigned char)( len ); 01227 01228 memset( padding, 0x36, padlen ); 01229 mbedtls_md_starts( md_ctx ); 01230 mbedtls_md_update( md_ctx, secret, md_size ); 01231 mbedtls_md_update( md_ctx, padding, padlen ); 01232 mbedtls_md_update( md_ctx, header, 11 ); 01233 mbedtls_md_update( md_ctx, buf, len ); 01234 mbedtls_md_finish( md_ctx, buf + len ); 01235 01236 memset( padding, 0x5C, padlen ); 01237 mbedtls_md_starts( md_ctx ); 01238 mbedtls_md_update( md_ctx, secret, md_size ); 01239 mbedtls_md_update( md_ctx, padding, padlen ); 01240 mbedtls_md_update( md_ctx, buf + len, md_size ); 01241 mbedtls_md_finish( md_ctx, buf + len ); 01242 } 01243 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01244 01245 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ 01246 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01247 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) ) 01248 #define SSL_SOME_MODES_USE_MAC 01249 #endif 01250 01251 /* 01252 * Encryption/decryption functions 01253 */ 01254 static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) 01255 { 01256 mbedtls_cipher_mode_t mode; 01257 int auth_done = 0; 01258 01259 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) ); 01260 01261 if( ssl->session_out == NULL || ssl->transform_out == NULL ) 01262 { 01263 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01264 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01265 } 01266 01267 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ); 01268 01269 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", 01270 ssl->out_msg, ssl->out_msglen ); 01271 01272 /* 01273 * Add MAC before if needed 01274 */ 01275 #if defined(SSL_SOME_MODES_USE_MAC) 01276 if( mode == MBEDTLS_MODE_STREAM || 01277 ( mode == MBEDTLS_MODE_CBC 01278 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01279 && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED 01280 #endif 01281 ) ) 01282 { 01283 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01284 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01285 { 01286 ssl_mac( &ssl->transform_out->md_ctx_enc, 01287 ssl->transform_out->mac_enc, 01288 ssl->out_msg, ssl->out_msglen, 01289 ssl->out_ctr, ssl->out_msgtype ); 01290 } 01291 else 01292 #endif 01293 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01294 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01295 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 01296 { 01297 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 ); 01298 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 ); 01299 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 ); 01300 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01301 ssl->out_msg, ssl->out_msglen ); 01302 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, 01303 ssl->out_msg + ssl->out_msglen ); 01304 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01305 } 01306 else 01307 #endif 01308 { 01309 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01310 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01311 } 01312 01313 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", 01314 ssl->out_msg + ssl->out_msglen, 01315 ssl->transform_out->maclen ); 01316 01317 ssl->out_msglen += ssl->transform_out->maclen; 01318 auth_done++; 01319 } 01320 #endif /* AEAD not the only option */ 01321 01322 /* 01323 * Encrypt 01324 */ 01325 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01326 if( mode == MBEDTLS_MODE_STREAM ) 01327 { 01328 int ret; 01329 size_t olen = 0; 01330 01331 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01332 "including %d bytes of padding", 01333 ssl->out_msglen, 0 ) ); 01334 01335 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01336 ssl->transform_out->iv_enc, 01337 ssl->transform_out->ivlen, 01338 ssl->out_msg, ssl->out_msglen, 01339 ssl->out_msg, &olen ) ) != 0 ) 01340 { 01341 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01342 return( ret ); 01343 } 01344 01345 if( ssl->out_msglen != olen ) 01346 { 01347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01348 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01349 } 01350 } 01351 else 01352 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01353 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01354 if( mode == MBEDTLS_MODE_GCM || 01355 mode == MBEDTLS_MODE_CCM ) 01356 { 01357 int ret; 01358 size_t enc_msglen, olen; 01359 unsigned char *enc_msg; 01360 unsigned char add_data[13]; 01361 unsigned char taglen = ssl->transform_out->ciphersuite_info->flags & 01362 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01363 01364 memcpy( add_data, ssl->out_ctr, 8 ); 01365 add_data[8] = ssl->out_msgtype; 01366 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01367 ssl->conf->transport, add_data + 9 ); 01368 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF; 01369 add_data[12] = ssl->out_msglen & 0xFF; 01370 01371 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01372 add_data, 13 ); 01373 01374 /* 01375 * Generate IV 01376 */ 01377 #if defined(MBEDTLS_SSL_AEAD_RANDOM_IV) 01378 ret = ssl->conf->f_rng( ssl->conf->p_rng, 01379 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01380 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01381 if( ret != 0 ) 01382 return( ret ); 01383 01384 memcpy( ssl->out_iv, 01385 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01386 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01387 #else 01388 if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 ) 01389 { 01390 /* Reminder if we ever add an AEAD mode with a different size */ 01391 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01392 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01393 } 01394 01395 memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01396 ssl->out_ctr, 8 ); 01397 memcpy( ssl->out_iv, ssl->out_ctr, 8 ); 01398 #endif 01399 01400 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv, 01401 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01402 01403 /* 01404 * Fix pointer positions and message length with added IV 01405 */ 01406 enc_msg = ssl->out_msg; 01407 enc_msglen = ssl->out_msglen; 01408 ssl->out_msglen += ssl->transform_out->ivlen - 01409 ssl->transform_out->fixed_ivlen; 01410 01411 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01412 "including %d bytes of padding", 01413 ssl->out_msglen, 0 ) ); 01414 01415 /* 01416 * Encrypt and authenticate 01417 */ 01418 if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc, 01419 ssl->transform_out->iv_enc, 01420 ssl->transform_out->ivlen, 01421 add_data, 13, 01422 enc_msg, enc_msglen, 01423 enc_msg, &olen, 01424 enc_msg + enc_msglen, taglen ) ) != 0 ) 01425 { 01426 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret ); 01427 return( ret ); 01428 } 01429 01430 if( olen != enc_msglen ) 01431 { 01432 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01433 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01434 } 01435 01436 ssl->out_msglen += taglen; 01437 auth_done++; 01438 01439 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen ); 01440 } 01441 else 01442 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01443 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01444 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) 01445 if( mode == MBEDTLS_MODE_CBC ) 01446 { 01447 int ret; 01448 unsigned char *enc_msg; 01449 size_t enc_msglen, padlen, olen = 0, i; 01450 01451 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) % 01452 ssl->transform_out->ivlen; 01453 if( padlen == ssl->transform_out->ivlen ) 01454 padlen = 0; 01455 01456 for( i = 0; i <= padlen; i++ ) 01457 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen; 01458 01459 ssl->out_msglen += padlen + 1; 01460 01461 enc_msglen = ssl->out_msglen; 01462 enc_msg = ssl->out_msg; 01463 01464 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01465 /* 01466 * Prepend per-record IV for block cipher in TLS v1.1 and up as per 01467 * Method 1 (6.2.3.2. in RFC4346 and RFC5246) 01468 */ 01469 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01470 { 01471 /* 01472 * Generate IV 01473 */ 01474 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc, 01475 ssl->transform_out->ivlen ); 01476 if( ret != 0 ) 01477 return( ret ); 01478 01479 memcpy( ssl->out_iv, ssl->transform_out->iv_enc, 01480 ssl->transform_out->ivlen ); 01481 01482 /* 01483 * Fix pointer positions and message length with added IV 01484 */ 01485 enc_msg = ssl->out_msg; 01486 enc_msglen = ssl->out_msglen; 01487 ssl->out_msglen += ssl->transform_out->ivlen; 01488 } 01489 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01490 01491 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01492 "including %d bytes of IV and %d bytes of padding", 01493 ssl->out_msglen, ssl->transform_out->ivlen, 01494 padlen + 1 ) ); 01495 01496 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01497 ssl->transform_out->iv_enc, 01498 ssl->transform_out->ivlen, 01499 enc_msg, enc_msglen, 01500 enc_msg, &olen ) ) != 0 ) 01501 { 01502 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01503 return( ret ); 01504 } 01505 01506 if( enc_msglen != olen ) 01507 { 01508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01509 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01510 } 01511 01512 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01513 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01514 { 01515 /* 01516 * Save IV in SSL3 and TLS1 01517 */ 01518 memcpy( ssl->transform_out->iv_enc, 01519 ssl->transform_out->cipher_ctx_enc.iv, 01520 ssl->transform_out->ivlen ); 01521 } 01522 #endif 01523 01524 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01525 if( auth_done == 0 ) 01526 { 01527 /* 01528 * MAC(MAC_write_key, seq_num + 01529 * TLSCipherText.type + 01530 * TLSCipherText.version + 01531 * length_of( (IV +) ENC(...) ) + 01532 * IV + // except for TLS 1.0 01533 * ENC(content + padding + padding_length)); 01534 */ 01535 unsigned char pseudo_hdr[13]; 01536 01537 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01538 01539 memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 ); 01540 memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 ); 01541 pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF ); 01542 pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF ); 01543 01544 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01545 01546 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 ); 01547 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01548 ssl->out_iv, ssl->out_msglen ); 01549 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, 01550 ssl->out_iv + ssl->out_msglen ); 01551 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01552 01553 ssl->out_msglen += ssl->transform_out->maclen; 01554 auth_done++; 01555 } 01556 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01557 } 01558 else 01559 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01560 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ 01561 { 01562 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01563 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01564 } 01565 01566 /* Make extra sure authentication was performed, exactly once */ 01567 if( auth_done != 1 ) 01568 { 01569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01570 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01571 } 01572 01573 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); 01574 01575 return( 0 ); 01576 } 01577 01578 #define SSL_MAX_MAC_SIZE 48 01579 01580 static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) 01581 { 01582 size_t i; 01583 mbedtls_cipher_mode_t mode; 01584 int auth_done = 0; 01585 #if defined(SSL_SOME_MODES_USE_MAC) 01586 size_t padlen = 0, correct = 1; 01587 #endif 01588 01589 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); 01590 01591 if( ssl->session_in == NULL || ssl->transform_in == NULL ) 01592 { 01593 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01594 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01595 } 01596 01597 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec ); 01598 01599 if( ssl->in_msglen < ssl->transform_in->minlen ) 01600 { 01601 MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)", 01602 ssl->in_msglen, ssl->transform_in->minlen ) ); 01603 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01604 } 01605 01606 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01607 if( mode == MBEDTLS_MODE_STREAM ) 01608 { 01609 int ret; 01610 size_t olen = 0; 01611 01612 padlen = 0; 01613 01614 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01615 ssl->transform_in->iv_dec, 01616 ssl->transform_in->ivlen, 01617 ssl->in_msg, ssl->in_msglen, 01618 ssl->in_msg, &olen ) ) != 0 ) 01619 { 01620 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01621 return( ret ); 01622 } 01623 01624 if( ssl->in_msglen != olen ) 01625 { 01626 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01627 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01628 } 01629 } 01630 else 01631 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01632 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01633 if( mode == MBEDTLS_MODE_GCM || 01634 mode == MBEDTLS_MODE_CCM ) 01635 { 01636 int ret; 01637 size_t dec_msglen, olen; 01638 unsigned char *dec_msg; 01639 unsigned char *dec_msg_result; 01640 unsigned char add_data[13]; 01641 unsigned char taglen = ssl->transform_in->ciphersuite_info->flags & 01642 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01643 size_t explicit_iv_len = ssl->transform_in->ivlen - 01644 ssl->transform_in->fixed_ivlen; 01645 01646 if( ssl->in_msglen < explicit_iv_len + taglen ) 01647 { 01648 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) " 01649 "+ taglen (%d)", ssl->in_msglen, 01650 explicit_iv_len, taglen ) ); 01651 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01652 } 01653 dec_msglen = ssl->in_msglen - explicit_iv_len - taglen; 01654 01655 dec_msg = ssl->in_msg; 01656 dec_msg_result = ssl->in_msg; 01657 ssl->in_msglen = dec_msglen; 01658 01659 memcpy( add_data, ssl->in_ctr, 8 ); 01660 add_data[8] = ssl->in_msgtype; 01661 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01662 ssl->conf->transport, add_data + 9 ); 01663 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF; 01664 add_data[12] = ssl->in_msglen & 0xFF; 01665 01666 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01667 add_data, 13 ); 01668 01669 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen, 01670 ssl->in_iv, 01671 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen ); 01672 01673 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec, 01674 ssl->transform_in->ivlen ); 01675 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen ); 01676 01677 /* 01678 * Decrypt and authenticate 01679 */ 01680 if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec, 01681 ssl->transform_in->iv_dec, 01682 ssl->transform_in->ivlen, 01683 add_data, 13, 01684 dec_msg, dec_msglen, 01685 dec_msg_result, &olen, 01686 dec_msg + dec_msglen, taglen ) ) != 0 ) 01687 { 01688 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret ); 01689 01690 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) 01691 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01692 01693 return( ret ); 01694 } 01695 auth_done++; 01696 01697 if( olen != dec_msglen ) 01698 { 01699 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01700 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01701 } 01702 } 01703 else 01704 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01705 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01706 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) 01707 if( mode == MBEDTLS_MODE_CBC ) 01708 { 01709 /* 01710 * Decrypt and check the padding 01711 */ 01712 int ret; 01713 unsigned char *dec_msg; 01714 unsigned char *dec_msg_result; 01715 size_t dec_msglen; 01716 size_t minlen = 0; 01717 size_t olen = 0; 01718 01719 /* 01720 * Check immediate ciphertext sanity 01721 */ 01722 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01723 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01724 minlen += ssl->transform_in->ivlen; 01725 #endif 01726 01727 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen || 01728 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 ) 01729 { 01730 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) " 01731 "+ 1 ) ( + expl IV )", ssl->in_msglen, 01732 ssl->transform_in->ivlen, 01733 ssl->transform_in->maclen ) ); 01734 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01735 } 01736 01737 dec_msglen = ssl->in_msglen; 01738 dec_msg = ssl->in_msg; 01739 dec_msg_result = ssl->in_msg; 01740 01741 /* 01742 * Authenticate before decrypt if enabled 01743 */ 01744 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01745 if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 01746 { 01747 unsigned char computed_mac[SSL_MAX_MAC_SIZE]; 01748 unsigned char pseudo_hdr[13]; 01749 01750 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01751 01752 dec_msglen -= ssl->transform_in->maclen; 01753 ssl->in_msglen -= ssl->transform_in->maclen; 01754 01755 memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 ); 01756 memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 ); 01757 pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF ); 01758 pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF ); 01759 01760 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01761 01762 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 ); 01763 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, 01764 ssl->in_iv, ssl->in_msglen ); 01765 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac ); 01766 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 01767 01768 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen, 01769 ssl->transform_in->maclen ); 01770 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", computed_mac, 01771 ssl->transform_in->maclen ); 01772 01773 if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac, 01774 ssl->transform_in->maclen ) != 0 ) 01775 { 01776 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 01777 01778 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01779 } 01780 auth_done++; 01781 } 01782 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01783 01784 /* 01785 * Check length sanity 01786 */ 01787 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 ) 01788 { 01789 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0", 01790 ssl->in_msglen, ssl->transform_in->ivlen ) ); 01791 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01792 } 01793 01794 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01795 /* 01796 * Initialize for prepended IV for block cipher in TLS v1.1 and up 01797 */ 01798 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01799 { 01800 dec_msglen -= ssl->transform_in->ivlen; 01801 ssl->in_msglen -= ssl->transform_in->ivlen; 01802 01803 for( i = 0; i < ssl->transform_in->ivlen; i++ ) 01804 ssl->transform_in->iv_dec[i] = ssl->in_iv[i]; 01805 } 01806 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01807 01808 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01809 ssl->transform_in->iv_dec, 01810 ssl->transform_in->ivlen, 01811 dec_msg, dec_msglen, 01812 dec_msg_result, &olen ) ) != 0 ) 01813 { 01814 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01815 return( ret ); 01816 } 01817 01818 if( dec_msglen != olen ) 01819 { 01820 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01821 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01822 } 01823 01824 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01825 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01826 { 01827 /* 01828 * Save IV in SSL3 and TLS1 01829 */ 01830 memcpy( ssl->transform_in->iv_dec, 01831 ssl->transform_in->cipher_ctx_dec.iv, 01832 ssl->transform_in->ivlen ); 01833 } 01834 #endif 01835 01836 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1]; 01837 01838 if( ssl->in_msglen < ssl->transform_in->maclen + padlen && 01839 auth_done == 0 ) 01840 { 01841 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01842 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)", 01843 ssl->in_msglen, ssl->transform_in->maclen, padlen ) ); 01844 #endif 01845 padlen = 0; 01846 correct = 0; 01847 } 01848 01849 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01850 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01851 { 01852 if( padlen > ssl->transform_in->ivlen ) 01853 { 01854 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01855 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, " 01856 "should be no more than %d", 01857 padlen, ssl->transform_in->ivlen ) ); 01858 #endif 01859 correct = 0; 01860 } 01861 } 01862 else 01863 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01864 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01865 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01866 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01867 { 01868 /* 01869 * TLSv1+: always check the padding up to the first failure 01870 * and fake check up to 256 bytes of padding 01871 */ 01872 size_t pad_count = 0, real_count = 1; 01873 size_t padding_idx = ssl->in_msglen - padlen - 1; 01874 01875 /* 01876 * Padding is guaranteed to be incorrect if: 01877 * 1. padlen >= ssl->in_msglen 01878 * 01879 * 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN + 01880 * ssl->transform_in->maclen 01881 * 01882 * In both cases we reset padding_idx to a safe value (0) to 01883 * prevent out-of-buffer reads. 01884 */ 01885 correct &= ( ssl->in_msglen >= padlen + 1 ); 01886 correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN + 01887 ssl->transform_in->maclen ); 01888 01889 padding_idx *= correct; 01890 01891 for( i = 1; i <= 256; i++ ) 01892 { 01893 real_count &= ( i <= padlen ); 01894 pad_count += real_count * 01895 ( ssl->in_msg[padding_idx + i] == padlen - 1 ); 01896 } 01897 01898 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */ 01899 01900 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01901 if( padlen > 0 && correct == 0 ) 01902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); 01903 #endif 01904 padlen &= correct * 0x1FF; 01905 } 01906 else 01907 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 01908 MBEDTLS_SSL_PROTO_TLS1_2 */ 01909 { 01910 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01911 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01912 } 01913 01914 ssl->in_msglen -= padlen; 01915 } 01916 else 01917 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01918 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ 01919 { 01920 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01921 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01922 } 01923 01924 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption", 01925 ssl->in_msg, ssl->in_msglen ); 01926 01927 /* 01928 * Authenticate if not done yet. 01929 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME). 01930 */ 01931 #if defined(SSL_SOME_MODES_USE_MAC) 01932 if( auth_done == 0 ) 01933 { 01934 unsigned char tmp[SSL_MAX_MAC_SIZE]; 01935 01936 ssl->in_msglen -= ssl->transform_in->maclen; 01937 01938 ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 ); 01939 ssl->in_len[1] = (unsigned char)( ssl->in_msglen ); 01940 01941 memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen ); 01942 01943 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01944 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01945 { 01946 ssl_mac( &ssl->transform_in->md_ctx_dec, 01947 ssl->transform_in->mac_dec, 01948 ssl->in_msg, ssl->in_msglen, 01949 ssl->in_ctr, ssl->in_msgtype ); 01950 } 01951 else 01952 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01953 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01954 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01955 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01956 { 01957 /* 01958 * Process MAC and always update for padlen afterwards to make 01959 * total time independent of padlen 01960 * 01961 * extra_run compensates MAC check for padlen 01962 * 01963 * Known timing attacks: 01964 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf) 01965 * 01966 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values 01967 * correctly. (We round down instead of up, so -56 is the correct 01968 * value for our calculations instead of -55) 01969 */ 01970 size_t j, extra_run = 0; 01971 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 - 01972 ( 13 + ssl->in_msglen + 8 ) / 64; 01973 01974 extra_run &= correct * 0xFF; 01975 01976 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 ); 01977 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 ); 01978 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 ); 01979 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg, 01980 ssl->in_msglen ); 01981 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, 01982 ssl->in_msg + ssl->in_msglen ); 01983 /* Call mbedtls_md_process at least once due to cache attacks */ 01984 for( j = 0; j < extra_run + 1; j++ ) 01985 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg ); 01986 01987 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 01988 } 01989 else 01990 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 01991 MBEDTLS_SSL_PROTO_TLS1_2 */ 01992 { 01993 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01994 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01995 } 01996 01997 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen ); 01998 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen, 01999 ssl->transform_in->maclen ); 02000 02001 if( mbedtls_ssl_safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen, 02002 ssl->transform_in->maclen ) != 0 ) 02003 { 02004 #if defined(MBEDTLS_SSL_DEBUG_ALL) 02005 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 02006 #endif 02007 correct = 0; 02008 } 02009 auth_done++; 02010 02011 /* 02012 * Finally check the correct flag 02013 */ 02014 if( correct == 0 ) 02015 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02016 } 02017 #endif /* SSL_SOME_MODES_USE_MAC */ 02018 02019 /* Make extra sure authentication was performed, exactly once */ 02020 if( auth_done != 1 ) 02021 { 02022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02023 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02024 } 02025 02026 if( ssl->in_msglen == 0 ) 02027 { 02028 ssl->nb_zero++; 02029 02030 /* 02031 * Three or more empty messages may be a DoS attack 02032 * (excessive CPU consumption). 02033 */ 02034 if( ssl->nb_zero > 3 ) 02035 { 02036 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty " 02037 "messages, possible DoS attack" ) ); 02038 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02039 } 02040 } 02041 else 02042 ssl->nb_zero = 0; 02043 02044 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02045 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02046 { 02047 ; /* in_ctr read from peer, not maintained internally */ 02048 } 02049 else 02050 #endif 02051 { 02052 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02053 if( ++ssl->in_ctr[i - 1] != 0 ) 02054 break; 02055 02056 /* The loop goes to its end iff the counter is wrapping */ 02057 if( i == ssl_ep_len( ssl ) ) 02058 { 02059 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); 02060 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02061 } 02062 } 02063 02064 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); 02065 02066 return( 0 ); 02067 } 02068 02069 #undef MAC_NONE 02070 #undef MAC_PLAINTEXT 02071 #undef MAC_CIPHERTEXT 02072 02073 #if defined(MBEDTLS_ZLIB_SUPPORT) 02074 /* 02075 * Compression/decompression functions 02076 */ 02077 static int ssl_compress_buf( mbedtls_ssl_context *ssl ) 02078 { 02079 int ret; 02080 unsigned char *msg_post = ssl->out_msg; 02081 size_t len_pre = ssl->out_msglen; 02082 unsigned char *msg_pre = ssl->compress_buf; 02083 02084 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) ); 02085 02086 if( len_pre == 0 ) 02087 return( 0 ); 02088 02089 memcpy( msg_pre, ssl->out_msg, len_pre ); 02090 02091 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ", 02092 ssl->out_msglen ) ); 02093 02094 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload", 02095 ssl->out_msg, ssl->out_msglen ); 02096 02097 ssl->transform_out->ctx_deflate.next_in = msg_pre; 02098 ssl->transform_out->ctx_deflate.avail_in = len_pre; 02099 ssl->transform_out->ctx_deflate.next_out = msg_post; 02100 ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN; 02101 02102 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH ); 02103 if( ret != Z_OK ) 02104 { 02105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) ); 02106 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02107 } 02108 02109 ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN - 02110 ssl->transform_out->ctx_deflate.avail_out; 02111 02112 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ", 02113 ssl->out_msglen ) ); 02114 02115 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload", 02116 ssl->out_msg, ssl->out_msglen ); 02117 02118 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) ); 02119 02120 return( 0 ); 02121 } 02122 02123 static int ssl_decompress_buf( mbedtls_ssl_context *ssl ) 02124 { 02125 int ret; 02126 unsigned char *msg_post = ssl->in_msg; 02127 size_t len_pre = ssl->in_msglen; 02128 unsigned char *msg_pre = ssl->compress_buf; 02129 02130 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) ); 02131 02132 if( len_pre == 0 ) 02133 return( 0 ); 02134 02135 memcpy( msg_pre, ssl->in_msg, len_pre ); 02136 02137 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ", 02138 ssl->in_msglen ) ); 02139 02140 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload", 02141 ssl->in_msg, ssl->in_msglen ); 02142 02143 ssl->transform_in->ctx_inflate.next_in = msg_pre; 02144 ssl->transform_in->ctx_inflate.avail_in = len_pre; 02145 ssl->transform_in->ctx_inflate.next_out = msg_post; 02146 ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_MAX_CONTENT_LEN; 02147 02148 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH ); 02149 if( ret != Z_OK ) 02150 { 02151 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) ); 02152 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02153 } 02154 02155 ssl->in_msglen = MBEDTLS_SSL_MAX_CONTENT_LEN - 02156 ssl->transform_in->ctx_inflate.avail_out; 02157 02158 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ", 02159 ssl->in_msglen ) ); 02160 02161 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload", 02162 ssl->in_msg, ssl->in_msglen ); 02163 02164 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) ); 02165 02166 return( 0 ); 02167 } 02168 #endif /* MBEDTLS_ZLIB_SUPPORT */ 02169 02170 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02171 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ); 02172 02173 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02174 static int ssl_resend_hello_request( mbedtls_ssl_context *ssl ) 02175 { 02176 /* If renegotiation is not enforced, retransmit until we would reach max 02177 * timeout if we were using the usual handshake doubling scheme */ 02178 if( ssl->conf->renego_max_records < 0 ) 02179 { 02180 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; 02181 unsigned char doublings = 1; 02182 02183 while( ratio != 0 ) 02184 { 02185 ++doublings; 02186 ratio >>= 1; 02187 } 02188 02189 if( ++ssl->renego_records_seen > doublings ) 02190 { 02191 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) ); 02192 return( 0 ); 02193 } 02194 } 02195 02196 return( ssl_write_hello_request( ssl ) ); 02197 } 02198 #endif 02199 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02200 02201 /* 02202 * Fill the input message buffer by appending data to it. 02203 * The amount of data already fetched is in ssl->in_left. 02204 * 02205 * If we return 0, is it guaranteed that (at least) nb_want bytes are 02206 * available (from this read and/or a previous one). Otherwise, an error code 02207 * is returned (possibly EOF or WANT_READ). 02208 * 02209 * With stream transport (TLS) on success ssl->in_left == nb_want, but 02210 * with datagram transport (DTLS) on success ssl->in_left >= nb_want, 02211 * since we always read a whole datagram at once. 02212 * 02213 * For DTLS, it is up to the caller to set ssl->next_record_offset when 02214 * they're done reading a record. 02215 */ 02216 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) 02217 { 02218 int ret; 02219 size_t len; 02220 02221 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) ); 02222 02223 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) 02224 { 02225 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02226 "or mbedtls_ssl_set_bio()" ) ); 02227 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02228 } 02229 02230 if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) ) 02231 { 02232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) ); 02233 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02234 } 02235 02236 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02237 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02238 { 02239 uint32_t timeout; 02240 02241 /* Just to be sure */ 02242 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) 02243 { 02244 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use " 02245 "mbedtls_ssl_set_timer_cb() for DTLS" ) ); 02246 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02247 } 02248 02249 /* 02250 * The point is, we need to always read a full datagram at once, so we 02251 * sometimes read more then requested, and handle the additional data. 02252 * It could be the rest of the current record (while fetching the 02253 * header) and/or some other records in the same datagram. 02254 */ 02255 02256 /* 02257 * Move to the next record in the already read datagram if applicable 02258 */ 02259 if( ssl->next_record_offset != 0 ) 02260 { 02261 if( ssl->in_left < ssl->next_record_offset ) 02262 { 02263 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02264 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02265 } 02266 02267 ssl->in_left -= ssl->next_record_offset; 02268 02269 if( ssl->in_left != 0 ) 02270 { 02271 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d", 02272 ssl->next_record_offset ) ); 02273 memmove( ssl->in_hdr, 02274 ssl->in_hdr + ssl->next_record_offset, 02275 ssl->in_left ); 02276 } 02277 02278 ssl->next_record_offset = 0; 02279 } 02280 02281 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02282 ssl->in_left, nb_want ) ); 02283 02284 /* 02285 * Done if we already have enough data. 02286 */ 02287 if( nb_want <= ssl->in_left) 02288 { 02289 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02290 return( 0 ); 02291 } 02292 02293 /* 02294 * A record can't be split accross datagrams. If we need to read but 02295 * are not at the beginning of a new record, the caller did something 02296 * wrong. 02297 */ 02298 if( ssl->in_left != 0 ) 02299 { 02300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02301 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02302 } 02303 02304 /* 02305 * Don't even try to read if time's out already. 02306 * This avoids by-passing the timer when repeatedly receiving messages 02307 * that will end up being dropped. 02308 */ 02309 if( ssl_check_timer( ssl ) != 0 ) 02310 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02311 else 02312 { 02313 len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf ); 02314 02315 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02316 timeout = ssl->handshake->retransmit_timeout; 02317 else 02318 timeout = ssl->conf->read_timeout; 02319 02320 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) ); 02321 02322 if( ssl->f_recv_timeout != NULL ) 02323 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len, 02324 timeout ); 02325 else 02326 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len ); 02327 02328 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02329 02330 if( ret == 0 ) 02331 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02332 } 02333 02334 if( ret == MBEDTLS_ERR_SSL_TIMEOUT ) 02335 { 02336 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); 02337 ssl_set_timer( ssl, 0 ); 02338 02339 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02340 { 02341 if( ssl_double_retransmit_timeout( ssl ) != 0 ) 02342 { 02343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) ); 02344 return( MBEDTLS_ERR_SSL_TIMEOUT ); 02345 } 02346 02347 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 02348 { 02349 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 02350 return( ret ); 02351 } 02352 02353 return( MBEDTLS_ERR_SSL_WANT_READ ); 02354 } 02355 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02356 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 02357 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 02358 { 02359 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 02360 { 02361 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 02362 return( ret ); 02363 } 02364 02365 return( MBEDTLS_ERR_SSL_WANT_READ ); 02366 } 02367 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02368 } 02369 02370 if( ret < 0 ) 02371 return( ret ); 02372 02373 ssl->in_left = ret; 02374 } 02375 else 02376 #endif 02377 { 02378 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02379 ssl->in_left, nb_want ) ); 02380 02381 while( ssl->in_left < nb_want ) 02382 { 02383 len = nb_want - ssl->in_left; 02384 02385 if( ssl_check_timer( ssl ) != 0 ) 02386 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02387 else 02388 { 02389 if( ssl->f_recv_timeout != NULL ) 02390 { 02391 ret = ssl->f_recv_timeout( ssl->p_bio, 02392 ssl->in_hdr + ssl->in_left, len, 02393 ssl->conf->read_timeout ); 02394 } 02395 else 02396 { 02397 ret = ssl->f_recv( ssl->p_bio, 02398 ssl->in_hdr + ssl->in_left, len ); 02399 } 02400 } 02401 02402 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02403 ssl->in_left, nb_want ) ); 02404 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02405 02406 if( ret == 0 ) 02407 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02408 02409 if( ret < 0 ) 02410 return( ret ); 02411 02412 ssl->in_left += ret; 02413 } 02414 } 02415 02416 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02417 02418 return( 0 ); 02419 } 02420 02421 /* 02422 * Flush any data not yet written 02423 */ 02424 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) 02425 { 02426 int ret; 02427 unsigned char *buf, i; 02428 02429 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) ); 02430 02431 if( ssl->f_send == NULL ) 02432 { 02433 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02434 "or mbedtls_ssl_set_bio()" ) ); 02435 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02436 } 02437 02438 /* Avoid incrementing counter if data is flushed */ 02439 if( ssl->out_left == 0 ) 02440 { 02441 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02442 return( 0 ); 02443 } 02444 02445 while( ssl->out_left > 0 ) 02446 { 02447 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d", 02448 mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) ); 02449 02450 buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) + 02451 ssl->out_msglen - ssl->out_left; 02452 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left ); 02453 02454 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret ); 02455 02456 if( ret <= 0 ) 02457 return( ret ); 02458 02459 ssl->out_left -= ret; 02460 } 02461 02462 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02463 if( ++ssl->out_ctr[i - 1] != 0 ) 02464 break; 02465 02466 /* The loop goes to its end iff the counter is wrapping */ 02467 if( i == ssl_ep_len( ssl ) ) 02468 { 02469 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) ); 02470 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02471 } 02472 02473 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02474 02475 return( 0 ); 02476 } 02477 02478 /* 02479 * Functions to handle the DTLS retransmission state machine 02480 */ 02481 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02482 /* 02483 * Append current handshake message to current outgoing flight 02484 */ 02485 static int ssl_flight_append( mbedtls_ssl_context *ssl ) 02486 { 02487 mbedtls_ssl_flight_item *msg; 02488 02489 /* Allocate space for current message */ 02490 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL ) 02491 { 02492 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", 02493 sizeof( mbedtls_ssl_flight_item ) ) ); 02494 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02495 } 02496 02497 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL ) 02498 { 02499 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) ); 02500 mbedtls_free( msg ); 02501 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02502 } 02503 02504 /* Copy current handshake message with headers */ 02505 memcpy( msg->p, ssl->out_msg, ssl->out_msglen ); 02506 msg->len = ssl->out_msglen; 02507 msg->type = ssl->out_msgtype; 02508 msg->next = NULL; 02509 02510 /* Append to the current flight */ 02511 if( ssl->handshake->flight == NULL ) 02512 ssl->handshake->flight = msg; 02513 else 02514 { 02515 mbedtls_ssl_flight_item *cur = ssl->handshake->flight; 02516 while( cur->next != NULL ) 02517 cur = cur->next; 02518 cur->next = msg; 02519 } 02520 02521 return( 0 ); 02522 } 02523 02524 /* 02525 * Free the current flight of handshake messages 02526 */ 02527 static void ssl_flight_free( mbedtls_ssl_flight_item *flight ) 02528 { 02529 mbedtls_ssl_flight_item *cur = flight; 02530 mbedtls_ssl_flight_item *next; 02531 02532 while( cur != NULL ) 02533 { 02534 next = cur->next; 02535 02536 mbedtls_free( cur->p ); 02537 mbedtls_free( cur ); 02538 02539 cur = next; 02540 } 02541 } 02542 02543 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 02544 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ); 02545 #endif 02546 02547 /* 02548 * Swap transform_out and out_ctr with the alternative ones 02549 */ 02550 static void ssl_swap_epochs( mbedtls_ssl_context *ssl ) 02551 { 02552 mbedtls_ssl_transform *tmp_transform; 02553 unsigned char tmp_out_ctr[8]; 02554 02555 if( ssl->transform_out == ssl->handshake->alt_transform_out ) 02556 { 02557 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) ); 02558 return; 02559 } 02560 02561 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) ); 02562 02563 /* Swap transforms */ 02564 tmp_transform = ssl->transform_out; 02565 ssl->transform_out = ssl->handshake->alt_transform_out; 02566 ssl->handshake->alt_transform_out = tmp_transform; 02567 02568 /* Swap epoch + sequence_number */ 02569 memcpy( tmp_out_ctr, ssl->out_ctr, 8 ); 02570 memcpy( ssl->out_ctr, ssl->handshake->alt_out_ctr, 8 ); 02571 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 ); 02572 02573 /* Adjust to the newly activated transform */ 02574 if( ssl->transform_out != NULL && 02575 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 02576 { 02577 ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen - 02578 ssl->transform_out->fixed_ivlen; 02579 } 02580 else 02581 ssl->out_msg = ssl->out_iv; 02582 02583 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02584 if( mbedtls_ssl_hw_record_activate != NULL ) 02585 { 02586 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 02587 { 02588 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 02589 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02590 } 02591 } 02592 #endif 02593 } 02594 02595 /* 02596 * Retransmit the current flight of messages. 02597 * 02598 * Need to remember the current message in case flush_output returns 02599 * WANT_WRITE, causing us to exit this function and come back later. 02600 * This function must be called until state is no longer SENDING. 02601 */ 02602 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl ) 02603 { 02604 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) ); 02605 02606 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING ) 02607 { 02608 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) ); 02609 02610 ssl->handshake->cur_msg = ssl->handshake->flight; 02611 ssl_swap_epochs( ssl ); 02612 02613 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING; 02614 } 02615 02616 while( ssl->handshake->cur_msg != NULL ) 02617 { 02618 int ret; 02619 mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg; 02620 02621 /* Swap epochs before sending Finished: we can't do it after 02622 * sending ChangeCipherSpec, in case write returns WANT_READ. 02623 * Must be done before copying, may change out_msg pointer */ 02624 if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE && 02625 cur->p[0] == MBEDTLS_SSL_HS_FINISHED ) 02626 { 02627 ssl_swap_epochs( ssl ); 02628 } 02629 02630 memcpy( ssl->out_msg, cur->p, cur->len ); 02631 ssl->out_msglen = cur->len; 02632 ssl->out_msgtype = cur->type; 02633 02634 ssl->handshake->cur_msg = cur->next; 02635 02636 MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 ); 02637 02638 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02639 { 02640 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02641 return( ret ); 02642 } 02643 } 02644 02645 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 02646 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02647 else 02648 { 02649 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02650 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02651 } 02652 02653 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) ); 02654 02655 return( 0 ); 02656 } 02657 02658 /* 02659 * To be called when the last message of an incoming flight is received. 02660 */ 02661 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl ) 02662 { 02663 /* We won't need to resend that one any more */ 02664 ssl_flight_free( ssl->handshake->flight ); 02665 ssl->handshake->flight = NULL; 02666 ssl->handshake->cur_msg = NULL; 02667 02668 /* The next incoming flight will start with this msg_seq */ 02669 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq; 02670 02671 /* Cancel timer */ 02672 ssl_set_timer( ssl, 0 ); 02673 02674 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02675 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02676 { 02677 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02678 } 02679 else 02680 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 02681 } 02682 02683 /* 02684 * To be called when the last message of an outgoing flight is send. 02685 */ 02686 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ) 02687 { 02688 ssl_reset_retransmit_timeout( ssl ); 02689 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02690 02691 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02692 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02693 { 02694 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02695 } 02696 else 02697 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02698 } 02699 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02700 02701 /* 02702 * Record layer functions 02703 */ 02704 02705 /* 02706 * Write current record. 02707 * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg. 02708 */ 02709 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) 02710 { 02711 int ret, done = 0, out_msg_type; 02712 size_t len = ssl->out_msglen; 02713 02714 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) ); 02715 02716 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02717 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02718 ssl->handshake != NULL && 02719 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 02720 { 02721 ; /* Skip special handshake treatment when resending */ 02722 } 02723 else 02724 #endif 02725 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 02726 { 02727 out_msg_type = ssl->out_msg[0]; 02728 02729 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST && 02730 ssl->handshake == NULL ) 02731 { 02732 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02733 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02734 } 02735 02736 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 ); 02737 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 ); 02738 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) ); 02739 02740 /* 02741 * DTLS has additional fields in the Handshake layer, 02742 * between the length field and the actual payload: 02743 * uint16 message_seq; 02744 * uint24 fragment_offset; 02745 * uint24 fragment_length; 02746 */ 02747 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02748 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02749 { 02750 /* Make room for the additional DTLS fields */ 02751 memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 ); 02752 ssl->out_msglen += 8; 02753 len += 8; 02754 02755 /* Write message_seq and update it, except for HelloRequest */ 02756 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02757 { 02758 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF; 02759 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF; 02760 ++( ssl->handshake->out_msg_seq ); 02761 } 02762 else 02763 { 02764 ssl->out_msg[4] = 0; 02765 ssl->out_msg[5] = 0; 02766 } 02767 02768 /* We don't fragment, so frag_offset = 0 and frag_len = len */ 02769 memset( ssl->out_msg + 6, 0x00, 3 ); 02770 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ); 02771 } 02772 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02773 02774 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02775 ssl->handshake->update_checksum( ssl, ssl->out_msg, len ); 02776 } 02777 02778 /* Save handshake and CCS messages for resending */ 02779 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02780 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02781 ssl->handshake != NULL && 02782 ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING && 02783 ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC || 02784 ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) ) 02785 { 02786 if( ( ret = ssl_flight_append( ssl ) ) != 0 ) 02787 { 02788 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret ); 02789 return( ret ); 02790 } 02791 } 02792 #endif 02793 02794 #if defined(MBEDTLS_ZLIB_SUPPORT) 02795 if( ssl->transform_out != NULL && 02796 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 02797 { 02798 if( ( ret = ssl_compress_buf( ssl ) ) != 0 ) 02799 { 02800 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret ); 02801 return( ret ); 02802 } 02803 02804 len = ssl->out_msglen; 02805 } 02806 #endif /*MBEDTLS_ZLIB_SUPPORT */ 02807 02808 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02809 if( mbedtls_ssl_hw_record_write != NULL ) 02810 { 02811 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) ); 02812 02813 ret = mbedtls_ssl_hw_record_write( ssl ); 02814 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 02815 { 02816 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret ); 02817 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02818 } 02819 02820 if( ret == 0 ) 02821 done = 1; 02822 } 02823 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 02824 if( !done ) 02825 { 02826 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; 02827 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02828 ssl->conf->transport, ssl->out_hdr + 1 ); 02829 02830 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02831 ssl->out_len[1] = (unsigned char)( len ); 02832 02833 if( ssl->transform_out != NULL ) 02834 { 02835 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 ) 02836 { 02837 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); 02838 return( ret ); 02839 } 02840 02841 len = ssl->out_msglen; 02842 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02843 ssl->out_len[1] = (unsigned char)( len ); 02844 } 02845 02846 ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen; 02847 02848 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, " 02849 "version = [%d:%d], msglen = %d", 02850 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2], 02851 ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) ); 02852 02853 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", 02854 ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen ); 02855 } 02856 02857 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 02858 { 02859 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 02860 return( ret ); 02861 } 02862 02863 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) ); 02864 02865 return( 0 ); 02866 } 02867 02868 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02869 /* 02870 * Mark bits in bitmask (used for DTLS HS reassembly) 02871 */ 02872 static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len ) 02873 { 02874 unsigned int start_bits, end_bits; 02875 02876 start_bits = 8 - ( offset % 8 ); 02877 if( start_bits != 8 ) 02878 { 02879 size_t first_byte_idx = offset / 8; 02880 02881 /* Special case */ 02882 if( len <= start_bits ) 02883 { 02884 for( ; len != 0; len-- ) 02885 mask[first_byte_idx] |= 1 << ( start_bits - len ); 02886 02887 /* Avoid potential issues with offset or len becoming invalid */ 02888 return; 02889 } 02890 02891 offset += start_bits; /* Now offset % 8 == 0 */ 02892 len -= start_bits; 02893 02894 for( ; start_bits != 0; start_bits-- ) 02895 mask[first_byte_idx] |= 1 << ( start_bits - 1 ); 02896 } 02897 02898 end_bits = len % 8; 02899 if( end_bits != 0 ) 02900 { 02901 size_t last_byte_idx = ( offset + len ) / 8; 02902 02903 len -= end_bits; /* Now len % 8 == 0 */ 02904 02905 for( ; end_bits != 0; end_bits-- ) 02906 mask[last_byte_idx] |= 1 << ( 8 - end_bits ); 02907 } 02908 02909 memset( mask + offset / 8, 0xFF, len / 8 ); 02910 } 02911 02912 /* 02913 * Check that bitmask is full 02914 */ 02915 static int ssl_bitmask_check( unsigned char *mask, size_t len ) 02916 { 02917 size_t i; 02918 02919 for( i = 0; i < len / 8; i++ ) 02920 if( mask[i] != 0xFF ) 02921 return( -1 ); 02922 02923 for( i = 0; i < len % 8; i++ ) 02924 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 ) 02925 return( -1 ); 02926 02927 return( 0 ); 02928 } 02929 02930 /* 02931 * Reassemble fragmented DTLS handshake messages. 02932 * 02933 * Use a temporary buffer for reassembly, divided in two parts: 02934 * - the first holds the reassembled message (including handshake header), 02935 * - the second holds a bitmask indicating which parts of the message 02936 * (excluding headers) have been received so far. 02937 */ 02938 static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) 02939 { 02940 unsigned char *msg, *bitmask; 02941 size_t frag_len, frag_off; 02942 size_t msg_len = ssl->in_hslen - 12; /* Without headers */ 02943 02944 if( ssl->handshake == NULL ) 02945 { 02946 MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) ); 02947 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 02948 } 02949 02950 /* 02951 * For first fragment, check size and allocate buffer 02952 */ 02953 if( ssl->handshake->hs_msg == NULL ) 02954 { 02955 size_t alloc_len; 02956 02957 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d", 02958 msg_len ) ); 02959 02960 if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02961 { 02962 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) ); 02963 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 02964 } 02965 02966 /* The bitmask needs one bit per byte of message excluding header */ 02967 alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 ); 02968 02969 ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len ); 02970 if( ssl->handshake->hs_msg == NULL ) 02971 { 02972 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) ); 02973 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02974 } 02975 02976 /* Prepare final header: copy msg_type, length and message_seq, 02977 * then add standardised fragment_offset and fragment_length */ 02978 memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 ); 02979 memset( ssl->handshake->hs_msg + 6, 0, 3 ); 02980 memcpy( ssl->handshake->hs_msg + 9, 02981 ssl->handshake->hs_msg + 1, 3 ); 02982 } 02983 else 02984 { 02985 /* Make sure msg_type and length are consistent */ 02986 if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 ) 02987 { 02988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) ); 02989 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 02990 } 02991 } 02992 02993 msg = ssl->handshake->hs_msg + 12; 02994 bitmask = msg + msg_len; 02995 02996 /* 02997 * Check and copy current fragment 02998 */ 02999 frag_off = ( ssl->in_msg[6] << 16 ) | 03000 ( ssl->in_msg[7] << 8 ) | 03001 ssl->in_msg[8]; 03002 frag_len = ( ssl->in_msg[9] << 16 ) | 03003 ( ssl->in_msg[10] << 8 ) | 03004 ssl->in_msg[11]; 03005 03006 if( frag_off + frag_len > msg_len ) 03007 { 03008 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d", 03009 frag_off, frag_len, msg_len ) ); 03010 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03011 } 03012 03013 if( frag_len + 12 > ssl->in_msglen ) 03014 { 03015 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d", 03016 frag_len, ssl->in_msglen ) ); 03017 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03018 } 03019 03020 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d", 03021 frag_off, frag_len ) ); 03022 03023 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len ); 03024 ssl_bitmask_set( bitmask, frag_off, frag_len ); 03025 03026 /* 03027 * Do we have the complete message by now? 03028 * If yes, finalize it, else ask to read the next record. 03029 */ 03030 if( ssl_bitmask_check( bitmask, msg_len ) != 0 ) 03031 { 03032 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) ); 03033 return( MBEDTLS_ERR_SSL_WANT_READ ); 03034 } 03035 03036 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) ); 03037 03038 if( frag_len + 12 < ssl->in_msglen ) 03039 { 03040 /* 03041 * We'got more handshake messages in the same record. 03042 * This case is not handled now because no know implementation does 03043 * that and it's hard to test, so we prefer to fail cleanly for now. 03044 */ 03045 MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) ); 03046 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03047 } 03048 03049 if( ssl->in_left > ssl->next_record_offset ) 03050 { 03051 /* 03052 * We've got more data in the buffer after the current record, 03053 * that we don't want to overwrite. Move it before writing the 03054 * reassembled message, and adjust in_left and next_record_offset. 03055 */ 03056 unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset; 03057 unsigned char *new_remain = ssl->in_msg + ssl->in_hslen; 03058 size_t remain_len = ssl->in_left - ssl->next_record_offset; 03059 03060 /* First compute and check new lengths */ 03061 ssl->next_record_offset = new_remain - ssl->in_hdr; 03062 ssl->in_left = ssl->next_record_offset + remain_len; 03063 03064 if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN - 03065 (size_t)( ssl->in_hdr - ssl->in_buf ) ) 03066 { 03067 MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) ); 03068 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03069 } 03070 03071 memmove( new_remain, cur_remain, remain_len ); 03072 } 03073 03074 memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen ); 03075 03076 mbedtls_free( ssl->handshake->hs_msg ); 03077 ssl->handshake->hs_msg = NULL; 03078 03079 MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message", 03080 ssl->in_msg, ssl->in_hslen ); 03081 03082 return( 0 ); 03083 } 03084 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03085 03086 static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) 03087 { 03088 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) ) 03089 { 03090 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d", 03091 ssl->in_msglen ) ); 03092 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03093 } 03094 03095 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ( 03096 ( ssl->in_msg[1] << 16 ) | 03097 ( ssl->in_msg[2] << 8 ) | 03098 ssl->in_msg[3] ); 03099 03100 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" 03101 " %d, type = %d, hslen = %d", 03102 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); 03103 03104 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03105 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03106 { 03107 int ret; 03108 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 03109 03110 /* ssl->handshake is NULL when receiving ClientHello for renego */ 03111 if( ssl->handshake != NULL && 03112 recv_msg_seq != ssl->handshake->in_msg_seq ) 03113 { 03114 /* Retransmit only on last message from previous flight, to avoid 03115 * too many retransmissions. 03116 * Besides, No sane server ever retransmits HelloVerifyRequest */ 03117 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 && 03118 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 03119 { 03120 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, " 03121 "message_seq = %d, start_of_flight = %d", 03122 recv_msg_seq, 03123 ssl->handshake->in_flight_start_seq ) ); 03124 03125 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03126 { 03127 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 03128 return( ret ); 03129 } 03130 } 03131 else 03132 { 03133 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: " 03134 "message_seq = %d, expected = %d", 03135 recv_msg_seq, 03136 ssl->handshake->in_msg_seq ) ); 03137 } 03138 03139 return( MBEDTLS_ERR_SSL_WANT_READ ); 03140 } 03141 /* Wait until message completion to increment in_msg_seq */ 03142 03143 /* Reassemble if current message is fragmented or reassembly is 03144 * already in progress */ 03145 if( ssl->in_msglen < ssl->in_hslen || 03146 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 || 03147 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 || 03148 ( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) ) 03149 { 03150 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) ); 03151 03152 if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 ) 03153 { 03154 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret ); 03155 return( ret ); 03156 } 03157 } 03158 } 03159 else 03160 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03161 /* With TLS we don't handle fragmentation (for now) */ 03162 if( ssl->in_msglen < ssl->in_hslen ) 03163 { 03164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); 03165 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03166 } 03167 03168 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && 03169 ssl->handshake != NULL ) 03170 { 03171 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); 03172 } 03173 03174 /* Handshake message is complete, increment counter */ 03175 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03176 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03177 ssl->handshake != NULL ) 03178 { 03179 ssl->handshake->in_msg_seq++; 03180 } 03181 #endif 03182 03183 return( 0 ); 03184 } 03185 03186 /* 03187 * DTLS anti-replay: RFC 6347 4.1.2.6 03188 * 03189 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb). 03190 * Bit n is set iff record number in_window_top - n has been seen. 03191 * 03192 * Usually, in_window_top is the last record number seen and the lsb of 03193 * in_window is set. The only exception is the initial state (record number 0 03194 * not seen yet). 03195 */ 03196 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03197 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ) 03198 { 03199 ssl->in_window_top = 0; 03200 ssl->in_window = 0; 03201 } 03202 03203 static inline uint64_t ssl_load_six_bytes( unsigned char *buf ) 03204 { 03205 return( ( (uint64_t) buf[0] << 40 ) | 03206 ( (uint64_t) buf[1] << 32 ) | 03207 ( (uint64_t) buf[2] << 24 ) | 03208 ( (uint64_t) buf[3] << 16 ) | 03209 ( (uint64_t) buf[4] << 8 ) | 03210 ( (uint64_t) buf[5] ) ); 03211 } 03212 03213 /* 03214 * Return 0 if sequence number is acceptable, -1 otherwise 03215 */ 03216 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl ) 03217 { 03218 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03219 uint64_t bit; 03220 03221 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03222 return( 0 ); 03223 03224 if( rec_seqnum > ssl->in_window_top ) 03225 return( 0 ); 03226 03227 bit = ssl->in_window_top - rec_seqnum; 03228 03229 if( bit >= 64 ) 03230 return( -1 ); 03231 03232 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 ) 03233 return( -1 ); 03234 03235 return( 0 ); 03236 } 03237 03238 /* 03239 * Update replay window on new validated record 03240 */ 03241 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) 03242 { 03243 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03244 03245 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03246 return; 03247 03248 if( rec_seqnum > ssl->in_window_top ) 03249 { 03250 /* Update window_top and the contents of the window */ 03251 uint64_t shift = rec_seqnum - ssl->in_window_top; 03252 03253 if( shift >= 64 ) 03254 ssl->in_window = 1; 03255 else 03256 { 03257 ssl->in_window <<= shift; 03258 ssl->in_window |= 1; 03259 } 03260 03261 ssl->in_window_top = rec_seqnum; 03262 } 03263 else 03264 { 03265 /* Mark that number as seen in the current window */ 03266 uint64_t bit = ssl->in_window_top - rec_seqnum; 03267 03268 if( bit < 64 ) /* Always true, but be extra sure */ 03269 ssl->in_window |= (uint64_t) 1 << bit; 03270 } 03271 } 03272 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 03273 03274 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03275 /* Forward declaration */ 03276 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); 03277 03278 /* 03279 * Without any SSL context, check if a datagram looks like a ClientHello with 03280 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message. 03281 * Both input and output include full DTLS headers. 03282 * 03283 * - if cookie is valid, return 0 03284 * - if ClientHello looks superficially valid but cookie is not, 03285 * fill obuf and set olen, then 03286 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03287 * - otherwise return a specific error code 03288 */ 03289 static int ssl_check_dtls_clihlo_cookie( 03290 mbedtls_ssl_cookie_write_t *f_cookie_write, 03291 mbedtls_ssl_cookie_check_t *f_cookie_check, 03292 void *p_cookie, 03293 const unsigned char *cli_id, size_t cli_id_len, 03294 const unsigned char *in, size_t in_len, 03295 unsigned char *obuf, size_t buf_len, size_t *olen ) 03296 { 03297 size_t sid_len, cookie_len; 03298 unsigned char *p; 03299 03300 if( f_cookie_write == NULL || f_cookie_check == NULL ) 03301 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03302 03303 /* 03304 * Structure of ClientHello with record and handshake headers, 03305 * and expected values. We don't need to check a lot, more checks will be 03306 * done when actually parsing the ClientHello - skipping those checks 03307 * avoids code duplication and does not make cookie forging any easier. 03308 * 03309 * 0-0 ContentType type; copied, must be handshake 03310 * 1-2 ProtocolVersion version; copied 03311 * 3-4 uint16 epoch; copied, must be 0 03312 * 5-10 uint48 sequence_number; copied 03313 * 11-12 uint16 length; (ignored) 03314 * 03315 * 13-13 HandshakeType msg_type; (ignored) 03316 * 14-16 uint24 length; (ignored) 03317 * 17-18 uint16 message_seq; copied 03318 * 19-21 uint24 fragment_offset; copied, must be 0 03319 * 22-24 uint24 fragment_length; (ignored) 03320 * 03321 * 25-26 ProtocolVersion client_version; (ignored) 03322 * 27-58 Random random; (ignored) 03323 * 59-xx SessionID session_id; 1 byte len + sid_len content 03324 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content 03325 * ... 03326 * 03327 * Minimum length is 61 bytes. 03328 */ 03329 if( in_len < 61 || 03330 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || 03331 in[3] != 0 || in[4] != 0 || 03332 in[19] != 0 || in[20] != 0 || in[21] != 0 ) 03333 { 03334 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03335 } 03336 03337 sid_len = in[59]; 03338 if( sid_len > in_len - 61 ) 03339 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03340 03341 cookie_len = in[60 + sid_len]; 03342 if( cookie_len > in_len - 60 ) 03343 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03344 03345 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len, 03346 cli_id, cli_id_len ) == 0 ) 03347 { 03348 /* Valid cookie */ 03349 return( 0 ); 03350 } 03351 03352 /* 03353 * If we get here, we've got an invalid cookie, let's prepare HVR. 03354 * 03355 * 0-0 ContentType type; copied 03356 * 1-2 ProtocolVersion version; copied 03357 * 3-4 uint16 epoch; copied 03358 * 5-10 uint48 sequence_number; copied 03359 * 11-12 uint16 length; olen - 13 03360 * 03361 * 13-13 HandshakeType msg_type; hello_verify_request 03362 * 14-16 uint24 length; olen - 25 03363 * 17-18 uint16 message_seq; copied 03364 * 19-21 uint24 fragment_offset; copied 03365 * 22-24 uint24 fragment_length; olen - 25 03366 * 03367 * 25-26 ProtocolVersion server_version; 0xfe 0xff 03368 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie 03369 * 03370 * Minimum length is 28. 03371 */ 03372 if( buf_len < 28 ) 03373 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03374 03375 /* Copy most fields and adapt others */ 03376 memcpy( obuf, in, 25 ); 03377 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 03378 obuf[25] = 0xfe; 03379 obuf[26] = 0xff; 03380 03381 /* Generate and write actual cookie */ 03382 p = obuf + 28; 03383 if( f_cookie_write( p_cookie, 03384 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 ) 03385 { 03386 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03387 } 03388 03389 *olen = p - obuf; 03390 03391 /* Go back and fill length fields */ 03392 obuf[27] = (unsigned char)( *olen - 28 ); 03393 03394 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 ); 03395 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 ); 03396 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) ); 03397 03398 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 ); 03399 obuf[12] = (unsigned char)( ( *olen - 13 ) ); 03400 03401 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03402 } 03403 03404 /* 03405 * Handle possible client reconnect with the same UDP quadruplet 03406 * (RFC 6347 Section 4.2.8). 03407 * 03408 * Called by ssl_parse_record_header() in case we receive an epoch 0 record 03409 * that looks like a ClientHello. 03410 * 03411 * - if the input looks like a ClientHello without cookies, 03412 * send back HelloVerifyRequest, then 03413 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03414 * - if the input looks like a ClientHello with a valid cookie, 03415 * reset the session of the current context, and 03416 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT 03417 * - if anything goes wrong, return a specific error code 03418 * 03419 * mbedtls_ssl_read_record() will ignore the record if anything else than 03420 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function 03421 * cannot not return 0. 03422 */ 03423 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) 03424 { 03425 int ret; 03426 size_t len; 03427 03428 ret = ssl_check_dtls_clihlo_cookie( 03429 ssl->conf->f_cookie_write, 03430 ssl->conf->f_cookie_check, 03431 ssl->conf->p_cookie, 03432 ssl->cli_id, ssl->cli_id_len, 03433 ssl->in_buf, ssl->in_left, 03434 ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len ); 03435 03436 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret ); 03437 03438 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) 03439 { 03440 /* Dont check write errors as we can't do anything here. 03441 * If the error is permanent we'll catch it later, 03442 * if it's not, then hopefully it'll work next time. */ 03443 (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len ); 03444 03445 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03446 } 03447 03448 if( ret == 0 ) 03449 { 03450 /* Got a valid cookie, partially reset context */ 03451 if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 ) 03452 { 03453 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret ); 03454 return( ret ); 03455 } 03456 03457 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT ); 03458 } 03459 03460 return( ret ); 03461 } 03462 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03463 03464 /* 03465 * ContentType type; 03466 * ProtocolVersion version; 03467 * uint16 epoch; // DTLS only 03468 * uint48 sequence_number; // DTLS only 03469 * uint16 length; 03470 * 03471 * Return 0 if header looks sane (and, for DTLS, the record is expected) 03472 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad, 03473 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected. 03474 * 03475 * With DTLS, mbedtls_ssl_read_record() will: 03476 * 1. proceed with the record if this function returns 0 03477 * 2. drop only the current record if this function returns UNEXPECTED_RECORD 03478 * 3. return CLIENT_RECONNECT if this function return that value 03479 * 4. drop the whole datagram if this function returns anything else. 03480 * Point 2 is needed when the peer is resending, and we have already received 03481 * the first record from a datagram but are still waiting for the others. 03482 */ 03483 static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) 03484 { 03485 int ret; 03486 int major_ver, minor_ver; 03487 03488 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) ); 03489 03490 ssl->in_msgtype = ssl->in_hdr[0]; 03491 ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 03492 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 ); 03493 03494 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, " 03495 "version = [%d:%d], msglen = %d", 03496 ssl->in_msgtype, 03497 major_ver, minor_ver, ssl->in_msglen ) ); 03498 03499 /* Check record type */ 03500 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && 03501 ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT && 03502 ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03503 ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 03504 { 03505 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); 03506 03507 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 03508 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03509 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 ) 03510 { 03511 return( ret ); 03512 } 03513 03514 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03515 } 03516 03517 /* Check version */ 03518 if( major_ver != ssl->major_ver ) 03519 { 03520 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); 03521 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03522 } 03523 03524 if( minor_ver > ssl->conf->max_minor_ver ) 03525 { 03526 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); 03527 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03528 } 03529 03530 /* Check length against the size of our buffer */ 03531 if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN 03532 - (size_t)( ssl->in_msg - ssl->in_buf ) ) 03533 { 03534 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03535 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03536 } 03537 03538 /* Check length against bounds of the current transform and version */ 03539 if( ssl->transform_in == NULL ) 03540 { 03541 if( ssl->in_msglen < 1 || 03542 ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03543 { 03544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03545 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03546 } 03547 } 03548 else 03549 { 03550 if( ssl->in_msglen < ssl->transform_in->minlen ) 03551 { 03552 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03553 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03554 } 03555 03556 #if defined(MBEDTLS_SSL_PROTO_SSL3) 03557 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 03558 ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN ) 03559 { 03560 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03561 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03562 } 03563 #endif 03564 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03565 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03566 /* 03567 * TLS encrypted messages can have up to 256 bytes of padding 03568 */ 03569 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 && 03570 ssl->in_msglen > ssl->transform_in->minlen + 03571 MBEDTLS_SSL_MAX_CONTENT_LEN + 256 ) 03572 { 03573 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03574 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03575 } 03576 #endif 03577 } 03578 03579 /* 03580 * DTLS-related tests done last, because most of them may result in 03581 * silently dropping the record (but not the whole datagram), and we only 03582 * want to consider that after ensuring that the "basic" fields (type, 03583 * version, length) are sane. 03584 */ 03585 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03586 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03587 { 03588 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; 03589 03590 /* Drop unexpected ChangeCipherSpec messages */ 03591 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03592 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && 03593 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) 03594 { 03595 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) ); 03596 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03597 } 03598 03599 /* Drop unexpected ApplicationData records, 03600 * except at the beginning of renegotiations */ 03601 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA && 03602 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER 03603 #if defined(MBEDTLS_SSL_RENEGOTIATION) 03604 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 03605 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) 03606 #endif 03607 ) 03608 { 03609 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) ); 03610 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03611 } 03612 03613 /* Check epoch (and sequence number) with DTLS */ 03614 if( rec_epoch != ssl->in_epoch ) 03615 { 03616 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: " 03617 "expected %d, received %d", 03618 ssl->in_epoch, rec_epoch ) ); 03619 03620 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03621 /* 03622 * Check for an epoch 0 ClientHello. We can't use in_msg here to 03623 * access the first byte of record content (handshake type), as we 03624 * have an active transform (possibly iv_len != 0), so use the 03625 * fact that the record header len is 13 instead. 03626 */ 03627 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 03628 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && 03629 rec_epoch == 0 && 03630 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 03631 ssl->in_left > 13 && 03632 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) 03633 { 03634 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect " 03635 "from the same port" ) ); 03636 return( ssl_handle_possible_reconnect( ssl ) ); 03637 } 03638 else 03639 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03640 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03641 } 03642 03643 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03644 /* Replay detection only works for the current epoch */ 03645 if( rec_epoch == ssl->in_epoch && 03646 mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 03647 { 03648 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) ); 03649 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03650 } 03651 #endif 03652 } 03653 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03654 03655 return( 0 ); 03656 } 03657 03658 /* 03659 * If applicable, decrypt (and decompress) record content 03660 */ 03661 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) 03662 { 03663 int ret, done = 0; 03664 03665 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network", 03666 ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ); 03667 03668 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 03669 if( mbedtls_ssl_hw_record_read != NULL ) 03670 { 03671 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) ); 03672 03673 ret = mbedtls_ssl_hw_record_read( ssl ); 03674 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 03675 { 03676 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret ); 03677 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 03678 } 03679 03680 if( ret == 0 ) 03681 done = 1; 03682 } 03683 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 03684 if( !done && ssl->transform_in != NULL ) 03685 { 03686 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 ) 03687 { 03688 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); 03689 return( ret ); 03690 } 03691 03692 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt", 03693 ssl->in_msg, ssl->in_msglen ); 03694 03695 if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03696 { 03697 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03698 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03699 } 03700 } 03701 03702 #if defined(MBEDTLS_ZLIB_SUPPORT) 03703 if( ssl->transform_in != NULL && 03704 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 03705 { 03706 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 ) 03707 { 03708 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret ); 03709 return( ret ); 03710 } 03711 } 03712 #endif /* MBEDTLS_ZLIB_SUPPORT */ 03713 03714 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03715 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03716 { 03717 mbedtls_ssl_dtls_replay_update( ssl ); 03718 } 03719 #endif 03720 03721 return( 0 ); 03722 } 03723 03724 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ); 03725 03726 /* 03727 * Read a record. 03728 * 03729 * Silently ignore non-fatal alert (and for DTLS, invalid records as well, 03730 * RFC 6347 4.1.2.7) and continue reading until a valid record is found. 03731 * 03732 */ 03733 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) 03734 { 03735 int ret; 03736 03737 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) ); 03738 03739 if( ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen ) 03740 { 03741 /* 03742 * Get next Handshake message in the current record 03743 */ 03744 ssl->in_msglen -= ssl->in_hslen; 03745 03746 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen, 03747 ssl->in_msglen ); 03748 03749 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record", 03750 ssl->in_msg, ssl->in_msglen ); 03751 03752 if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 ) 03753 return( ret ); 03754 03755 return( 0 ); 03756 } 03757 03758 ssl->in_hslen = 0; 03759 03760 /* 03761 * Read the record header and parse it 03762 */ 03763 read_record_header: 03764 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 ) 03765 { 03766 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03767 return( ret ); 03768 } 03769 03770 if( ( ret = ssl_parse_record_header( ssl ) ) != 0 ) 03771 { 03772 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03773 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03774 ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT ) 03775 { 03776 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ) 03777 { 03778 /* Skip unexpected record (but not whole datagram) */ 03779 ssl->next_record_offset = ssl->in_msglen 03780 + mbedtls_ssl_hdr_len( ssl ); 03781 03782 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record " 03783 "(header)" ) ); 03784 } 03785 else 03786 { 03787 /* Skip invalid record and the rest of the datagram */ 03788 ssl->next_record_offset = 0; 03789 ssl->in_left = 0; 03790 03791 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record " 03792 "(header)" ) ); 03793 } 03794 03795 /* Get next record */ 03796 goto read_record_header; 03797 } 03798 #endif 03799 return( ret ); 03800 } 03801 03802 /* 03803 * Read and optionally decrypt the message contents 03804 */ 03805 if( ( ret = mbedtls_ssl_fetch_input( ssl, 03806 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 ) 03807 { 03808 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03809 return( ret ); 03810 } 03811 03812 /* Done reading this record, get ready for the next one */ 03813 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03814 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03815 ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl ); 03816 else 03817 #endif 03818 ssl->in_left = 0; 03819 03820 if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) 03821 { 03822 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03823 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03824 { 03825 /* Silently discard invalid records */ 03826 if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD || 03827 ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03828 { 03829 /* Except when waiting for Finished as a bad mac here 03830 * probably means something went wrong in the handshake 03831 * (eg wrong psk used, mitm downgrade attempt, etc.) */ 03832 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED || 03833 ssl->state == MBEDTLS_SSL_SERVER_FINISHED ) 03834 { 03835 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 03836 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03837 { 03838 mbedtls_ssl_send_alert_message( ssl, 03839 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03840 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 03841 } 03842 #endif 03843 return( ret ); 03844 } 03845 03846 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 03847 if( ssl->conf->badmac_limit != 0 && 03848 ++ssl->badmac_seen >= ssl->conf->badmac_limit ) 03849 { 03850 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); 03851 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 03852 } 03853 #endif 03854 03855 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) ); 03856 goto read_record_header; 03857 } 03858 03859 return( ret ); 03860 } 03861 else 03862 #endif 03863 { 03864 /* Error out (and send alert) on invalid records */ 03865 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 03866 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03867 { 03868 mbedtls_ssl_send_alert_message( ssl, 03869 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03870 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 03871 } 03872 #endif 03873 return( ret ); 03874 } 03875 } 03876 03877 /* 03878 * When we sent the last flight of the handshake, we MUST respond to a 03879 * retransmit of the peer's previous flight with a retransmit. (In 03880 * practice, only the Finished message will make it, other messages 03881 * including CCS use the old transform so they're dropped as invalid.) 03882 * 03883 * If the record we received is not a handshake message, however, it 03884 * means the peer received our last flight so we can clean up 03885 * handshake info. 03886 * 03887 * This check needs to be done before prepare_handshake() due to an edge 03888 * case: if the client immediately requests renegotiation, this 03889 * finishes the current handshake first, avoiding the new ClientHello 03890 * being mistaken for an ancient message in the current handshake. 03891 */ 03892 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03893 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03894 ssl->handshake != NULL && 03895 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 03896 { 03897 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 03898 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 03899 { 03900 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) ); 03901 03902 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03903 { 03904 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 03905 return( ret ); 03906 } 03907 03908 return( MBEDTLS_ERR_SSL_WANT_READ ); 03909 } 03910 else 03911 { 03912 ssl_handshake_wrapup_free_hs_transform( ssl ); 03913 } 03914 } 03915 #endif 03916 03917 /* 03918 * Handle particular types of records 03919 */ 03920 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 03921 { 03922 if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 ) 03923 return( ret ); 03924 } 03925 03926 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 03927 { 03928 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]", 03929 ssl->in_msg[0], ssl->in_msg[1] ) ); 03930 03931 /* 03932 * Ignore non-fatal alerts, except close_notify and no_renegotiation 03933 */ 03934 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL ) 03935 { 03936 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)", 03937 ssl->in_msg[1] ) ); 03938 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); 03939 } 03940 03941 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 03942 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) 03943 { 03944 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) ); 03945 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ); 03946 } 03947 03948 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED) 03949 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 03950 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) 03951 { 03952 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 03953 /* Will be handled when trying to parse ServerHello */ 03954 return( 0 ); 03955 } 03956 #endif 03957 03958 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C) 03959 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 03960 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 03961 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 03962 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 03963 { 03964 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 03965 /* Will be handled in mbedtls_ssl_parse_certificate() */ 03966 return( 0 ); 03967 } 03968 #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */ 03969 03970 /* Silently ignore: fetch new message */ 03971 goto read_record_header; 03972 } 03973 03974 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) ); 03975 03976 return( 0 ); 03977 } 03978 03979 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ) 03980 { 03981 int ret; 03982 03983 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 03984 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03985 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 ) 03986 { 03987 return( ret ); 03988 } 03989 03990 return( 0 ); 03991 } 03992 03993 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, 03994 unsigned char level, 03995 unsigned char message ) 03996 { 03997 int ret; 03998 03999 if( ssl == NULL || ssl->conf == NULL ) 04000 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04001 04002 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); 04003 04004 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 04005 ssl->out_msglen = 2; 04006 ssl->out_msg[0] = level; 04007 ssl->out_msg[1] = message; 04008 04009 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04010 { 04011 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04012 return( ret ); 04013 } 04014 04015 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) ); 04016 04017 return( 0 ); 04018 } 04019 04020 /* 04021 * Handshake functions 04022 */ 04023 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 04024 !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \ 04025 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 04026 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 04027 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ 04028 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 04029 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 04030 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04031 { 04032 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04033 04034 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04035 04036 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04037 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04038 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04039 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04040 { 04041 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04042 ssl->state++; 04043 return( 0 ); 04044 } 04045 04046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04047 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04048 } 04049 04050 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04051 { 04052 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04053 04054 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04055 04056 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04057 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04058 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04059 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04060 { 04061 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04062 ssl->state++; 04063 return( 0 ); 04064 } 04065 04066 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04067 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04068 } 04069 #else 04070 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04071 { 04072 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04073 size_t i, n; 04074 const mbedtls_x509_crt *crt; 04075 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04076 04077 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04078 04079 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04080 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04081 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04082 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04083 { 04084 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04085 ssl->state++; 04086 return( 0 ); 04087 } 04088 04089 #if defined(MBEDTLS_SSL_CLI_C) 04090 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 04091 { 04092 if( ssl->client_auth == 0 ) 04093 { 04094 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04095 ssl->state++; 04096 return( 0 ); 04097 } 04098 04099 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04100 /* 04101 * If using SSLv3 and got no cert, send an Alert message 04102 * (otherwise an empty Certificate message will be sent). 04103 */ 04104 if( mbedtls_ssl_own_cert( ssl ) == NULL && 04105 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04106 { 04107 ssl->out_msglen = 2; 04108 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 04109 ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING; 04110 ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT; 04111 04112 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) ); 04113 goto write_msg; 04114 } 04115 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04116 } 04117 #endif /* MBEDTLS_SSL_CLI_C */ 04118 #if defined(MBEDTLS_SSL_SRV_C) 04119 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 04120 { 04121 if( mbedtls_ssl_own_cert( ssl ) == NULL ) 04122 { 04123 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); 04124 return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED ); 04125 } 04126 } 04127 #endif 04128 04129 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) ); 04130 04131 /* 04132 * 0 . 0 handshake type 04133 * 1 . 3 handshake length 04134 * 4 . 6 length of all certs 04135 * 7 . 9 length of cert. 1 04136 * 10 . n-1 peer certificate 04137 * n . n+2 length of cert. 2 04138 * n+3 . ... upper level cert, etc. 04139 */ 04140 i = 7; 04141 crt = mbedtls_ssl_own_cert( ssl ); 04142 04143 while( crt != NULL ) 04144 { 04145 n = crt->raw.len; 04146 if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i ) 04147 { 04148 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d", 04149 i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) ); 04150 return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE ); 04151 } 04152 04153 ssl->out_msg[i ] = (unsigned char)( n >> 16 ); 04154 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 ); 04155 ssl->out_msg[i + 2] = (unsigned char)( n ); 04156 04157 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n ); 04158 i += n; crt = crt->next; 04159 } 04160 04161 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 ); 04162 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 ); 04163 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) ); 04164 04165 ssl->out_msglen = i; 04166 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 04167 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; 04168 04169 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C) 04170 write_msg: 04171 #endif 04172 04173 ssl->state++; 04174 04175 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04176 { 04177 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04178 return( ret ); 04179 } 04180 04181 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) ); 04182 04183 return( ret ); 04184 } 04185 04186 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04187 { 04188 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04189 size_t i, n; 04190 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04191 int authmode = ssl->conf->authmode; 04192 04193 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04194 04195 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04196 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04197 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04198 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04199 { 04200 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04201 ssl->state++; 04202 return( 0 ); 04203 } 04204 04205 #if defined(MBEDTLS_SSL_SRV_C) 04206 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04207 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 04208 { 04209 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04210 ssl->state++; 04211 return( 0 ); 04212 } 04213 04214 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04215 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 04216 authmode = ssl->handshake->sni_authmode; 04217 #endif 04218 04219 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04220 authmode == MBEDTLS_SSL_VERIFY_NONE ) 04221 { 04222 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; 04223 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04224 ssl->state++; 04225 return( 0 ); 04226 } 04227 #endif 04228 04229 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04230 { 04231 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04232 return( ret ); 04233 } 04234 04235 ssl->state++; 04236 04237 #if defined(MBEDTLS_SSL_SRV_C) 04238 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04239 /* 04240 * Check if the client sent an empty certificate 04241 */ 04242 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04243 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04244 { 04245 if( ssl->in_msglen == 2 && 04246 ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT && 04247 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04248 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 04249 { 04250 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); 04251 04252 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04253 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04254 return( 0 ); 04255 else 04256 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04257 } 04258 } 04259 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04260 04261 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 04262 defined(MBEDTLS_SSL_PROTO_TLS1_2) 04263 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04264 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 04265 { 04266 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && 04267 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 04268 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && 04269 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) 04270 { 04271 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); 04272 04273 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04274 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04275 return( 0 ); 04276 else 04277 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04278 } 04279 } 04280 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 04281 MBEDTLS_SSL_PROTO_TLS1_2 */ 04282 #endif /* MBEDTLS_SSL_SRV_C */ 04283 04284 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 04285 { 04286 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04287 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04288 } 04289 04290 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE || 04291 ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 ) 04292 { 04293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04294 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04295 } 04296 04297 i = mbedtls_ssl_hs_hdr_len( ssl ); 04298 04299 /* 04300 * Same message structure as in mbedtls_ssl_write_certificate() 04301 */ 04302 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2]; 04303 04304 if( ssl->in_msg[i] != 0 || 04305 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) ) 04306 { 04307 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04308 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04309 } 04310 04311 /* In case we tried to reuse a session but it failed */ 04312 if( ssl->session_negotiate->peer_cert != NULL ) 04313 { 04314 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); 04315 mbedtls_free( ssl->session_negotiate->peer_cert ); 04316 } 04317 04318 if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1, 04319 sizeof( mbedtls_x509_crt ) ) ) == NULL ) 04320 { 04321 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 04322 sizeof( mbedtls_x509_crt ) ) ); 04323 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 04324 } 04325 04326 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); 04327 04328 i += 3; 04329 04330 while( i < ssl->in_hslen ) 04331 { 04332 if( ssl->in_msg[i] != 0 ) 04333 { 04334 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04335 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04336 } 04337 04338 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 ) 04339 | (unsigned int) ssl->in_msg[i + 2]; 04340 i += 3; 04341 04342 if( n < 128 || i + n > ssl->in_hslen ) 04343 { 04344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04345 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04346 } 04347 04348 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert, 04349 ssl->in_msg + i, n ); 04350 if( ret != 0 ) 04351 { 04352 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); 04353 return( ret ); 04354 } 04355 04356 i += n; 04357 } 04358 04359 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); 04360 04361 /* 04362 * On client, make sure the server cert doesn't change during renego to 04363 * avoid "triple handshake" attack: https://secure-resumption.com/ 04364 */ 04365 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 04366 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 04367 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 04368 { 04369 if( ssl->session->peer_cert == NULL ) 04370 { 04371 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) ); 04372 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04373 } 04374 04375 if( ssl->session->peer_cert->raw.len != 04376 ssl->session_negotiate->peer_cert->raw.len || 04377 memcmp( ssl->session->peer_cert->raw.p, 04378 ssl->session_negotiate->peer_cert->raw.p, 04379 ssl->session->peer_cert->raw.len ) != 0 ) 04380 { 04381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) ); 04382 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04383 } 04384 } 04385 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 04386 04387 if( authmode != MBEDTLS_SSL_VERIFY_NONE ) 04388 { 04389 mbedtls_x509_crt *ca_chain; 04390 mbedtls_x509_crl *ca_crl; 04391 04392 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04393 if( ssl->handshake->sni_ca_chain != NULL ) 04394 { 04395 ca_chain = ssl->handshake->sni_ca_chain; 04396 ca_crl = ssl->handshake->sni_ca_crl; 04397 } 04398 else 04399 #endif 04400 { 04401 ca_chain = ssl->conf->ca_chain; 04402 ca_crl = ssl->conf->ca_crl; 04403 } 04404 04405 if( ca_chain == NULL ) 04406 { 04407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); 04408 return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED ); 04409 } 04410 04411 /* 04412 * Main check: verify certificate 04413 */ 04414 ret = mbedtls_x509_crt_verify_with_profile( 04415 ssl->session_negotiate->peer_cert, 04416 ca_chain, ca_crl, 04417 ssl->conf->cert_profile, 04418 ssl->hostname, 04419 &ssl->session_negotiate->verify_result, 04420 ssl->conf->f_vrfy, ssl->conf->p_vrfy ); 04421 04422 if( ret != 0 ) 04423 { 04424 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); 04425 } 04426 04427 /* 04428 * Secondary checks: always done, but change 'ret' only if it was 0 04429 */ 04430 04431 #if defined(MBEDTLS_ECP_C) 04432 { 04433 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk; 04434 04435 /* If certificate uses an EC key, make sure the curve is OK */ 04436 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && 04437 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp .id ) != 0 ) 04438 { 04439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); 04440 if( ret == 0 ) 04441 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04442 } 04443 } 04444 #endif /* MBEDTLS_ECP_C */ 04445 04446 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, 04447 ciphersuite_info, 04448 ! ssl->conf->endpoint, 04449 &ssl->session_negotiate->verify_result ) != 0 ) 04450 { 04451 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); 04452 if( ret == 0 ) 04453 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04454 } 04455 04456 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04457 ret = 0; 04458 } 04459 04460 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); 04461 04462 return( ret ); 04463 } 04464 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 04465 !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 04466 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 04467 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 04468 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 04469 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 04470 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 04471 04472 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ) 04473 { 04474 int ret; 04475 04476 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); 04477 04478 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; 04479 ssl->out_msglen = 1; 04480 ssl->out_msg[0] = 1; 04481 04482 ssl->state++; 04483 04484 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04485 { 04486 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04487 return( ret ); 04488 } 04489 04490 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); 04491 04492 return( 0 ); 04493 } 04494 04495 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) 04496 { 04497 int ret; 04498 04499 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) ); 04500 04501 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04502 { 04503 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04504 return( ret ); 04505 } 04506 04507 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) 04508 { 04509 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04510 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04511 } 04512 04513 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 ) 04514 { 04515 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04516 return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); 04517 } 04518 04519 /* 04520 * Switch to our negotiated transform and session parameters for inbound 04521 * data. 04522 */ 04523 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); 04524 ssl->transform_in = ssl->transform_negotiate; 04525 ssl->session_in = ssl->session_negotiate; 04526 04527 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04528 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 04529 { 04530 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 04531 ssl_dtls_replay_reset( ssl ); 04532 #endif 04533 04534 /* Increment epoch */ 04535 if( ++ssl->in_epoch == 0 ) 04536 { 04537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 04538 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 04539 } 04540 } 04541 else 04542 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 04543 memset( ssl->in_ctr, 0, 8 ); 04544 04545 /* 04546 * Set the in_msg pointer to the correct location based on IV length 04547 */ 04548 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 04549 { 04550 ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen - 04551 ssl->transform_negotiate->fixed_ivlen; 04552 } 04553 else 04554 ssl->in_msg = ssl->in_iv; 04555 04556 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 04557 if( mbedtls_ssl_hw_record_activate != NULL ) 04558 { 04559 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 ) 04560 { 04561 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 04562 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 04563 } 04564 } 04565 #endif 04566 04567 ssl->state++; 04568 04569 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) ); 04570 04571 return( 0 ); 04572 } 04573 04574 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, 04575 const mbedtls_ssl_ciphersuite_t *ciphersuite_info ) 04576 { 04577 ((void) ciphersuite_info); 04578 04579 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04580 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04581 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 04582 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1; 04583 else 04584 #endif 04585 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04586 #if defined(MBEDTLS_SHA512_C) 04587 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 04588 ssl->handshake->update_checksum = ssl_update_checksum_sha384; 04589 else 04590 #endif 04591 #if defined(MBEDTLS_SHA256_C) 04592 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 ) 04593 ssl->handshake->update_checksum = ssl_update_checksum_sha256; 04594 else 04595 #endif 04596 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04597 { 04598 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04599 return; 04600 } 04601 } 04602 04603 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) 04604 { 04605 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04606 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04607 mbedtls_md5_starts( &ssl->handshake->fin_md5 ); 04608 mbedtls_sha1_starts( &ssl->handshake->fin_sha1 ); 04609 #endif 04610 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04611 #if defined(MBEDTLS_SHA256_C) 04612 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 ); 04613 #endif 04614 #if defined(MBEDTLS_SHA512_C) 04615 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 ); 04616 #endif 04617 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04618 } 04619 04620 static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, 04621 const unsigned char *buf, size_t len ) 04622 { 04623 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04624 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04625 mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len ); 04626 mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len ); 04627 #endif 04628 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04629 #if defined(MBEDTLS_SHA256_C) 04630 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len ); 04631 #endif 04632 #if defined(MBEDTLS_SHA512_C) 04633 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); 04634 #endif 04635 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04636 } 04637 04638 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04639 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04640 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, 04641 const unsigned char *buf, size_t len ) 04642 { 04643 mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len ); 04644 mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len ); 04645 } 04646 #endif 04647 04648 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04649 #if defined(MBEDTLS_SHA256_C) 04650 static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, 04651 const unsigned char *buf, size_t len ) 04652 { 04653 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len ); 04654 } 04655 #endif 04656 04657 #if defined(MBEDTLS_SHA512_C) 04658 static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, 04659 const unsigned char *buf, size_t len ) 04660 { 04661 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); 04662 } 04663 #endif 04664 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04665 04666 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04667 static void ssl_calc_finished_ssl( 04668 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04669 { 04670 const char *sender; 04671 mbedtls_md5_context md5; 04672 mbedtls_sha1_context sha1; 04673 04674 unsigned char padbuf[48]; 04675 unsigned char md5sum[16]; 04676 unsigned char sha1sum[20]; 04677 04678 mbedtls_ssl_session *session = ssl->session_negotiate; 04679 if( !session ) 04680 session = ssl->session; 04681 04682 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) ); 04683 04684 mbedtls_md5_init( &md5 ); 04685 mbedtls_sha1_init( &sha1 ); 04686 04687 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 04688 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 04689 04690 /* 04691 * SSLv3: 04692 * hash = 04693 * MD5( master + pad2 + 04694 * MD5( handshake + sender + master + pad1 ) ) 04695 * + SHA1( master + pad2 + 04696 * SHA1( handshake + sender + master + pad1 ) ) 04697 */ 04698 04699 #if !defined(MBEDTLS_MD5_ALT) 04700 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 04701 md5.state , sizeof( md5.state ) ); 04702 #endif 04703 04704 #if !defined(MBEDTLS_SHA1_ALT) 04705 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 04706 sha1.state , sizeof( sha1.state ) ); 04707 #endif 04708 04709 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT" 04710 : "SRVR"; 04711 04712 memset( padbuf, 0x36, 48 ); 04713 04714 mbedtls_md5_update( &md5, (const unsigned char *) sender, 4 ); 04715 mbedtls_md5_update( &md5, session->master, 48 ); 04716 mbedtls_md5_update( &md5, padbuf, 48 ); 04717 mbedtls_md5_finish( &md5, md5sum ); 04718 04719 mbedtls_sha1_update( &sha1, (const unsigned char *) sender, 4 ); 04720 mbedtls_sha1_update( &sha1, session->master, 48 ); 04721 mbedtls_sha1_update( &sha1, padbuf, 40 ); 04722 mbedtls_sha1_finish( &sha1, sha1sum ); 04723 04724 memset( padbuf, 0x5C, 48 ); 04725 04726 mbedtls_md5_starts( &md5 ); 04727 mbedtls_md5_update( &md5, session->master, 48 ); 04728 mbedtls_md5_update( &md5, padbuf, 48 ); 04729 mbedtls_md5_update( &md5, md5sum, 16 ); 04730 mbedtls_md5_finish( &md5, buf ); 04731 04732 mbedtls_sha1_starts( &sha1 ); 04733 mbedtls_sha1_update( &sha1, session->master, 48 ); 04734 mbedtls_sha1_update( &sha1, padbuf , 40 ); 04735 mbedtls_sha1_update( &sha1, sha1sum, 20 ); 04736 mbedtls_sha1_finish( &sha1, buf + 16 ); 04737 04738 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 ); 04739 04740 mbedtls_md5_free( &md5 ); 04741 mbedtls_sha1_free( &sha1 ); 04742 04743 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04744 mbedtls_zeroize( md5sum, sizeof( md5sum ) ); 04745 mbedtls_zeroize( sha1sum, sizeof( sha1sum ) ); 04746 04747 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04748 } 04749 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04750 04751 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 04752 static void ssl_calc_finished_tls( 04753 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04754 { 04755 int len = 12; 04756 const char *sender; 04757 mbedtls_md5_context md5; 04758 mbedtls_sha1_context sha1; 04759 unsigned char padbuf[36]; 04760 04761 mbedtls_ssl_session *session = ssl->session_negotiate; 04762 if( !session ) 04763 session = ssl->session; 04764 04765 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) ); 04766 04767 mbedtls_md5_init( &md5 ); 04768 mbedtls_sha1_init( &sha1 ); 04769 04770 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 04771 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 04772 04773 /* 04774 * TLSv1: 04775 * hash = PRF( master, finished_label, 04776 * MD5( handshake ) + SHA1( handshake ) )[0..11] 04777 */ 04778 04779 #if !defined(MBEDTLS_MD5_ALT) 04780 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 04781 md5.state , sizeof( md5.state ) ); 04782 #endif 04783 04784 #if !defined(MBEDTLS_SHA1_ALT) 04785 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 04786 sha1.state , sizeof( sha1.state ) ); 04787 #endif 04788 04789 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 04790 ? "client finished" 04791 : "server finished"; 04792 04793 mbedtls_md5_finish( &md5, padbuf ); 04794 mbedtls_sha1_finish( &sha1, padbuf + 16 ); 04795 04796 ssl->handshake->tls_prf( session->master, 48, sender, 04797 padbuf, 36, buf, len ); 04798 04799 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 04800 04801 mbedtls_md5_free( &md5 ); 04802 mbedtls_sha1_free( &sha1 ); 04803 04804 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04805 04806 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04807 } 04808 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 04809 04810 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04811 #if defined(MBEDTLS_SHA256_C) 04812 static void ssl_calc_finished_tls_sha256( 04813 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04814 { 04815 int len = 12; 04816 const char *sender; 04817 mbedtls_sha256_context sha256; 04818 unsigned char padbuf[32]; 04819 04820 mbedtls_ssl_session *session = ssl->session_negotiate; 04821 if( !session ) 04822 session = ssl->session; 04823 04824 mbedtls_sha256_init( &sha256 ); 04825 04826 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) ); 04827 04828 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 04829 04830 /* 04831 * TLSv1.2: 04832 * hash = PRF( master, finished_label, 04833 * Hash( handshake ) )[0.11] 04834 */ 04835 04836 #if !defined(MBEDTLS_SHA256_ALT) 04837 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *) 04838 sha256.state , sizeof( sha256.state ) ); 04839 #endif 04840 04841 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 04842 ? "client finished" 04843 : "server finished"; 04844 04845 mbedtls_sha256_finish( &sha256, padbuf ); 04846 04847 ssl->handshake->tls_prf( session->master, 48, sender, 04848 padbuf, 32, buf, len ); 04849 04850 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 04851 04852 mbedtls_sha256_free( &sha256 ); 04853 04854 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04855 04856 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04857 } 04858 #endif /* MBEDTLS_SHA256_C */ 04859 04860 #if defined(MBEDTLS_SHA512_C) 04861 static void ssl_calc_finished_tls_sha384( 04862 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04863 { 04864 int len = 12; 04865 const char *sender; 04866 mbedtls_sha512_context sha512; 04867 unsigned char padbuf[48]; 04868 04869 mbedtls_ssl_session *session = ssl->session_negotiate; 04870 if( !session ) 04871 session = ssl->session; 04872 04873 mbedtls_sha512_init( &sha512 ); 04874 04875 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) ); 04876 04877 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 04878 04879 /* 04880 * TLSv1.2: 04881 * hash = PRF( master, finished_label, 04882 * Hash( handshake ) )[0.11] 04883 */ 04884 04885 #if !defined(MBEDTLS_SHA512_ALT) 04886 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *) 04887 sha512.state , sizeof( sha512.state ) ); 04888 #endif 04889 04890 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 04891 ? "client finished" 04892 : "server finished"; 04893 04894 mbedtls_sha512_finish( &sha512, padbuf ); 04895 04896 ssl->handshake->tls_prf( session->master, 48, sender, 04897 padbuf, 48, buf, len ); 04898 04899 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 04900 04901 mbedtls_sha512_free( &sha512 ); 04902 04903 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04904 04905 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04906 } 04907 #endif /* MBEDTLS_SHA512_C */ 04908 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04909 04910 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) 04911 { 04912 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) ); 04913 04914 /* 04915 * Free our handshake params 04916 */ 04917 mbedtls_ssl_handshake_free( ssl->handshake ); 04918 mbedtls_free( ssl->handshake ); 04919 ssl->handshake = NULL; 04920 04921 /* 04922 * Free the previous transform and swith in the current one 04923 */ 04924 if( ssl->transform ) 04925 { 04926 mbedtls_ssl_transform_free( ssl->transform ); 04927 mbedtls_free( ssl->transform ); 04928 } 04929 ssl->transform = ssl->transform_negotiate; 04930 ssl->transform_negotiate = NULL; 04931 04932 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) ); 04933 } 04934 04935 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) 04936 { 04937 int resume = ssl->handshake->resume; 04938 04939 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); 04940 04941 #if defined(MBEDTLS_SSL_RENEGOTIATION) 04942 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 04943 { 04944 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; 04945 ssl->renego_records_seen = 0; 04946 } 04947 #endif 04948 04949 /* 04950 * Free the previous session and switch in the current one 04951 */ 04952 if( ssl->session ) 04953 { 04954 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 04955 /* RFC 7366 3.1: keep the EtM state */ 04956 ssl->session_negotiate->encrypt_then_mac = 04957 ssl->session->encrypt_then_mac; 04958 #endif 04959 04960 mbedtls_ssl_session_free( ssl->session ); 04961 mbedtls_free( ssl->session ); 04962 } 04963 ssl->session = ssl->session_negotiate; 04964 ssl->session_negotiate = NULL; 04965 04966 /* 04967 * Add cache entry 04968 */ 04969 if( ssl->conf->f_set_cache != NULL && 04970 ssl->session->id_len != 0 && 04971 resume == 0 ) 04972 { 04973 if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 ) 04974 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); 04975 } 04976 04977 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04978 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 04979 ssl->handshake->flight != NULL ) 04980 { 04981 /* Cancel handshake timer */ 04982 ssl_set_timer( ssl, 0 ); 04983 04984 /* Keep last flight around in case we need to resend it: 04985 * we need the handshake and transform structures for that */ 04986 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) ); 04987 } 04988 else 04989 #endif 04990 ssl_handshake_wrapup_free_hs_transform( ssl ); 04991 04992 ssl->state++; 04993 04994 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); 04995 } 04996 04997 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) 04998 { 04999 int ret, hash_len; 05000 05001 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) ); 05002 05003 /* 05004 * Set the out_msg pointer to the correct location based on IV length 05005 */ 05006 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 05007 { 05008 ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen - 05009 ssl->transform_negotiate->fixed_ivlen; 05010 } 05011 else 05012 ssl->out_msg = ssl->out_iv; 05013 05014 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint ); 05015 05016 /* 05017 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites 05018 * may define some other value. Currently (early 2016), no defined 05019 * ciphersuite does this (and this is unlikely to change as activity has 05020 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here. 05021 */ 05022 hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12; 05023 05024 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05025 ssl->verify_data_len = hash_len; 05026 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len ); 05027 #endif 05028 05029 ssl->out_msglen = 4 + hash_len; 05030 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 05031 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; 05032 05033 /* 05034 * In case of session resuming, invert the client and server 05035 * ChangeCipherSpec messages order. 05036 */ 05037 if( ssl->handshake->resume != 0 ) 05038 { 05039 #if defined(MBEDTLS_SSL_CLI_C) 05040 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05041 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05042 #endif 05043 #if defined(MBEDTLS_SSL_SRV_C) 05044 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05045 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05046 #endif 05047 } 05048 else 05049 ssl->state++; 05050 05051 /* 05052 * Switch to our negotiated transform and session parameters for outbound 05053 * data. 05054 */ 05055 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); 05056 05057 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05058 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05059 { 05060 unsigned char i; 05061 05062 /* Remember current epoch settings for resending */ 05063 ssl->handshake->alt_transform_out = ssl->transform_out; 05064 memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 ); 05065 05066 /* Set sequence_number to zero */ 05067 memset( ssl->out_ctr + 2, 0, 6 ); 05068 05069 /* Increment epoch */ 05070 for( i = 2; i > 0; i-- ) 05071 if( ++ssl->out_ctr[i - 1] != 0 ) 05072 break; 05073 05074 /* The loop goes to its end iff the counter is wrapping */ 05075 if( i == 0 ) 05076 { 05077 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 05078 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 05079 } 05080 } 05081 else 05082 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 05083 memset( ssl->out_ctr, 0, 8 ); 05084 05085 ssl->transform_out = ssl->transform_negotiate; 05086 ssl->session_out = ssl->session_negotiate; 05087 05088 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05089 if( mbedtls_ssl_hw_record_activate != NULL ) 05090 { 05091 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 05092 { 05093 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 05094 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05095 } 05096 } 05097 #endif 05098 05099 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05100 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05101 mbedtls_ssl_send_flight_completed( ssl ); 05102 #endif 05103 05104 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 05105 { 05106 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 05107 return( ret ); 05108 } 05109 05110 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) ); 05111 05112 return( 0 ); 05113 } 05114 05115 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05116 #define SSL_MAX_HASH_LEN 36 05117 #else 05118 #define SSL_MAX_HASH_LEN 12 05119 #endif 05120 05121 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) 05122 { 05123 int ret; 05124 unsigned int hash_len; 05125 unsigned char buf[SSL_MAX_HASH_LEN]; 05126 05127 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); 05128 05129 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 ); 05130 05131 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 05132 { 05133 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 05134 return( ret ); 05135 } 05136 05137 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 05138 { 05139 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05140 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 05141 } 05142 05143 /* There is currently no ciphersuite using another length with TLS 1.2 */ 05144 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05145 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 05146 hash_len = 36; 05147 else 05148 #endif 05149 hash_len = 12; 05150 05151 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED || 05152 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len ) 05153 { 05154 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05155 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05156 } 05157 05158 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), 05159 buf, hash_len ) != 0 ) 05160 { 05161 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05162 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05163 } 05164 05165 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05166 ssl->verify_data_len = hash_len; 05167 memcpy( ssl->peer_verify_data, buf, hash_len ); 05168 #endif 05169 05170 if( ssl->handshake->resume != 0 ) 05171 { 05172 #if defined(MBEDTLS_SSL_CLI_C) 05173 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05174 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05175 #endif 05176 #if defined(MBEDTLS_SSL_SRV_C) 05177 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05178 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05179 #endif 05180 } 05181 else 05182 ssl->state++; 05183 05184 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05185 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05186 mbedtls_ssl_recv_flight_completed( ssl ); 05187 #endif 05188 05189 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) ); 05190 05191 return( 0 ); 05192 } 05193 05194 static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) 05195 { 05196 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); 05197 05198 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 05199 defined(MBEDTLS_SSL_PROTO_TLS1_1) 05200 mbedtls_md5_init( &handshake->fin_md5 ); 05201 mbedtls_sha1_init( &handshake->fin_sha1 ); 05202 mbedtls_md5_starts( &handshake->fin_md5 ); 05203 mbedtls_sha1_starts( &handshake->fin_sha1 ); 05204 #endif 05205 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 05206 #if defined(MBEDTLS_SHA256_C) 05207 mbedtls_sha256_init( &handshake->fin_sha256 ); 05208 mbedtls_sha256_starts( &handshake->fin_sha256, 0 ); 05209 #endif 05210 #if defined(MBEDTLS_SHA512_C) 05211 mbedtls_sha512_init( &handshake->fin_sha512 ); 05212 mbedtls_sha512_starts( &handshake->fin_sha512, 1 ); 05213 #endif 05214 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 05215 05216 handshake->update_checksum = ssl_update_checksum_start; 05217 handshake->sig_alg = MBEDTLS_SSL_HASH_SHA1; 05218 05219 #if defined(MBEDTLS_DHM_C) 05220 mbedtls_dhm_init( &handshake->dhm_ctx ); 05221 #endif 05222 #if defined(MBEDTLS_ECDH_C) 05223 mbedtls_ecdh_init( &handshake->ecdh_ctx ); 05224 #endif 05225 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 05226 mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); 05227 #if defined(MBEDTLS_SSL_CLI_C) 05228 handshake->ecjpake_cache = NULL; 05229 handshake->ecjpake_cache_len = 0; 05230 #endif 05231 #endif 05232 05233 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05234 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; 05235 #endif 05236 } 05237 05238 static void ssl_transform_init( mbedtls_ssl_transform *transform ) 05239 { 05240 memset( transform, 0, sizeof(mbedtls_ssl_transform) ); 05241 05242 mbedtls_cipher_init( &transform->cipher_ctx_enc ); 05243 mbedtls_cipher_init( &transform->cipher_ctx_dec ); 05244 05245 mbedtls_md_init( &transform->md_ctx_enc ); 05246 mbedtls_md_init( &transform->md_ctx_dec ); 05247 } 05248 05249 void mbedtls_ssl_session_init( mbedtls_ssl_session *session ) 05250 { 05251 memset( session, 0, sizeof(mbedtls_ssl_session) ); 05252 } 05253 05254 static int ssl_handshake_init( mbedtls_ssl_context *ssl ) 05255 { 05256 /* Clear old handshake information if present */ 05257 if( ssl->transform_negotiate ) 05258 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 05259 if( ssl->session_negotiate ) 05260 mbedtls_ssl_session_free( ssl->session_negotiate ); 05261 if( ssl->handshake ) 05262 mbedtls_ssl_handshake_free( ssl->handshake ); 05263 05264 /* 05265 * Either the pointers are now NULL or cleared properly and can be freed. 05266 * Now allocate missing structures. 05267 */ 05268 if( ssl->transform_negotiate == NULL ) 05269 { 05270 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) ); 05271 } 05272 05273 if( ssl->session_negotiate == NULL ) 05274 { 05275 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) ); 05276 } 05277 05278 if( ssl->handshake == NULL ) 05279 { 05280 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) ); 05281 } 05282 05283 /* All pointers should exist and can be directly freed without issue */ 05284 if( ssl->handshake == NULL || 05285 ssl->transform_negotiate == NULL || 05286 ssl->session_negotiate == NULL ) 05287 { 05288 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) ); 05289 05290 mbedtls_free( ssl->handshake ); 05291 mbedtls_free( ssl->transform_negotiate ); 05292 mbedtls_free( ssl->session_negotiate ); 05293 05294 ssl->handshake = NULL; 05295 ssl->transform_negotiate = NULL; 05296 ssl->session_negotiate = NULL; 05297 05298 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05299 } 05300 05301 /* Initialize structures */ 05302 mbedtls_ssl_session_init( ssl->session_negotiate ); 05303 ssl_transform_init( ssl->transform_negotiate ); 05304 ssl_handshake_params_init( ssl->handshake ); 05305 05306 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05307 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05308 { 05309 ssl->handshake->alt_transform_out = ssl->transform_out; 05310 05311 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05312 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 05313 else 05314 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 05315 05316 ssl_set_timer( ssl, 0 ); 05317 } 05318 #endif 05319 05320 return( 0 ); 05321 } 05322 05323 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05324 /* Dummy cookie callbacks for defaults */ 05325 static int ssl_cookie_write_dummy( void *ctx, 05326 unsigned char **p, unsigned char *end, 05327 const unsigned char *cli_id, size_t cli_id_len ) 05328 { 05329 ((void) ctx); 05330 ((void) p); 05331 ((void) end); 05332 ((void) cli_id); 05333 ((void) cli_id_len); 05334 05335 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05336 } 05337 05338 static int ssl_cookie_check_dummy( void *ctx, 05339 const unsigned char *cookie, size_t cookie_len, 05340 const unsigned char *cli_id, size_t cli_id_len ) 05341 { 05342 ((void) ctx); 05343 ((void) cookie); 05344 ((void) cookie_len); 05345 ((void) cli_id); 05346 ((void) cli_id_len); 05347 05348 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05349 } 05350 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 05351 05352 /* 05353 * Initialize an SSL context 05354 */ 05355 void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) 05356 { 05357 memset( ssl, 0, sizeof( mbedtls_ssl_context ) ); 05358 } 05359 05360 /* 05361 * Setup an SSL context 05362 */ 05363 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, 05364 const mbedtls_ssl_config *conf ) 05365 { 05366 int ret; 05367 const size_t len = MBEDTLS_SSL_BUFFER_LEN; 05368 05369 ssl->conf = conf; 05370 05371 /* 05372 * Prepare base structures 05373 */ 05374 if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL || 05375 ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL ) 05376 { 05377 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) ); 05378 mbedtls_free( ssl->in_buf ); 05379 ssl->in_buf = NULL; 05380 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05381 } 05382 05383 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05384 if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05385 { 05386 ssl->out_hdr = ssl->out_buf; 05387 ssl->out_ctr = ssl->out_buf + 3; 05388 ssl->out_len = ssl->out_buf + 11; 05389 ssl->out_iv = ssl->out_buf + 13; 05390 ssl->out_msg = ssl->out_buf + 13; 05391 05392 ssl->in_hdr = ssl->in_buf; 05393 ssl->in_ctr = ssl->in_buf + 3; 05394 ssl->in_len = ssl->in_buf + 11; 05395 ssl->in_iv = ssl->in_buf + 13; 05396 ssl->in_msg = ssl->in_buf + 13; 05397 } 05398 else 05399 #endif 05400 { 05401 ssl->out_ctr = ssl->out_buf; 05402 ssl->out_hdr = ssl->out_buf + 8; 05403 ssl->out_len = ssl->out_buf + 11; 05404 ssl->out_iv = ssl->out_buf + 13; 05405 ssl->out_msg = ssl->out_buf + 13; 05406 05407 ssl->in_ctr = ssl->in_buf; 05408 ssl->in_hdr = ssl->in_buf + 8; 05409 ssl->in_len = ssl->in_buf + 11; 05410 ssl->in_iv = ssl->in_buf + 13; 05411 ssl->in_msg = ssl->in_buf + 13; 05412 } 05413 05414 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05415 return( ret ); 05416 05417 return( 0 ); 05418 } 05419 05420 /* 05421 * Reset an initialized and used SSL context for re-use while retaining 05422 * all application-set variables, function pointers and data. 05423 * 05424 * If partial is non-zero, keep data in the input buffer and client ID. 05425 * (Use when a DTLS client reconnects from the same port.) 05426 */ 05427 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) 05428 { 05429 int ret; 05430 05431 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 05432 05433 /* Cancel any possibly running timer */ 05434 ssl_set_timer( ssl, 0 ); 05435 05436 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05437 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE; 05438 ssl->renego_records_seen = 0; 05439 05440 ssl->verify_data_len = 0; 05441 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05442 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05443 #endif 05444 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION; 05445 05446 ssl->in_offt = NULL; 05447 05448 ssl->in_msg = ssl->in_buf + 13; 05449 ssl->in_msgtype = 0; 05450 ssl->in_msglen = 0; 05451 if( partial == 0 ) 05452 ssl->in_left = 0; 05453 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05454 ssl->next_record_offset = 0; 05455 ssl->in_epoch = 0; 05456 #endif 05457 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05458 ssl_dtls_replay_reset( ssl ); 05459 #endif 05460 05461 ssl->in_hslen = 0; 05462 ssl->nb_zero = 0; 05463 ssl->record_read = 0; 05464 05465 ssl->out_msg = ssl->out_buf + 13; 05466 ssl->out_msgtype = 0; 05467 ssl->out_msglen = 0; 05468 ssl->out_left = 0; 05469 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 05470 if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ) 05471 ssl->split_done = 0; 05472 #endif 05473 05474 ssl->transform_in = NULL; 05475 ssl->transform_out = NULL; 05476 05477 memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05478 if( partial == 0 ) 05479 memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05480 05481 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05482 if( mbedtls_ssl_hw_record_reset != NULL ) 05483 { 05484 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) ); 05485 if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 ) 05486 { 05487 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret ); 05488 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05489 } 05490 } 05491 #endif 05492 05493 if( ssl->transform ) 05494 { 05495 mbedtls_ssl_transform_free( ssl->transform ); 05496 mbedtls_free( ssl->transform ); 05497 ssl->transform = NULL; 05498 } 05499 05500 if( ssl->session ) 05501 { 05502 mbedtls_ssl_session_free( ssl->session ); 05503 mbedtls_free( ssl->session ); 05504 ssl->session = NULL; 05505 } 05506 05507 #if defined(MBEDTLS_SSL_ALPN) 05508 ssl->alpn_chosen = NULL; 05509 #endif 05510 05511 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05512 if( partial == 0 ) 05513 { 05514 mbedtls_free( ssl->cli_id ); 05515 ssl->cli_id = NULL; 05516 ssl->cli_id_len = 0; 05517 } 05518 #endif 05519 05520 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05521 return( ret ); 05522 05523 return( 0 ); 05524 } 05525 05526 /* 05527 * Reset an initialized and used SSL context for re-use while retaining 05528 * all application-set variables, function pointers and data. 05529 */ 05530 int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ) 05531 { 05532 return( ssl_session_reset_int( ssl, 0 ) ); 05533 } 05534 05535 /* 05536 * SSL set accessors 05537 */ 05538 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ) 05539 { 05540 conf->endpoint = endpoint; 05541 } 05542 05543 void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ) 05544 { 05545 conf->transport = transport; 05546 } 05547 05548 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05549 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ) 05550 { 05551 conf->anti_replay = mode; 05552 } 05553 #endif 05554 05555 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 05556 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ) 05557 { 05558 conf->badmac_limit = limit; 05559 } 05560 #endif 05561 05562 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05563 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ) 05564 { 05565 conf->hs_timeout_min = min; 05566 conf->hs_timeout_max = max; 05567 } 05568 #endif 05569 05570 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) 05571 { 05572 conf->authmode = authmode; 05573 } 05574 05575 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05576 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, 05577 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 05578 void *p_vrfy ) 05579 { 05580 conf->f_vrfy = f_vrfy; 05581 conf->p_vrfy = p_vrfy; 05582 } 05583 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 05584 05585 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, 05586 int (*f_rng)(void *, unsigned char *, size_t), 05587 void *p_rng ) 05588 { 05589 conf->f_rng = f_rng; 05590 conf->p_rng = p_rng; 05591 } 05592 05593 void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf, 05594 void (*f_dbg)(void *, int, const char *, int, const char *), 05595 void *p_dbg ) 05596 { 05597 conf->f_dbg = f_dbg; 05598 conf->p_dbg = p_dbg; 05599 } 05600 05601 void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, 05602 void *p_bio, 05603 mbedtls_ssl_send_t *f_send, 05604 mbedtls_ssl_recv_t *f_recv, 05605 mbedtls_ssl_recv_timeout_t *f_recv_timeout ) 05606 { 05607 ssl->p_bio = p_bio; 05608 ssl->f_send = f_send; 05609 ssl->f_recv = f_recv; 05610 ssl->f_recv_timeout = f_recv_timeout; 05611 } 05612 05613 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ) 05614 { 05615 conf->read_timeout = timeout; 05616 } 05617 05618 void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, 05619 void *p_timer, 05620 mbedtls_ssl_set_timer_t *f_set_timer, 05621 mbedtls_ssl_get_timer_t *f_get_timer ) 05622 { 05623 ssl->p_timer = p_timer; 05624 ssl->f_set_timer = f_set_timer; 05625 ssl->f_get_timer = f_get_timer; 05626 05627 /* Make sure we start with no timer running */ 05628 ssl_set_timer( ssl, 0 ); 05629 } 05630 05631 #if defined(MBEDTLS_SSL_SRV_C) 05632 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, 05633 void *p_cache, 05634 int (*f_get_cache)(void *, mbedtls_ssl_session *), 05635 int (*f_set_cache)(void *, const mbedtls_ssl_session *) ) 05636 { 05637 conf->p_cache = p_cache; 05638 conf->f_get_cache = f_get_cache; 05639 conf->f_set_cache = f_set_cache; 05640 } 05641 #endif /* MBEDTLS_SSL_SRV_C */ 05642 05643 #if defined(MBEDTLS_SSL_CLI_C) 05644 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ) 05645 { 05646 int ret; 05647 05648 if( ssl == NULL || 05649 session == NULL || 05650 ssl->session_negotiate == NULL || 05651 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 05652 { 05653 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05654 } 05655 05656 if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 ) 05657 return( ret ); 05658 05659 ssl->handshake->resume = 1; 05660 05661 return( 0 ); 05662 } 05663 #endif /* MBEDTLS_SSL_CLI_C */ 05664 05665 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, 05666 const int *ciphersuites ) 05667 { 05668 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; 05669 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; 05670 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; 05671 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; 05672 } 05673 05674 void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, 05675 const int *ciphersuites, 05676 int major, int minor ) 05677 { 05678 if( major != MBEDTLS_SSL_MAJOR_VERSION_3 ) 05679 return; 05680 05681 if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 ) 05682 return; 05683 05684 conf->ciphersuite_list [minor] = ciphersuites; 05685 } 05686 05687 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05688 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf, 05689 const mbedtls_x509_crt_profile *profile ) 05690 { 05691 conf->cert_profile = profile; 05692 } 05693 05694 /* Append a new keycert entry to a (possibly empty) list */ 05695 static int ssl_append_key_cert( mbedtls_ssl_key_cert **head, 05696 mbedtls_x509_crt *cert, 05697 mbedtls_pk_context *key ) 05698 { 05699 mbedtls_ssl_key_cert *new; 05700 05701 new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) ); 05702 if( new == NULL ) 05703 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05704 05705 new->cert = cert; 05706 new->key = key; 05707 new->next = NULL; 05708 05709 /* Update head is the list was null, else add to the end */ 05710 if( *head == NULL ) 05711 { 05712 *head = new; 05713 } 05714 else 05715 { 05716 mbedtls_ssl_key_cert *cur = *head; 05717 while( cur->next != NULL ) 05718 cur = cur->next; 05719 cur->next = new; 05720 } 05721 05722 return( 0 ); 05723 } 05724 05725 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, 05726 mbedtls_x509_crt *own_cert, 05727 mbedtls_pk_context *pk_key ) 05728 { 05729 return( ssl_append_key_cert( &conf->key_cert , own_cert, pk_key ) ); 05730 } 05731 05732 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf, 05733 mbedtls_x509_crt *ca_chain, 05734 mbedtls_x509_crl *ca_crl ) 05735 { 05736 conf->ca_chain = ca_chain; 05737 conf->ca_crl = ca_crl; 05738 } 05739 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 05740 05741 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05742 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, 05743 mbedtls_x509_crt *own_cert, 05744 mbedtls_pk_context *pk_key ) 05745 { 05746 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert, 05747 own_cert, pk_key ) ); 05748 } 05749 05750 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl, 05751 mbedtls_x509_crt *ca_chain, 05752 mbedtls_x509_crl *ca_crl ) 05753 { 05754 ssl->handshake->sni_ca_chain = ca_chain; 05755 ssl->handshake->sni_ca_crl = ca_crl; 05756 } 05757 05758 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl, 05759 int authmode ) 05760 { 05761 ssl->handshake->sni_authmode = authmode; 05762 } 05763 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 05764 05765 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 05766 /* 05767 * Set EC J-PAKE password for current handshake 05768 */ 05769 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, 05770 const unsigned char *pw, 05771 size_t pw_len ) 05772 { 05773 mbedtls_ecjpake_role role; 05774 05775 if( ssl->handshake == NULL || ssl->conf == NULL ) 05776 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05777 05778 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05779 role = MBEDTLS_ECJPAKE_SERVER; 05780 else 05781 role = MBEDTLS_ECJPAKE_CLIENT; 05782 05783 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx, 05784 role, 05785 MBEDTLS_MD_SHA256, 05786 MBEDTLS_ECP_DP_SECP256R1 , 05787 pw, pw_len ) ); 05788 } 05789 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 05790 05791 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 05792 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, 05793 const unsigned char *psk, size_t psk_len, 05794 const unsigned char *psk_identity, size_t psk_identity_len ) 05795 { 05796 if( psk == NULL || psk_identity == NULL ) 05797 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05798 05799 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 05800 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05801 05802 /* Identity len will be encoded on two bytes */ 05803 if( ( psk_identity_len >> 16 ) != 0 || 05804 psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) 05805 { 05806 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05807 } 05808 05809 if( conf->psk != NULL || conf->psk_identity != NULL ) 05810 { 05811 mbedtls_free( conf->psk ); 05812 mbedtls_free( conf->psk_identity ); 05813 conf->psk = NULL; 05814 conf->psk_identity = NULL; 05815 } 05816 05817 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL || 05818 ( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL ) 05819 { 05820 mbedtls_free( conf->psk ); 05821 mbedtls_free( conf->psk_identity ); 05822 conf->psk = NULL; 05823 conf->psk_identity = NULL; 05824 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05825 } 05826 05827 conf->psk_len = psk_len; 05828 conf->psk_identity_len = psk_identity_len; 05829 05830 memcpy( conf->psk , psk, conf->psk_len ); 05831 memcpy( conf->psk_identity , psk_identity, conf->psk_identity_len ); 05832 05833 return( 0 ); 05834 } 05835 05836 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, 05837 const unsigned char *psk, size_t psk_len ) 05838 { 05839 if( psk == NULL || ssl->handshake == NULL ) 05840 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05841 05842 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 05843 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05844 05845 if( ssl->handshake->psk != NULL ) 05846 mbedtls_free( ssl->handshake->psk ); 05847 05848 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) 05849 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05850 05851 ssl->handshake->psk_len = psk_len; 05852 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len ); 05853 05854 return( 0 ); 05855 } 05856 05857 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, 05858 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, 05859 size_t), 05860 void *p_psk ) 05861 { 05862 conf->f_psk = f_psk; 05863 conf->p_psk = p_psk; 05864 } 05865 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 05866 05867 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 05868 int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ) 05869 { 05870 int ret; 05871 05872 if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P , 16, dhm_P ) ) != 0 || 05873 ( ret = mbedtls_mpi_read_string( &conf->dhm_G , 16, dhm_G ) ) != 0 ) 05874 { 05875 mbedtls_mpi_free( &conf->dhm_P ); 05876 mbedtls_mpi_free( &conf->dhm_G ); 05877 return( ret ); 05878 } 05879 05880 return( 0 ); 05881 } 05882 05883 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) 05884 { 05885 int ret; 05886 05887 if( ( ret = mbedtls_mpi_copy( &conf->dhm_P , &dhm_ctx->P ) ) != 0 || 05888 ( ret = mbedtls_mpi_copy( &conf->dhm_G , &dhm_ctx->G ) ) != 0 ) 05889 { 05890 mbedtls_mpi_free( &conf->dhm_P ); 05891 mbedtls_mpi_free( &conf->dhm_G ); 05892 return( ret ); 05893 } 05894 05895 return( 0 ); 05896 } 05897 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */ 05898 05899 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 05900 /* 05901 * Set the minimum length for Diffie-Hellman parameters 05902 */ 05903 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, 05904 unsigned int bitlen ) 05905 { 05906 conf->dhm_min_bitlen = bitlen; 05907 } 05908 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ 05909 05910 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 05911 /* 05912 * Set allowed/preferred hashes for handshake signatures 05913 */ 05914 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, 05915 const int *hashes ) 05916 { 05917 conf->sig_hashes = hashes; 05918 } 05919 #endif 05920 05921 #if defined(MBEDTLS_ECP_C) 05922 /* 05923 * Set the allowed elliptic curves 05924 */ 05925 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, 05926 const mbedtls_ecp_group_id *curve_list ) 05927 { 05928 conf->curve_list = curve_list; 05929 } 05930 #endif 05931 05932 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05933 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) 05934 { 05935 size_t hostname_len; 05936 05937 if( hostname == NULL ) 05938 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05939 05940 hostname_len = strlen( hostname ); 05941 05942 if( hostname_len + 1 == 0 ) 05943 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05944 05945 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN ) 05946 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05947 05948 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 ); 05949 05950 if( ssl->hostname == NULL ) 05951 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05952 05953 memcpy( ssl->hostname, hostname, hostname_len ); 05954 05955 ssl->hostname[hostname_len] = '\0'; 05956 05957 return( 0 ); 05958 } 05959 #endif 05960 05961 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05962 void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, 05963 int (*f_sni)(void *, mbedtls_ssl_context *, 05964 const unsigned char *, size_t), 05965 void *p_sni ) 05966 { 05967 conf->f_sni = f_sni; 05968 conf->p_sni = p_sni; 05969 } 05970 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 05971 05972 #if defined(MBEDTLS_SSL_ALPN) 05973 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ) 05974 { 05975 size_t cur_len, tot_len; 05976 const char **p; 05977 05978 /* 05979 * "Empty strings MUST NOT be included and byte strings MUST NOT be 05980 * truncated". Check lengths now rather than later. 05981 */ 05982 tot_len = 0; 05983 for( p = protos; *p != NULL; p++ ) 05984 { 05985 cur_len = strlen( *p ); 05986 tot_len += cur_len; 05987 05988 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 ) 05989 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05990 } 05991 05992 conf->alpn_list = protos; 05993 05994 return( 0 ); 05995 } 05996 05997 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ) 05998 { 05999 return( ssl->alpn_chosen ); 06000 } 06001 #endif /* MBEDTLS_SSL_ALPN */ 06002 06003 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ) 06004 { 06005 conf->max_major_ver = major; 06006 conf->max_minor_ver = minor; 06007 } 06008 06009 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ) 06010 { 06011 conf->min_major_ver = major; 06012 conf->min_minor_ver = minor; 06013 } 06014 06015 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) 06016 void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ) 06017 { 06018 conf->fallback = fallback; 06019 } 06020 #endif 06021 06022 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 06023 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ) 06024 { 06025 conf->encrypt_then_mac = etm; 06026 } 06027 #endif 06028 06029 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 06030 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems ) 06031 { 06032 conf->extended_ms = ems; 06033 } 06034 #endif 06035 06036 #if defined(MBEDTLS_ARC4_C) 06037 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ) 06038 { 06039 conf->arc4_disabled = arc4; 06040 } 06041 #endif 06042 06043 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06044 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ) 06045 { 06046 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || 06047 mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN ) 06048 { 06049 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06050 } 06051 06052 conf->mfl_code = mfl_code; 06053 06054 return( 0 ); 06055 } 06056 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06057 06058 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 06059 void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) 06060 { 06061 conf->trunc_hmac = truncate; 06062 } 06063 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 06064 06065 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06066 void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ) 06067 { 06068 conf->cbc_record_splitting = split; 06069 } 06070 #endif 06071 06072 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) 06073 { 06074 conf->allow_legacy_renegotiation = allow_legacy; 06075 } 06076 06077 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06078 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation ) 06079 { 06080 conf->disable_renegotiation = renegotiation; 06081 } 06082 06083 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ) 06084 { 06085 conf->renego_max_records = max_records; 06086 } 06087 06088 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf, 06089 const unsigned char period[8] ) 06090 { 06091 memcpy( conf->renego_period , period, 8 ); 06092 } 06093 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06094 06095 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 06096 #if defined(MBEDTLS_SSL_CLI_C) 06097 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) 06098 { 06099 conf->session_tickets = use_tickets; 06100 } 06101 #endif 06102 06103 #if defined(MBEDTLS_SSL_SRV_C) 06104 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, 06105 mbedtls_ssl_ticket_write_t *f_ticket_write, 06106 mbedtls_ssl_ticket_parse_t *f_ticket_parse, 06107 void *p_ticket ) 06108 { 06109 conf->f_ticket_write = f_ticket_write; 06110 conf->f_ticket_parse = f_ticket_parse; 06111 conf->p_ticket = p_ticket; 06112 } 06113 #endif 06114 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 06115 06116 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 06117 void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, 06118 mbedtls_ssl_export_keys_t *f_export_keys, 06119 void *p_export_keys ) 06120 { 06121 conf->f_export_keys = f_export_keys; 06122 conf->p_export_keys = p_export_keys; 06123 } 06124 #endif 06125 06126 /* 06127 * SSL get accessors 06128 */ 06129 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ) 06130 { 06131 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); 06132 } 06133 06134 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl ) 06135 { 06136 if( ssl->session != NULL ) 06137 return( ssl->session->verify_result ); 06138 06139 if( ssl->session_negotiate != NULL ) 06140 return( ssl->session_negotiate->verify_result ); 06141 06142 return( 0xFFFFFFFF ); 06143 } 06144 06145 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl ) 06146 { 06147 if( ssl == NULL || ssl->session == NULL ) 06148 return( NULL ); 06149 06150 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite ); 06151 } 06152 06153 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) 06154 { 06155 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06156 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06157 { 06158 switch( ssl->minor_ver ) 06159 { 06160 case MBEDTLS_SSL_MINOR_VERSION_2: 06161 return( "DTLSv1.0" ); 06162 06163 case MBEDTLS_SSL_MINOR_VERSION_3: 06164 return( "DTLSv1.2" ); 06165 06166 default: 06167 return( "unknown (DTLS)" ); 06168 } 06169 } 06170 #endif 06171 06172 switch( ssl->minor_ver ) 06173 { 06174 case MBEDTLS_SSL_MINOR_VERSION_0: 06175 return( "SSLv3.0" ); 06176 06177 case MBEDTLS_SSL_MINOR_VERSION_1: 06178 return( "TLSv1.0" ); 06179 06180 case MBEDTLS_SSL_MINOR_VERSION_2: 06181 return( "TLSv1.1" ); 06182 06183 case MBEDTLS_SSL_MINOR_VERSION_3: 06184 return( "TLSv1.2" ); 06185 06186 default: 06187 return( "unknown" ); 06188 } 06189 } 06190 06191 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) 06192 { 06193 size_t transform_expansion; 06194 const mbedtls_ssl_transform *transform = ssl->transform_out; 06195 06196 #if defined(MBEDTLS_ZLIB_SUPPORT) 06197 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL ) 06198 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 06199 #endif 06200 06201 if( transform == NULL ) 06202 return( (int) mbedtls_ssl_hdr_len( ssl ) ); 06203 06204 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) ) 06205 { 06206 case MBEDTLS_MODE_GCM: 06207 case MBEDTLS_MODE_CCM: 06208 case MBEDTLS_MODE_STREAM: 06209 transform_expansion = transform->minlen; 06210 break; 06211 06212 case MBEDTLS_MODE_CBC: 06213 transform_expansion = transform->maclen 06214 + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc ); 06215 break; 06216 06217 default: 06218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 06219 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 06220 } 06221 06222 return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) ); 06223 } 06224 06225 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06226 size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ) 06227 { 06228 size_t max_len; 06229 06230 /* 06231 * Assume mfl_code is correct since it was checked when set 06232 */ 06233 max_len = mfl_code_to_length[ssl->conf->mfl_code]; 06234 06235 /* 06236 * Check if a smaller max length was negotiated 06237 */ 06238 if( ssl->session_out != NULL && 06239 mfl_code_to_length[ssl->session_out->mfl_code] < max_len ) 06240 { 06241 max_len = mfl_code_to_length[ssl->session_out->mfl_code]; 06242 } 06243 06244 return max_len; 06245 } 06246 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06247 06248 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06249 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl ) 06250 { 06251 if( ssl == NULL || ssl->session == NULL ) 06252 return( NULL ); 06253 06254 return( ssl->session->peer_cert ); 06255 } 06256 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06257 06258 #if defined(MBEDTLS_SSL_CLI_C) 06259 int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst ) 06260 { 06261 if( ssl == NULL || 06262 dst == NULL || 06263 ssl->session == NULL || 06264 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 06265 { 06266 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06267 } 06268 06269 return( ssl_session_copy( dst, ssl->session ) ); 06270 } 06271 #endif /* MBEDTLS_SSL_CLI_C */ 06272 06273 /* 06274 * Perform a single step of the SSL handshake 06275 */ 06276 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) 06277 { 06278 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06279 06280 if( ssl == NULL || ssl->conf == NULL ) 06281 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06282 06283 #if defined(MBEDTLS_SSL_CLI_C) 06284 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 06285 ret = mbedtls_ssl_handshake_client_step( ssl ); 06286 #endif 06287 #if defined(MBEDTLS_SSL_SRV_C) 06288 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06289 ret = mbedtls_ssl_handshake_server_step( ssl ); 06290 #endif 06291 06292 return( ret ); 06293 } 06294 06295 /* 06296 * Perform the SSL handshake 06297 */ 06298 int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) 06299 { 06300 int ret = 0; 06301 06302 if( ssl == NULL || ssl->conf == NULL ) 06303 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06304 06305 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); 06306 06307 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06308 { 06309 ret = mbedtls_ssl_handshake_step( ssl ); 06310 06311 if( ret != 0 ) 06312 break; 06313 } 06314 06315 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) ); 06316 06317 return( ret ); 06318 } 06319 06320 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06321 #if defined(MBEDTLS_SSL_SRV_C) 06322 /* 06323 * Write HelloRequest to request renegotiation on server 06324 */ 06325 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ) 06326 { 06327 int ret; 06328 06329 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) ); 06330 06331 ssl->out_msglen = 4; 06332 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 06333 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; 06334 06335 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 06336 { 06337 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 06338 return( ret ); 06339 } 06340 06341 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) ); 06342 06343 return( 0 ); 06344 } 06345 #endif /* MBEDTLS_SSL_SRV_C */ 06346 06347 /* 06348 * Actually renegotiate current connection, triggered by either: 06349 * - any side: calling mbedtls_ssl_renegotiate(), 06350 * - client: receiving a HelloRequest during mbedtls_ssl_read(), 06351 * - server: receiving any handshake message on server during mbedtls_ssl_read() after 06352 * the initial handshake is completed. 06353 * If the handshake doesn't complete due to waiting for I/O, it will continue 06354 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. 06355 */ 06356 static int ssl_start_renegotiation( mbedtls_ssl_context *ssl ) 06357 { 06358 int ret; 06359 06360 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) ); 06361 06362 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 06363 return( ret ); 06364 06365 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and 06366 * the ServerHello will have message_seq = 1" */ 06367 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06368 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 06369 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06370 { 06371 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06372 ssl->handshake->out_msg_seq = 1; 06373 else 06374 ssl->handshake->in_msg_seq = 1; 06375 } 06376 #endif 06377 06378 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 06379 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; 06380 06381 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06382 { 06383 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06384 return( ret ); 06385 } 06386 06387 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) ); 06388 06389 return( 0 ); 06390 } 06391 06392 /* 06393 * Renegotiate current connection on client, 06394 * or request renegotiation on server 06395 */ 06396 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) 06397 { 06398 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06399 06400 if( ssl == NULL || ssl->conf == NULL ) 06401 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06402 06403 #if defined(MBEDTLS_SSL_SRV_C) 06404 /* On server, just send the request */ 06405 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06406 { 06407 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06408 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06409 06410 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 06411 06412 /* Did we already try/start sending HelloRequest? */ 06413 if( ssl->out_left != 0 ) 06414 return( mbedtls_ssl_flush_output( ssl ) ); 06415 06416 return( ssl_write_hello_request( ssl ) ); 06417 } 06418 #endif /* MBEDTLS_SSL_SRV_C */ 06419 06420 #if defined(MBEDTLS_SSL_CLI_C) 06421 /* 06422 * On client, either start the renegotiation process or, 06423 * if already in progress, continue the handshake 06424 */ 06425 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 06426 { 06427 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06428 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06429 06430 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 ) 06431 { 06432 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 06433 return( ret ); 06434 } 06435 } 06436 else 06437 { 06438 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06439 { 06440 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06441 return( ret ); 06442 } 06443 } 06444 #endif /* MBEDTLS_SSL_CLI_C */ 06445 06446 return( ret ); 06447 } 06448 06449 /* 06450 * Check record counters and renegotiate if they're above the limit. 06451 */ 06452 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) 06453 { 06454 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || 06455 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || 06456 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) 06457 { 06458 return( 0 ); 06459 } 06460 06461 if( memcmp( ssl->in_ctr, ssl->conf->renego_period, 8 ) <= 0 && 06462 memcmp( ssl->out_ctr, ssl->conf->renego_period, 8 ) <= 0 ) 06463 { 06464 return( 0 ); 06465 } 06466 06467 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) ); 06468 return( mbedtls_ssl_renegotiate( ssl ) ); 06469 } 06470 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06471 06472 /* 06473 * Receive application data decrypted from the SSL layer 06474 */ 06475 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) 06476 { 06477 int ret, record_read = 0; 06478 size_t n; 06479 06480 if( ssl == NULL || ssl->conf == NULL ) 06481 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06482 06483 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); 06484 06485 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06486 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06487 { 06488 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 06489 return( ret ); 06490 06491 if( ssl->handshake != NULL && 06492 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 06493 { 06494 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 06495 return( ret ); 06496 } 06497 } 06498 #endif 06499 06500 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06501 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) 06502 { 06503 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 06504 return( ret ); 06505 } 06506 #endif 06507 06508 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06509 { 06510 ret = mbedtls_ssl_handshake( ssl ); 06511 if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ) 06512 { 06513 record_read = 1; 06514 } 06515 else if( ret != 0 ) 06516 { 06517 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06518 return( ret ); 06519 } 06520 } 06521 06522 if( ssl->in_offt == NULL ) 06523 { 06524 /* Start timer if not already running */ 06525 if( ssl->f_get_timer != NULL && 06526 ssl->f_get_timer( ssl->p_timer ) == -1 ) 06527 { 06528 ssl_set_timer( ssl, ssl->conf->read_timeout ); 06529 } 06530 06531 if( ! record_read ) 06532 { 06533 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06534 { 06535 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06536 return( 0 ); 06537 06538 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06539 return( ret ); 06540 } 06541 } 06542 06543 if( ssl->in_msglen == 0 && 06544 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA ) 06545 { 06546 /* 06547 * OpenSSL sends empty messages to randomize the IV 06548 */ 06549 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06550 { 06551 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06552 return( 0 ); 06553 06554 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06555 return( ret ); 06556 } 06557 } 06558 06559 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06560 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 06561 { 06562 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); 06563 06564 #if defined(MBEDTLS_SSL_CLI_C) 06565 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 06566 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || 06567 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) 06568 { 06569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) ); 06570 06571 /* With DTLS, drop the packet (probably from last handshake) */ 06572 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06573 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06574 return( MBEDTLS_ERR_SSL_WANT_READ ); 06575 #endif 06576 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06577 } 06578 06579 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 06580 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 06581 { 06582 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); 06583 06584 /* With DTLS, drop the packet (probably from last handshake) */ 06585 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06586 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06587 return( MBEDTLS_ERR_SSL_WANT_READ ); 06588 #endif 06589 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06590 } 06591 #endif 06592 06593 if( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || 06594 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 06595 ssl->conf->allow_legacy_renegotiation == 06596 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) 06597 { 06598 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); 06599 06600 #if defined(MBEDTLS_SSL_PROTO_SSL3) 06601 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 06602 { 06603 /* 06604 * SSLv3 does not have a "no_renegotiation" alert 06605 */ 06606 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 06607 return( ret ); 06608 } 06609 else 06610 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 06611 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 06612 defined(MBEDTLS_SSL_PROTO_TLS1_2) 06613 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 06614 { 06615 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 06616 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 06617 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 ) 06618 { 06619 return( ret ); 06620 } 06621 } 06622 else 06623 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || 06624 MBEDTLS_SSL_PROTO_TLS1_2 */ 06625 { 06626 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 06627 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 06628 } 06629 } 06630 else 06631 { 06632 /* DTLS clients need to know renego is server-initiated */ 06633 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06634 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 06635 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 06636 { 06637 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 06638 } 06639 #endif 06640 ret = ssl_start_renegotiation( ssl ); 06641 if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ) 06642 { 06643 record_read = 1; 06644 } 06645 else if( ret != 0 ) 06646 { 06647 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 06648 return( ret ); 06649 } 06650 } 06651 06652 /* If a non-handshake record was read during renego, fallthrough, 06653 * else tell the user they should call mbedtls_ssl_read() again */ 06654 if( ! record_read ) 06655 return( MBEDTLS_ERR_SSL_WANT_READ ); 06656 } 06657 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06658 { 06659 06660 if( ssl->conf->renego_max_records >= 0 ) 06661 { 06662 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records ) 06663 { 06664 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 06665 "but not honored by client" ) ); 06666 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06667 } 06668 } 06669 } 06670 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06671 06672 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */ 06673 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 06674 { 06675 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); 06676 return( MBEDTLS_ERR_SSL_WANT_READ ); 06677 } 06678 06679 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 06680 { 06681 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); 06682 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06683 } 06684 06685 ssl->in_offt = ssl->in_msg; 06686 06687 /* We're going to return something now, cancel timer, 06688 * except if handshake (renegotiation) is in progress */ 06689 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 06690 ssl_set_timer( ssl, 0 ); 06691 06692 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06693 /* If we requested renego but received AppData, resend HelloRequest. 06694 * Do it now, after setting in_offt, to avoid taking this branch 06695 * again if ssl_write_hello_request() returns WANT_WRITE */ 06696 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 06697 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 06698 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06699 { 06700 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 06701 { 06702 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 06703 return( ret ); 06704 } 06705 } 06706 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 06707 #endif 06708 } 06709 06710 n = ( len < ssl->in_msglen ) 06711 ? len : ssl->in_msglen; 06712 06713 memcpy( buf, ssl->in_offt, n ); 06714 ssl->in_msglen -= n; 06715 06716 if( ssl->in_msglen == 0 ) 06717 /* all bytes consumed */ 06718 ssl->in_offt = NULL; 06719 else 06720 /* more data available */ 06721 ssl->in_offt += n; 06722 06723 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); 06724 06725 return( (int) n ); 06726 } 06727 06728 /* 06729 * Send application data to be encrypted by the SSL layer, 06730 * taking care of max fragment length and buffer size 06731 */ 06732 static int ssl_write_real( mbedtls_ssl_context *ssl, 06733 const unsigned char *buf, size_t len ) 06734 { 06735 int ret; 06736 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06737 size_t max_len = mbedtls_ssl_get_max_frag_len( ssl ); 06738 06739 if( len > max_len ) 06740 { 06741 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06742 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06743 { 06744 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " 06745 "maximum fragment length: %d > %d", 06746 len, max_len ) ); 06747 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06748 } 06749 else 06750 #endif 06751 len = max_len; 06752 } 06753 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06754 06755 if( ssl->out_left != 0 ) 06756 { 06757 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 06758 { 06759 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 06760 return( ret ); 06761 } 06762 } 06763 else 06764 { 06765 ssl->out_msglen = len; 06766 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; 06767 memcpy( ssl->out_msg, buf, len ); 06768 06769 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 06770 { 06771 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 06772 return( ret ); 06773 } 06774 } 06775 06776 return( (int) len ); 06777 } 06778 06779 /* 06780 * Write application data, doing 1/n-1 splitting if necessary. 06781 * 06782 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE, 06783 * then the caller will call us again with the same arguments, so 06784 * remember wether we already did the split or not. 06785 */ 06786 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06787 static int ssl_write_split( mbedtls_ssl_context *ssl, 06788 const unsigned char *buf, size_t len ) 06789 { 06790 int ret; 06791 06792 if( ssl->conf->cbc_record_splitting == 06793 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED || 06794 len <= 1 || 06795 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 || 06796 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ) 06797 != MBEDTLS_MODE_CBC ) 06798 { 06799 return( ssl_write_real( ssl, buf, len ) ); 06800 } 06801 06802 if( ssl->split_done == 0 ) 06803 { 06804 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 ) 06805 return( ret ); 06806 ssl->split_done = 1; 06807 } 06808 06809 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 ) 06810 return( ret ); 06811 ssl->split_done = 0; 06812 06813 return( ret + 1 ); 06814 } 06815 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ 06816 06817 /* 06818 * Write application data (public-facing wrapper) 06819 */ 06820 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) 06821 { 06822 int ret; 06823 06824 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); 06825 06826 if( ssl == NULL || ssl->conf == NULL ) 06827 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06828 06829 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06830 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) 06831 { 06832 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 06833 return( ret ); 06834 } 06835 #endif 06836 06837 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06838 { 06839 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06840 { 06841 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06842 return( ret ); 06843 } 06844 } 06845 06846 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06847 ret = ssl_write_split( ssl, buf, len ); 06848 #else 06849 ret = ssl_write_real( ssl, buf, len ); 06850 #endif 06851 06852 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); 06853 06854 return( ret ); 06855 } 06856 06857 /* 06858 * Notify the peer that the connection is being closed 06859 */ 06860 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) 06861 { 06862 int ret; 06863 06864 if( ssl == NULL || ssl->conf == NULL ) 06865 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06866 06867 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); 06868 06869 if( ssl->out_left != 0 ) 06870 return( mbedtls_ssl_flush_output( ssl ) ); 06871 06872 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 06873 { 06874 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 06875 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 06876 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 ) 06877 { 06878 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret ); 06879 return( ret ); 06880 } 06881 } 06882 06883 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) ); 06884 06885 return( 0 ); 06886 } 06887 06888 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) 06889 { 06890 if( transform == NULL ) 06891 return; 06892 06893 #if defined(MBEDTLS_ZLIB_SUPPORT) 06894 deflateEnd( &transform->ctx_deflate ); 06895 inflateEnd( &transform->ctx_inflate ); 06896 #endif 06897 06898 mbedtls_cipher_free( &transform->cipher_ctx_enc ); 06899 mbedtls_cipher_free( &transform->cipher_ctx_dec ); 06900 06901 mbedtls_md_free( &transform->md_ctx_enc ); 06902 mbedtls_md_free( &transform->md_ctx_dec ); 06903 06904 mbedtls_zeroize( transform, sizeof( mbedtls_ssl_transform ) ); 06905 } 06906 06907 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06908 static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert ) 06909 { 06910 mbedtls_ssl_key_cert *cur = key_cert, *next; 06911 06912 while( cur != NULL ) 06913 { 06914 next = cur->next; 06915 mbedtls_free( cur ); 06916 cur = next; 06917 } 06918 } 06919 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06920 06921 void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake ) 06922 { 06923 if( handshake == NULL ) 06924 return; 06925 06926 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 06927 defined(MBEDTLS_SSL_PROTO_TLS1_1) 06928 mbedtls_md5_free( &handshake->fin_md5 ); 06929 mbedtls_sha1_free( &handshake->fin_sha1 ); 06930 #endif 06931 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 06932 #if defined(MBEDTLS_SHA256_C) 06933 mbedtls_sha256_free( &handshake->fin_sha256 ); 06934 #endif 06935 #if defined(MBEDTLS_SHA512_C) 06936 mbedtls_sha512_free( &handshake->fin_sha512 ); 06937 #endif 06938 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 06939 06940 #if defined(MBEDTLS_DHM_C) 06941 mbedtls_dhm_free( &handshake->dhm_ctx ); 06942 #endif 06943 #if defined(MBEDTLS_ECDH_C) 06944 mbedtls_ecdh_free( &handshake->ecdh_ctx ); 06945 #endif 06946 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 06947 mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); 06948 #if defined(MBEDTLS_SSL_CLI_C) 06949 mbedtls_free( handshake->ecjpake_cache ); 06950 handshake->ecjpake_cache = NULL; 06951 handshake->ecjpake_cache_len = 0; 06952 #endif 06953 #endif 06954 06955 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 06956 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 06957 /* explicit void pointer cast for buggy MS compiler */ 06958 mbedtls_free( (void *) handshake->curves ); 06959 #endif 06960 06961 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 06962 if( handshake->psk != NULL ) 06963 { 06964 mbedtls_zeroize( handshake->psk, handshake->psk_len ); 06965 mbedtls_free( handshake->psk ); 06966 } 06967 #endif 06968 06969 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 06970 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 06971 /* 06972 * Free only the linked list wrapper, not the keys themselves 06973 * since the belong to the SNI callback 06974 */ 06975 if( handshake->sni_key_cert != NULL ) 06976 { 06977 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next; 06978 06979 while( cur != NULL ) 06980 { 06981 next = cur->next; 06982 mbedtls_free( cur ); 06983 cur = next; 06984 } 06985 } 06986 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ 06987 06988 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06989 mbedtls_free( handshake->verify_cookie ); 06990 mbedtls_free( handshake->hs_msg ); 06991 ssl_flight_free( handshake->flight ); 06992 #endif 06993 06994 mbedtls_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) ); 06995 } 06996 06997 void mbedtls_ssl_session_free( mbedtls_ssl_session *session ) 06998 { 06999 if( session == NULL ) 07000 return; 07001 07002 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07003 if( session->peer_cert != NULL ) 07004 { 07005 mbedtls_x509_crt_free( session->peer_cert ); 07006 mbedtls_free( session->peer_cert ); 07007 } 07008 #endif 07009 07010 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 07011 mbedtls_free( session->ticket ); 07012 #endif 07013 07014 mbedtls_zeroize( session, sizeof( mbedtls_ssl_session ) ); 07015 } 07016 07017 /* 07018 * Free an SSL context 07019 */ 07020 void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) 07021 { 07022 if( ssl == NULL ) 07023 return; 07024 07025 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) ); 07026 07027 if( ssl->out_buf != NULL ) 07028 { 07029 mbedtls_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN ); 07030 mbedtls_free( ssl->out_buf ); 07031 } 07032 07033 if( ssl->in_buf != NULL ) 07034 { 07035 mbedtls_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN ); 07036 mbedtls_free( ssl->in_buf ); 07037 } 07038 07039 #if defined(MBEDTLS_ZLIB_SUPPORT) 07040 if( ssl->compress_buf != NULL ) 07041 { 07042 mbedtls_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN ); 07043 mbedtls_free( ssl->compress_buf ); 07044 } 07045 #endif 07046 07047 if( ssl->transform ) 07048 { 07049 mbedtls_ssl_transform_free( ssl->transform ); 07050 mbedtls_free( ssl->transform ); 07051 } 07052 07053 if( ssl->handshake ) 07054 { 07055 mbedtls_ssl_handshake_free( ssl->handshake ); 07056 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 07057 mbedtls_ssl_session_free( ssl->session_negotiate ); 07058 07059 mbedtls_free( ssl->handshake ); 07060 mbedtls_free( ssl->transform_negotiate ); 07061 mbedtls_free( ssl->session_negotiate ); 07062 } 07063 07064 if( ssl->session ) 07065 { 07066 mbedtls_ssl_session_free( ssl->session ); 07067 mbedtls_free( ssl->session ); 07068 } 07069 07070 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07071 if( ssl->hostname != NULL ) 07072 { 07073 mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) ); 07074 mbedtls_free( ssl->hostname ); 07075 } 07076 #endif 07077 07078 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 07079 if( mbedtls_ssl_hw_record_finish != NULL ) 07080 { 07081 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) ); 07082 mbedtls_ssl_hw_record_finish( ssl ); 07083 } 07084 #endif 07085 07086 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07087 mbedtls_free( ssl->cli_id ); 07088 #endif 07089 07090 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) ); 07091 07092 /* Actually clear after last debug message */ 07093 mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) ); 07094 } 07095 07096 /* 07097 * Initialze mbedtls_ssl_config 07098 */ 07099 void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) 07100 { 07101 memset( conf, 0, sizeof( mbedtls_ssl_config ) ); 07102 } 07103 07104 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07105 static int ssl_preset_default_hashes[] = { 07106 #if defined(MBEDTLS_SHA512_C) 07107 MBEDTLS_MD_SHA512, 07108 MBEDTLS_MD_SHA384, 07109 #endif 07110 #if defined(MBEDTLS_SHA256_C) 07111 MBEDTLS_MD_SHA256, 07112 MBEDTLS_MD_SHA224, 07113 #endif 07114 #if defined(MBEDTLS_SHA1_C) 07115 MBEDTLS_MD_SHA1, 07116 #endif 07117 MBEDTLS_MD_NONE 07118 }; 07119 #endif 07120 07121 static int ssl_preset_suiteb_ciphersuites[] = { 07122 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 07123 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 07124 0 07125 }; 07126 07127 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07128 static int ssl_preset_suiteb_hashes[] = { 07129 MBEDTLS_MD_SHA256, 07130 MBEDTLS_MD_SHA384, 07131 MBEDTLS_MD_NONE 07132 }; 07133 #endif 07134 07135 #if defined(MBEDTLS_ECP_C) 07136 static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = { 07137 MBEDTLS_ECP_DP_SECP256R1 , 07138 MBEDTLS_ECP_DP_SECP384R1 , 07139 MBEDTLS_ECP_DP_NONE 07140 }; 07141 #endif 07142 07143 /* 07144 * Load default in mbedtls_ssl_config 07145 */ 07146 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, 07147 int endpoint, int transport, int preset ) 07148 { 07149 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07150 int ret; 07151 #endif 07152 07153 /* Use the functions here so that they are covered in tests, 07154 * but otherwise access member directly for efficiency */ 07155 mbedtls_ssl_conf_endpoint( conf, endpoint ); 07156 mbedtls_ssl_conf_transport( conf, transport ); 07157 07158 /* 07159 * Things that are common to all presets 07160 */ 07161 #if defined(MBEDTLS_SSL_CLI_C) 07162 if( endpoint == MBEDTLS_SSL_IS_CLIENT ) 07163 { 07164 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; 07165 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 07166 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; 07167 #endif 07168 } 07169 #endif 07170 07171 #if defined(MBEDTLS_ARC4_C) 07172 conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED; 07173 #endif 07174 07175 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 07176 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 07177 #endif 07178 07179 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 07180 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 07181 #endif 07182 07183 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07184 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; 07185 #endif 07186 07187 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07188 conf->f_cookie_write = ssl_cookie_write_dummy; 07189 conf->f_cookie_check = ssl_cookie_check_dummy; 07190 #endif 07191 07192 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 07193 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; 07194 #endif 07195 07196 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07197 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; 07198 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; 07199 #endif 07200 07201 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07202 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; 07203 memset( conf->renego_period , 0xFF, 7 ); 07204 conf->renego_period [7] = 0x00; 07205 #endif 07206 07207 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07208 if( endpoint == MBEDTLS_SSL_IS_SERVER ) 07209 { 07210 if( ( ret = mbedtls_ssl_conf_dh_param( conf, 07211 MBEDTLS_DHM_RFC5114_MODP_2048_P, 07212 MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 ) 07213 { 07214 return( ret ); 07215 } 07216 } 07217 #endif 07218 07219 /* 07220 * Preset-specific defaults 07221 */ 07222 switch( preset ) 07223 { 07224 /* 07225 * NSA Suite B 07226 */ 07227 case MBEDTLS_SSL_PRESET_SUITEB: 07228 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 07229 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */ 07230 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07231 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07232 07233 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07234 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07235 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07236 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07237 ssl_preset_suiteb_ciphersuites; 07238 07239 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07240 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; 07241 #endif 07242 07243 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07244 conf->sig_hashes = ssl_preset_suiteb_hashes; 07245 #endif 07246 07247 #if defined(MBEDTLS_ECP_C) 07248 conf->curve_list = ssl_preset_suiteb_curves; 07249 #endif 07250 break; 07251 07252 /* 07253 * Default 07254 */ 07255 default: 07256 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 07257 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ 07258 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07259 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07260 07261 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07262 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07263 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; 07264 #endif 07265 07266 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07267 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07268 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07269 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07270 mbedtls_ssl_list_ciphersuites(); 07271 07272 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07273 conf->cert_profile = &mbedtls_x509_crt_profile_default; 07274 #endif 07275 07276 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07277 conf->sig_hashes = ssl_preset_default_hashes; 07278 #endif 07279 07280 #if defined(MBEDTLS_ECP_C) 07281 conf->curve_list = mbedtls_ecp_grp_id_list(); 07282 #endif 07283 07284 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 07285 conf->dhm_min_bitlen = 1024; 07286 #endif 07287 } 07288 07289 return( 0 ); 07290 } 07291 07292 /* 07293 * Free mbedtls_ssl_config 07294 */ 07295 void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) 07296 { 07297 #if defined(MBEDTLS_DHM_C) 07298 mbedtls_mpi_free( &conf->dhm_P ); 07299 mbedtls_mpi_free( &conf->dhm_G ); 07300 #endif 07301 07302 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 07303 if( conf->psk != NULL ) 07304 { 07305 mbedtls_zeroize( conf->psk , conf->psk_len ); 07306 mbedtls_zeroize( conf->psk_identity , conf->psk_identity_len ); 07307 mbedtls_free( conf->psk ); 07308 mbedtls_free( conf->psk_identity ); 07309 conf->psk_len = 0; 07310 conf->psk_identity_len = 0; 07311 } 07312 #endif 07313 07314 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07315 ssl_key_cert_free( conf->key_cert ); 07316 #endif 07317 07318 mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) ); 07319 } 07320 07321 #if defined(MBEDTLS_PK_C) && \ 07322 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) ) 07323 /* 07324 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX 07325 */ 07326 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk ) 07327 { 07328 #if defined(MBEDTLS_RSA_C) 07329 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) ) 07330 return( MBEDTLS_SSL_SIG_RSA ); 07331 #endif 07332 #if defined(MBEDTLS_ECDSA_C) 07333 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) ) 07334 return( MBEDTLS_SSL_SIG_ECDSA ); 07335 #endif 07336 return( MBEDTLS_SSL_SIG_ANON ); 07337 } 07338 07339 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig ) 07340 { 07341 switch( sig ) 07342 { 07343 #if defined(MBEDTLS_RSA_C) 07344 case MBEDTLS_SSL_SIG_RSA: 07345 return( MBEDTLS_PK_RSA ); 07346 #endif 07347 #if defined(MBEDTLS_ECDSA_C) 07348 case MBEDTLS_SSL_SIG_ECDSA: 07349 return( MBEDTLS_PK_ECDSA ); 07350 #endif 07351 default: 07352 return( MBEDTLS_PK_NONE ); 07353 } 07354 } 07355 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */ 07356 07357 /* 07358 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX 07359 */ 07360 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ) 07361 { 07362 switch( hash ) 07363 { 07364 #if defined(MBEDTLS_MD5_C) 07365 case MBEDTLS_SSL_HASH_MD5: 07366 return( MBEDTLS_MD_MD5 ); 07367 #endif 07368 #if defined(MBEDTLS_SHA1_C) 07369 case MBEDTLS_SSL_HASH_SHA1: 07370 return( MBEDTLS_MD_SHA1 ); 07371 #endif 07372 #if defined(MBEDTLS_SHA256_C) 07373 case MBEDTLS_SSL_HASH_SHA224: 07374 return( MBEDTLS_MD_SHA224 ); 07375 case MBEDTLS_SSL_HASH_SHA256: 07376 return( MBEDTLS_MD_SHA256 ); 07377 #endif 07378 #if defined(MBEDTLS_SHA512_C) 07379 case MBEDTLS_SSL_HASH_SHA384: 07380 return( MBEDTLS_MD_SHA384 ); 07381 case MBEDTLS_SSL_HASH_SHA512: 07382 return( MBEDTLS_MD_SHA512 ); 07383 #endif 07384 default: 07385 return( MBEDTLS_MD_NONE ); 07386 } 07387 } 07388 07389 /* 07390 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX 07391 */ 07392 unsigned char mbedtls_ssl_hash_from_md_alg( int md ) 07393 { 07394 switch( md ) 07395 { 07396 #if defined(MBEDTLS_MD5_C) 07397 case MBEDTLS_MD_MD5: 07398 return( MBEDTLS_SSL_HASH_MD5 ); 07399 #endif 07400 #if defined(MBEDTLS_SHA1_C) 07401 case MBEDTLS_MD_SHA1: 07402 return( MBEDTLS_SSL_HASH_SHA1 ); 07403 #endif 07404 #if defined(MBEDTLS_SHA256_C) 07405 case MBEDTLS_MD_SHA224: 07406 return( MBEDTLS_SSL_HASH_SHA224 ); 07407 case MBEDTLS_MD_SHA256: 07408 return( MBEDTLS_SSL_HASH_SHA256 ); 07409 #endif 07410 #if defined(MBEDTLS_SHA512_C) 07411 case MBEDTLS_MD_SHA384: 07412 return( MBEDTLS_SSL_HASH_SHA384 ); 07413 case MBEDTLS_MD_SHA512: 07414 return( MBEDTLS_SSL_HASH_SHA512 ); 07415 #endif 07416 default: 07417 return( MBEDTLS_SSL_HASH_NONE ); 07418 } 07419 } 07420 07421 #if defined(MBEDTLS_ECP_C) 07422 /* 07423 * Check if a curve proposed by the peer is in our list. 07424 * Return 0 if we're willing to use it, -1 otherwise. 07425 */ 07426 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) 07427 { 07428 const mbedtls_ecp_group_id *gid; 07429 07430 if( ssl->conf->curve_list == NULL ) 07431 return( -1 ); 07432 07433 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 07434 if( *gid == grp_id ) 07435 return( 0 ); 07436 07437 return( -1 ); 07438 } 07439 #endif /* MBEDTLS_ECP_C */ 07440 07441 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07442 /* 07443 * Check if a hash proposed by the peer is in our list. 07444 * Return 0 if we're willing to use it, -1 otherwise. 07445 */ 07446 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, 07447 mbedtls_md_type_t md ) 07448 { 07449 const int *cur; 07450 07451 if( ssl->conf->sig_hashes == NULL ) 07452 return( -1 ); 07453 07454 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) 07455 if( *cur == (int) md ) 07456 return( 0 ); 07457 07458 return( -1 ); 07459 } 07460 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 07461 07462 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07463 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, 07464 const mbedtls_ssl_ciphersuite_t *ciphersuite, 07465 int cert_endpoint, 07466 uint32_t *flags ) 07467 { 07468 int ret = 0; 07469 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 07470 int usage = 0; 07471 #endif 07472 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07473 const char *ext_oid; 07474 size_t ext_len; 07475 #endif 07476 07477 #if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \ 07478 !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07479 ((void) cert); 07480 ((void) cert_endpoint); 07481 ((void) flags); 07482 #endif 07483 07484 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 07485 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 07486 { 07487 /* Server part of the key exchange */ 07488 switch( ciphersuite->key_exchange ) 07489 { 07490 case MBEDTLS_KEY_EXCHANGE_RSA: 07491 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 07492 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 07493 break; 07494 07495 case MBEDTLS_KEY_EXCHANGE_DHE_RSA: 07496 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: 07497 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: 07498 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 07499 break; 07500 07501 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: 07502 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: 07503 usage = MBEDTLS_X509_KU_KEY_AGREEMENT; 07504 break; 07505 07506 /* Don't use default: we want warnings when adding new values */ 07507 case MBEDTLS_KEY_EXCHANGE_NONE: 07508 case MBEDTLS_KEY_EXCHANGE_PSK: 07509 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 07510 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 07511 case MBEDTLS_KEY_EXCHANGE_ECJPAKE: 07512 usage = 0; 07513 } 07514 } 07515 else 07516 { 07517 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */ 07518 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 07519 } 07520 07521 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 ) 07522 { 07523 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; 07524 ret = -1; 07525 } 07526 #else 07527 ((void) ciphersuite); 07528 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE */ 07529 07530 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07531 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 07532 { 07533 ext_oid = MBEDTLS_OID_SERVER_AUTH; 07534 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ); 07535 } 07536 else 07537 { 07538 ext_oid = MBEDTLS_OID_CLIENT_AUTH; 07539 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH ); 07540 } 07541 07542 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 ) 07543 { 07544 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; 07545 ret = -1; 07546 } 07547 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ 07548 07549 return( ret ); 07550 } 07551 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 07552 07553 /* 07554 * Convert version numbers to/from wire format 07555 * and, for DTLS, to/from TLS equivalent. 07556 * 07557 * For TLS this is the identity. 07558 * For DTLS, use one complement (v -> 255 - v, and then map as follows: 07559 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1) 07560 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2) 07561 */ 07562 void mbedtls_ssl_write_version( int major, int minor, int transport, 07563 unsigned char ver[2] ) 07564 { 07565 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07566 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07567 { 07568 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 ) 07569 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 07570 07571 ver[0] = (unsigned char)( 255 - ( major - 2 ) ); 07572 ver[1] = (unsigned char)( 255 - ( minor - 1 ) ); 07573 } 07574 else 07575 #else 07576 ((void) transport); 07577 #endif 07578 { 07579 ver[0] = (unsigned char) major; 07580 ver[1] = (unsigned char) minor; 07581 } 07582 } 07583 07584 void mbedtls_ssl_read_version( int *major, int *minor, int transport, 07585 const unsigned char ver[2] ) 07586 { 07587 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07588 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07589 { 07590 *major = 255 - ver[0] + 2; 07591 *minor = 255 - ver[1] + 1; 07592 07593 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 ) 07594 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 07595 } 07596 else 07597 #else 07598 ((void) transport); 07599 #endif 07600 { 07601 *major = ver[0]; 07602 *minor = ver[1]; 07603 } 07604 } 07605 07606 #endif /* MBEDTLS_SSL_TLS_C */
Generated on Tue Jul 12 2022 20:52:41 by
1.7.2