Timothy Beight
This is a fork due to permission issues
Dependencies: mbed Socket lwip-eth lwip-sys lwip
Fork of
6_songs-from-the-cloud
by 
MakingMusicWorkshop
mbed-client/mbedtls/source/ssl_srv.c@1:0ddbe2d3319c, 2016-05-19 (annotated)
- Committer:
- timbeight
- Date:
- Thu May 19 16:02:10 2016 +0000
- Revision:
- 1:0ddbe2d3319c
- Parent:
- 0:f7c60d3e7b8a
This is my first commit while in the class.
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| maclobdell | 0:f7c60d3e7b8a | 1 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2 | * SSLv3/TLSv1 server-side functions |
| maclobdell | 0:f7c60d3e7b8a | 3 | * |
| maclobdell | 0:f7c60d3e7b8a | 4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved |
| maclobdell | 0:f7c60d3e7b8a | 5 | * SPDX-License-Identifier: Apache-2.0 |
| maclobdell | 0:f7c60d3e7b8a | 6 | * |
| maclobdell | 0:f7c60d3e7b8a | 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| maclobdell | 0:f7c60d3e7b8a | 8 | * not use this file except in compliance with the License. |
| maclobdell | 0:f7c60d3e7b8a | 9 | * You may obtain a copy of the License at |
| maclobdell | 0:f7c60d3e7b8a | 10 | * |
| maclobdell | 0:f7c60d3e7b8a | 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| maclobdell | 0:f7c60d3e7b8a | 12 | * |
| maclobdell | 0:f7c60d3e7b8a | 13 | * Unless required by applicable law or agreed to in writing, software |
| maclobdell | 0:f7c60d3e7b8a | 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| maclobdell | 0:f7c60d3e7b8a | 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| maclobdell | 0:f7c60d3e7b8a | 16 | * See the License for the specific language governing permissions and |
| maclobdell | 0:f7c60d3e7b8a | 17 | * limitations under the License. |
| maclobdell | 0:f7c60d3e7b8a | 18 | * |
| maclobdell | 0:f7c60d3e7b8a | 19 | * This file is part of mbed TLS (https://tls.mbed.org) |
| maclobdell | 0:f7c60d3e7b8a | 20 | */ |
| maclobdell | 0:f7c60d3e7b8a | 21 | |
| maclobdell | 0:f7c60d3e7b8a | 22 | #if !defined(MBEDTLS_CONFIG_FILE) |
| maclobdell | 0:f7c60d3e7b8a | 23 | #include "mbedtls/config.h" |
| maclobdell | 0:f7c60d3e7b8a | 24 | #else |
| maclobdell | 0:f7c60d3e7b8a | 25 | #include MBEDTLS_CONFIG_FILE |
| maclobdell | 0:f7c60d3e7b8a | 26 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 27 | |
| maclobdell | 0:f7c60d3e7b8a | 28 | #if defined(MBEDTLS_SSL_SRV_C) |
| maclobdell | 0:f7c60d3e7b8a | 29 | |
| maclobdell | 0:f7c60d3e7b8a | 30 | #include "mbedtls/debug.h" |
| maclobdell | 0:f7c60d3e7b8a | 31 | #include "mbedtls/ssl.h" |
| maclobdell | 0:f7c60d3e7b8a | 32 | #include "mbedtls/ssl_internal.h" |
| maclobdell | 0:f7c60d3e7b8a | 33 | |
| maclobdell | 0:f7c60d3e7b8a | 34 | #include <string.h> |
| maclobdell | 0:f7c60d3e7b8a | 35 | |
| maclobdell | 0:f7c60d3e7b8a | 36 | #if defined(MBEDTLS_ECP_C) |
| maclobdell | 0:f7c60d3e7b8a | 37 | #include "mbedtls/ecp.h" |
| maclobdell | 0:f7c60d3e7b8a | 38 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 39 | |
| maclobdell | 0:f7c60d3e7b8a | 40 | #if defined(MBEDTLS_PLATFORM_C) |
| maclobdell | 0:f7c60d3e7b8a | 41 | #include "mbedtls/platform.h" |
| maclobdell | 0:f7c60d3e7b8a | 42 | #else |
| maclobdell | 0:f7c60d3e7b8a | 43 | #include <stdlib.h> |
| maclobdell | 0:f7c60d3e7b8a | 44 | #define mbedtls_calloc calloc |
| maclobdell | 0:f7c60d3e7b8a | 45 | #define mbedtls_free free |
| maclobdell | 0:f7c60d3e7b8a | 46 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 47 | |
| maclobdell | 0:f7c60d3e7b8a | 48 | #if defined(MBEDTLS_HAVE_TIME) |
| maclobdell | 0:f7c60d3e7b8a | 49 | #include <time.h> |
| maclobdell | 0:f7c60d3e7b8a | 50 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 51 | |
| maclobdell | 0:f7c60d3e7b8a | 52 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| maclobdell | 0:f7c60d3e7b8a | 53 | /* Implementation that should never be optimized out by the compiler */ |
| maclobdell | 0:f7c60d3e7b8a | 54 | static void mbedtls_zeroize( void *v, size_t n ) { |
| maclobdell | 0:f7c60d3e7b8a | 55 | volatile unsigned char *p = v; while( n-- ) *p++ = 0; |
| maclobdell | 0:f7c60d3e7b8a | 56 | } |
| maclobdell | 0:f7c60d3e7b8a | 57 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 58 | |
| maclobdell | 0:f7c60d3e7b8a | 59 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| maclobdell | 0:f7c60d3e7b8a | 60 | int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 61 | const unsigned char *info, |
| maclobdell | 0:f7c60d3e7b8a | 62 | size_t ilen ) |
| maclobdell | 0:f7c60d3e7b8a | 63 | { |
| maclobdell | 0:f7c60d3e7b8a | 64 | if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) |
| maclobdell | 0:f7c60d3e7b8a | 65 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| maclobdell | 0:f7c60d3e7b8a | 66 | |
| maclobdell | 0:f7c60d3e7b8a | 67 | mbedtls_free( ssl->cli_id ); |
| maclobdell | 0:f7c60d3e7b8a | 68 | |
| maclobdell | 0:f7c60d3e7b8a | 69 | if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 70 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
| maclobdell | 0:f7c60d3e7b8a | 71 | |
| maclobdell | 0:f7c60d3e7b8a | 72 | memcpy( ssl->cli_id, info, ilen ); |
| maclobdell | 0:f7c60d3e7b8a | 73 | ssl->cli_id_len = ilen; |
| maclobdell | 0:f7c60d3e7b8a | 74 | |
| maclobdell | 0:f7c60d3e7b8a | 75 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 76 | } |
| maclobdell | 0:f7c60d3e7b8a | 77 | |
| maclobdell | 0:f7c60d3e7b8a | 78 | void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf, |
| maclobdell | 0:f7c60d3e7b8a | 79 | mbedtls_ssl_cookie_write_t *f_cookie_write, |
| maclobdell | 0:f7c60d3e7b8a | 80 | mbedtls_ssl_cookie_check_t *f_cookie_check, |
| maclobdell | 0:f7c60d3e7b8a | 81 | void *p_cookie ) |
| maclobdell | 0:f7c60d3e7b8a | 82 | { |
| maclobdell | 0:f7c60d3e7b8a | 83 | conf->f_cookie_write = f_cookie_write; |
| maclobdell | 0:f7c60d3e7b8a | 84 | conf->f_cookie_check = f_cookie_check; |
| maclobdell | 0:f7c60d3e7b8a | 85 | conf->p_cookie = p_cookie; |
| maclobdell | 0:f7c60d3e7b8a | 86 | } |
| maclobdell | 0:f7c60d3e7b8a | 87 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| maclobdell | 0:f7c60d3e7b8a | 88 | |
| maclobdell | 0:f7c60d3e7b8a | 89 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| maclobdell | 0:f7c60d3e7b8a | 90 | static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 91 | const unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 92 | size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 93 | { |
| maclobdell | 0:f7c60d3e7b8a | 94 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 95 | size_t servername_list_size, hostname_len; |
| maclobdell | 0:f7c60d3e7b8a | 96 | const unsigned char *p; |
| maclobdell | 0:f7c60d3e7b8a | 97 | |
| maclobdell | 0:f7c60d3e7b8a | 98 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 99 | |
| maclobdell | 0:f7c60d3e7b8a | 100 | servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 101 | if( servername_list_size + 2 != len ) |
| maclobdell | 0:f7c60d3e7b8a | 102 | { |
| maclobdell | 0:f7c60d3e7b8a | 103 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 104 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 105 | } |
| maclobdell | 0:f7c60d3e7b8a | 106 | |
| maclobdell | 0:f7c60d3e7b8a | 107 | p = buf + 2; |
| maclobdell | 0:f7c60d3e7b8a | 108 | while( servername_list_size > 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 109 | { |
| maclobdell | 0:f7c60d3e7b8a | 110 | hostname_len = ( ( p[1] << 8 ) | p[2] ); |
| maclobdell | 0:f7c60d3e7b8a | 111 | if( hostname_len + 3 > servername_list_size ) |
| maclobdell | 0:f7c60d3e7b8a | 112 | { |
| maclobdell | 0:f7c60d3e7b8a | 113 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 114 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 115 | } |
| maclobdell | 0:f7c60d3e7b8a | 116 | |
| maclobdell | 0:f7c60d3e7b8a | 117 | if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) |
| maclobdell | 0:f7c60d3e7b8a | 118 | { |
| maclobdell | 0:f7c60d3e7b8a | 119 | ret = ssl->conf->f_sni( ssl->conf->p_sni, |
| maclobdell | 0:f7c60d3e7b8a | 120 | ssl, p + 3, hostname_len ); |
| maclobdell | 0:f7c60d3e7b8a | 121 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 122 | { |
| maclobdell | 0:f7c60d3e7b8a | 123 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 124 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| maclobdell | 0:f7c60d3e7b8a | 125 | MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); |
| maclobdell | 0:f7c60d3e7b8a | 126 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 127 | } |
| maclobdell | 0:f7c60d3e7b8a | 128 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 129 | } |
| maclobdell | 0:f7c60d3e7b8a | 130 | |
| maclobdell | 0:f7c60d3e7b8a | 131 | servername_list_size -= hostname_len + 3; |
| maclobdell | 0:f7c60d3e7b8a | 132 | p += hostname_len + 3; |
| maclobdell | 0:f7c60d3e7b8a | 133 | } |
| maclobdell | 0:f7c60d3e7b8a | 134 | |
| maclobdell | 0:f7c60d3e7b8a | 135 | if( servername_list_size != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 136 | { |
| maclobdell | 0:f7c60d3e7b8a | 137 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 138 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 139 | } |
| maclobdell | 0:f7c60d3e7b8a | 140 | |
| maclobdell | 0:f7c60d3e7b8a | 141 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 142 | } |
| maclobdell | 0:f7c60d3e7b8a | 143 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
| maclobdell | 0:f7c60d3e7b8a | 144 | |
| maclobdell | 0:f7c60d3e7b8a | 145 | static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 146 | const unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 147 | size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 148 | { |
| maclobdell | 0:f7c60d3e7b8a | 149 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 150 | |
| maclobdell | 0:f7c60d3e7b8a | 151 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 152 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 153 | { |
| maclobdell | 0:f7c60d3e7b8a | 154 | /* Check verify-data in constant-time. The length OTOH is no secret */ |
| maclobdell | 0:f7c60d3e7b8a | 155 | if( len != 1 + ssl->verify_data_len || |
| maclobdell | 0:f7c60d3e7b8a | 156 | buf[0] != ssl->verify_data_len || |
| maclobdell | 0:f7c60d3e7b8a | 157 | mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data, |
| maclobdell | 0:f7c60d3e7b8a | 158 | ssl->verify_data_len ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 159 | { |
| maclobdell | 0:f7c60d3e7b8a | 160 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 161 | |
| maclobdell | 0:f7c60d3e7b8a | 162 | if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 163 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 164 | |
| maclobdell | 0:f7c60d3e7b8a | 165 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 166 | } |
| maclobdell | 0:f7c60d3e7b8a | 167 | } |
| maclobdell | 0:f7c60d3e7b8a | 168 | else |
| maclobdell | 0:f7c60d3e7b8a | 169 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| maclobdell | 0:f7c60d3e7b8a | 170 | { |
| maclobdell | 0:f7c60d3e7b8a | 171 | if( len != 1 || buf[0] != 0x0 ) |
| maclobdell | 0:f7c60d3e7b8a | 172 | { |
| maclobdell | 0:f7c60d3e7b8a | 173 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 174 | |
| maclobdell | 0:f7c60d3e7b8a | 175 | if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 176 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 177 | |
| maclobdell | 0:f7c60d3e7b8a | 178 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 179 | } |
| maclobdell | 0:f7c60d3e7b8a | 180 | |
| maclobdell | 0:f7c60d3e7b8a | 181 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| maclobdell | 0:f7c60d3e7b8a | 182 | } |
| maclobdell | 0:f7c60d3e7b8a | 183 | |
| maclobdell | 0:f7c60d3e7b8a | 184 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 185 | } |
| maclobdell | 0:f7c60d3e7b8a | 186 | |
| maclobdell | 0:f7c60d3e7b8a | 187 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
| maclobdell | 0:f7c60d3e7b8a | 188 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 189 | static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 190 | const unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 191 | size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 192 | { |
| maclobdell | 0:f7c60d3e7b8a | 193 | size_t sig_alg_list_size; |
| maclobdell | 0:f7c60d3e7b8a | 194 | const unsigned char *p; |
| maclobdell | 0:f7c60d3e7b8a | 195 | const unsigned char *end = buf + len; |
| maclobdell | 0:f7c60d3e7b8a | 196 | const int *md_cur; |
| maclobdell | 0:f7c60d3e7b8a | 197 | |
| maclobdell | 0:f7c60d3e7b8a | 198 | |
| maclobdell | 0:f7c60d3e7b8a | 199 | sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 200 | if( sig_alg_list_size + 2 != len || |
| maclobdell | 0:f7c60d3e7b8a | 201 | sig_alg_list_size % 2 != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 202 | { |
| maclobdell | 0:f7c60d3e7b8a | 203 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 204 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 205 | } |
| maclobdell | 0:f7c60d3e7b8a | 206 | |
| maclobdell | 0:f7c60d3e7b8a | 207 | /* |
| maclobdell | 0:f7c60d3e7b8a | 208 | * For now, ignore the SignatureAlgorithm part and rely on offered |
| maclobdell | 0:f7c60d3e7b8a | 209 | * ciphersuites only for that part. To be fixed later. |
| maclobdell | 0:f7c60d3e7b8a | 210 | * |
| maclobdell | 0:f7c60d3e7b8a | 211 | * So, just look at the HashAlgorithm part. |
| maclobdell | 0:f7c60d3e7b8a | 212 | */ |
| maclobdell | 0:f7c60d3e7b8a | 213 | for( md_cur = ssl->conf->sig_hashes; *md_cur != MBEDTLS_MD_NONE; md_cur++ ) { |
| maclobdell | 0:f7c60d3e7b8a | 214 | for( p = buf + 2; p < end; p += 2 ) { |
| maclobdell | 0:f7c60d3e7b8a | 215 | if( *md_cur == (int) mbedtls_ssl_md_alg_from_hash( p[0] ) ) { |
| maclobdell | 0:f7c60d3e7b8a | 216 | ssl->handshake->sig_alg = p[0]; |
| maclobdell | 0:f7c60d3e7b8a | 217 | goto have_sig_alg; |
| maclobdell | 0:f7c60d3e7b8a | 218 | } |
| maclobdell | 0:f7c60d3e7b8a | 219 | } |
| maclobdell | 0:f7c60d3e7b8a | 220 | } |
| maclobdell | 0:f7c60d3e7b8a | 221 | |
| maclobdell | 0:f7c60d3e7b8a | 222 | /* Some key echanges do not need signatures at all */ |
| maclobdell | 0:f7c60d3e7b8a | 223 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 224 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 225 | |
| maclobdell | 0:f7c60d3e7b8a | 226 | have_sig_alg: |
| maclobdell | 0:f7c60d3e7b8a | 227 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", |
| maclobdell | 0:f7c60d3e7b8a | 228 | ssl->handshake->sig_alg ) ); |
| maclobdell | 0:f7c60d3e7b8a | 229 | |
| maclobdell | 0:f7c60d3e7b8a | 230 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 231 | } |
| maclobdell | 0:f7c60d3e7b8a | 232 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && |
| maclobdell | 0:f7c60d3e7b8a | 233 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 234 | |
| maclobdell | 0:f7c60d3e7b8a | 235 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| maclobdell | 0:f7c60d3e7b8a | 236 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 237 | static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 238 | const unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 239 | size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 240 | { |
| maclobdell | 0:f7c60d3e7b8a | 241 | size_t list_size, our_size; |
| maclobdell | 0:f7c60d3e7b8a | 242 | const unsigned char *p; |
| maclobdell | 0:f7c60d3e7b8a | 243 | const mbedtls_ecp_curve_info *curve_info, **curves; |
| maclobdell | 0:f7c60d3e7b8a | 244 | |
| maclobdell | 0:f7c60d3e7b8a | 245 | list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 246 | if( list_size + 2 != len || |
| maclobdell | 0:f7c60d3e7b8a | 247 | list_size % 2 != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 248 | { |
| maclobdell | 0:f7c60d3e7b8a | 249 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 250 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 251 | } |
| maclobdell | 0:f7c60d3e7b8a | 252 | |
| maclobdell | 0:f7c60d3e7b8a | 253 | /* Should never happen unless client duplicates the extension */ |
| maclobdell | 0:f7c60d3e7b8a | 254 | if( ssl->handshake->curves != NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 255 | { |
| maclobdell | 0:f7c60d3e7b8a | 256 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 257 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 258 | } |
| maclobdell | 0:f7c60d3e7b8a | 259 | |
| maclobdell | 0:f7c60d3e7b8a | 260 | /* Don't allow our peer to make us allocate too much memory, |
| maclobdell | 0:f7c60d3e7b8a | 261 | * and leave room for a final 0 */ |
| maclobdell | 0:f7c60d3e7b8a | 262 | our_size = list_size / 2 + 1; |
| maclobdell | 0:f7c60d3e7b8a | 263 | if( our_size > MBEDTLS_ECP_DP_MAX ) |
| maclobdell | 0:f7c60d3e7b8a | 264 | our_size = MBEDTLS_ECP_DP_MAX; |
| maclobdell | 0:f7c60d3e7b8a | 265 | |
| maclobdell | 0:f7c60d3e7b8a | 266 | if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 267 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
| maclobdell | 0:f7c60d3e7b8a | 268 | |
| maclobdell | 0:f7c60d3e7b8a | 269 | ssl->handshake->curves = curves; |
| maclobdell | 0:f7c60d3e7b8a | 270 | |
| maclobdell | 0:f7c60d3e7b8a | 271 | p = buf + 2; |
| maclobdell | 0:f7c60d3e7b8a | 272 | while( list_size > 0 && our_size > 1 ) |
| maclobdell | 0:f7c60d3e7b8a | 273 | { |
| maclobdell | 0:f7c60d3e7b8a | 274 | curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); |
| maclobdell | 0:f7c60d3e7b8a | 275 | |
| maclobdell | 0:f7c60d3e7b8a | 276 | if( curve_info != NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 277 | { |
| maclobdell | 0:f7c60d3e7b8a | 278 | *curves++ = curve_info; |
| maclobdell | 0:f7c60d3e7b8a | 279 | our_size--; |
| maclobdell | 0:f7c60d3e7b8a | 280 | } |
| maclobdell | 0:f7c60d3e7b8a | 281 | |
| maclobdell | 0:f7c60d3e7b8a | 282 | list_size -= 2; |
| maclobdell | 0:f7c60d3e7b8a | 283 | p += 2; |
| maclobdell | 0:f7c60d3e7b8a | 284 | } |
| maclobdell | 0:f7c60d3e7b8a | 285 | |
| maclobdell | 0:f7c60d3e7b8a | 286 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 287 | } |
| maclobdell | 0:f7c60d3e7b8a | 288 | |
| maclobdell | 0:f7c60d3e7b8a | 289 | static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 290 | const unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 291 | size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 292 | { |
| maclobdell | 0:f7c60d3e7b8a | 293 | size_t list_size; |
| maclobdell | 0:f7c60d3e7b8a | 294 | const unsigned char *p; |
| maclobdell | 0:f7c60d3e7b8a | 295 | |
| maclobdell | 0:f7c60d3e7b8a | 296 | list_size = buf[0]; |
| maclobdell | 0:f7c60d3e7b8a | 297 | if( list_size + 1 != len ) |
| maclobdell | 0:f7c60d3e7b8a | 298 | { |
| maclobdell | 0:f7c60d3e7b8a | 299 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 300 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 301 | } |
| maclobdell | 0:f7c60d3e7b8a | 302 | |
| maclobdell | 0:f7c60d3e7b8a | 303 | p = buf + 1; |
| maclobdell | 0:f7c60d3e7b8a | 304 | while( list_size > 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 305 | { |
| maclobdell | 0:f7c60d3e7b8a | 306 | if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || |
| maclobdell | 0:f7c60d3e7b8a | 307 | p[0] == MBEDTLS_ECP_PF_COMPRESSED ) |
| maclobdell | 0:f7c60d3e7b8a | 308 | { |
| maclobdell | 0:f7c60d3e7b8a | 309 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) |
| maclobdell | 0:f7c60d3e7b8a | 310 | ssl->handshake->ecdh_ctx.point_format = p[0]; |
| maclobdell | 0:f7c60d3e7b8a | 311 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 312 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 313 | ssl->handshake->ecjpake_ctx.point_format = p[0]; |
| maclobdell | 0:f7c60d3e7b8a | 314 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 315 | MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 316 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 317 | } |
| maclobdell | 0:f7c60d3e7b8a | 318 | |
| maclobdell | 0:f7c60d3e7b8a | 319 | list_size--; |
| maclobdell | 0:f7c60d3e7b8a | 320 | p++; |
| maclobdell | 0:f7c60d3e7b8a | 321 | } |
| maclobdell | 0:f7c60d3e7b8a | 322 | |
| maclobdell | 0:f7c60d3e7b8a | 323 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 324 | } |
| maclobdell | 0:f7c60d3e7b8a | 325 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| maclobdell | 0:f7c60d3e7b8a | 326 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 327 | |
| maclobdell | 0:f7c60d3e7b8a | 328 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 329 | static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 330 | const unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 331 | size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 332 | { |
| maclobdell | 0:f7c60d3e7b8a | 333 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 334 | |
| maclobdell | 0:f7c60d3e7b8a | 335 | if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 336 | { |
| maclobdell | 0:f7c60d3e7b8a | 337 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 338 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 339 | } |
| maclobdell | 0:f7c60d3e7b8a | 340 | |
| maclobdell | 0:f7c60d3e7b8a | 341 | if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, |
| maclobdell | 0:f7c60d3e7b8a | 342 | buf, len ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 343 | { |
| maclobdell | 0:f7c60d3e7b8a | 344 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 345 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 346 | } |
| maclobdell | 0:f7c60d3e7b8a | 347 | |
| maclobdell | 0:f7c60d3e7b8a | 348 | /* Only mark the extension as OK when we're sure it is */ |
| maclobdell | 0:f7c60d3e7b8a | 349 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; |
| maclobdell | 0:f7c60d3e7b8a | 350 | |
| maclobdell | 0:f7c60d3e7b8a | 351 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 352 | } |
| maclobdell | 0:f7c60d3e7b8a | 353 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 354 | |
| maclobdell | 0:f7c60d3e7b8a | 355 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| maclobdell | 0:f7c60d3e7b8a | 356 | static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 357 | const unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 358 | size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 359 | { |
| maclobdell | 0:f7c60d3e7b8a | 360 | if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ) |
| maclobdell | 0:f7c60d3e7b8a | 361 | { |
| maclobdell | 0:f7c60d3e7b8a | 362 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 363 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 364 | } |
| maclobdell | 0:f7c60d3e7b8a | 365 | |
| maclobdell | 0:f7c60d3e7b8a | 366 | ssl->session_negotiate->mfl_code = buf[0]; |
| maclobdell | 0:f7c60d3e7b8a | 367 | |
| maclobdell | 0:f7c60d3e7b8a | 368 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 369 | } |
| maclobdell | 0:f7c60d3e7b8a | 370 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| maclobdell | 0:f7c60d3e7b8a | 371 | |
| maclobdell | 0:f7c60d3e7b8a | 372 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
| maclobdell | 0:f7c60d3e7b8a | 373 | static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 374 | const unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 375 | size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 376 | { |
| maclobdell | 0:f7c60d3e7b8a | 377 | if( len != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 378 | { |
| maclobdell | 0:f7c60d3e7b8a | 379 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 380 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 381 | } |
| maclobdell | 0:f7c60d3e7b8a | 382 | |
| maclobdell | 0:f7c60d3e7b8a | 383 | ((void) buf); |
| maclobdell | 0:f7c60d3e7b8a | 384 | |
| maclobdell | 0:f7c60d3e7b8a | 385 | if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) |
| maclobdell | 0:f7c60d3e7b8a | 386 | ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; |
| maclobdell | 0:f7c60d3e7b8a | 387 | |
| maclobdell | 0:f7c60d3e7b8a | 388 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 389 | } |
| maclobdell | 0:f7c60d3e7b8a | 390 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
| maclobdell | 0:f7c60d3e7b8a | 391 | |
| maclobdell | 0:f7c60d3e7b8a | 392 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| maclobdell | 0:f7c60d3e7b8a | 393 | static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 394 | const unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 395 | size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 396 | { |
| maclobdell | 0:f7c60d3e7b8a | 397 | if( len != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 398 | { |
| maclobdell | 0:f7c60d3e7b8a | 399 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 400 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 401 | } |
| maclobdell | 0:f7c60d3e7b8a | 402 | |
| maclobdell | 0:f7c60d3e7b8a | 403 | ((void) buf); |
| maclobdell | 0:f7c60d3e7b8a | 404 | |
| maclobdell | 0:f7c60d3e7b8a | 405 | if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && |
| maclobdell | 0:f7c60d3e7b8a | 406 | ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) |
| maclobdell | 0:f7c60d3e7b8a | 407 | { |
| maclobdell | 0:f7c60d3e7b8a | 408 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; |
| maclobdell | 0:f7c60d3e7b8a | 409 | } |
| maclobdell | 0:f7c60d3e7b8a | 410 | |
| maclobdell | 0:f7c60d3e7b8a | 411 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 412 | } |
| maclobdell | 0:f7c60d3e7b8a | 413 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| maclobdell | 0:f7c60d3e7b8a | 414 | |
| maclobdell | 0:f7c60d3e7b8a | 415 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| maclobdell | 0:f7c60d3e7b8a | 416 | static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 417 | const unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 418 | size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 419 | { |
| maclobdell | 0:f7c60d3e7b8a | 420 | if( len != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 421 | { |
| maclobdell | 0:f7c60d3e7b8a | 422 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 423 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 424 | } |
| maclobdell | 0:f7c60d3e7b8a | 425 | |
| maclobdell | 0:f7c60d3e7b8a | 426 | ((void) buf); |
| maclobdell | 0:f7c60d3e7b8a | 427 | |
| maclobdell | 0:f7c60d3e7b8a | 428 | if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && |
| maclobdell | 0:f7c60d3e7b8a | 429 | ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) |
| maclobdell | 0:f7c60d3e7b8a | 430 | { |
| maclobdell | 0:f7c60d3e7b8a | 431 | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; |
| maclobdell | 0:f7c60d3e7b8a | 432 | } |
| maclobdell | 0:f7c60d3e7b8a | 433 | |
| maclobdell | 0:f7c60d3e7b8a | 434 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 435 | } |
| maclobdell | 0:f7c60d3e7b8a | 436 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| maclobdell | 0:f7c60d3e7b8a | 437 | |
| maclobdell | 0:f7c60d3e7b8a | 438 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| maclobdell | 0:f7c60d3e7b8a | 439 | static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 440 | unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 441 | size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 442 | { |
| maclobdell | 0:f7c60d3e7b8a | 443 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 444 | mbedtls_ssl_session session; |
| maclobdell | 0:f7c60d3e7b8a | 445 | |
| maclobdell | 0:f7c60d3e7b8a | 446 | mbedtls_ssl_session_init( &session ); |
| maclobdell | 0:f7c60d3e7b8a | 447 | |
| maclobdell | 0:f7c60d3e7b8a | 448 | if( ssl->conf->f_ticket_parse == NULL || |
| maclobdell | 0:f7c60d3e7b8a | 449 | ssl->conf->f_ticket_write == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 450 | { |
| maclobdell | 0:f7c60d3e7b8a | 451 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 452 | } |
| maclobdell | 0:f7c60d3e7b8a | 453 | |
| maclobdell | 0:f7c60d3e7b8a | 454 | /* Remember the client asked us to send a new ticket */ |
| maclobdell | 0:f7c60d3e7b8a | 455 | ssl->handshake->new_session_ticket = 1; |
| maclobdell | 0:f7c60d3e7b8a | 456 | |
| maclobdell | 0:f7c60d3e7b8a | 457 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); |
| maclobdell | 0:f7c60d3e7b8a | 458 | |
| maclobdell | 0:f7c60d3e7b8a | 459 | if( len == 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 460 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 461 | |
| maclobdell | 0:f7c60d3e7b8a | 462 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 463 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 464 | { |
| maclobdell | 0:f7c60d3e7b8a | 465 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 466 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 467 | } |
| maclobdell | 0:f7c60d3e7b8a | 468 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| maclobdell | 0:f7c60d3e7b8a | 469 | |
| maclobdell | 0:f7c60d3e7b8a | 470 | /* |
| maclobdell | 0:f7c60d3e7b8a | 471 | * Failures are ok: just ignore the ticket and proceed. |
| maclobdell | 0:f7c60d3e7b8a | 472 | */ |
| maclobdell | 0:f7c60d3e7b8a | 473 | if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session, |
| maclobdell | 0:f7c60d3e7b8a | 474 | buf, len ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 475 | { |
| maclobdell | 0:f7c60d3e7b8a | 476 | mbedtls_ssl_session_free( &session ); |
| maclobdell | 0:f7c60d3e7b8a | 477 | |
| maclobdell | 0:f7c60d3e7b8a | 478 | if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) |
| maclobdell | 0:f7c60d3e7b8a | 479 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 480 | else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) |
| maclobdell | 0:f7c60d3e7b8a | 481 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 482 | else |
| maclobdell | 0:f7c60d3e7b8a | 483 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 484 | |
| maclobdell | 0:f7c60d3e7b8a | 485 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 486 | } |
| maclobdell | 0:f7c60d3e7b8a | 487 | |
| maclobdell | 0:f7c60d3e7b8a | 488 | /* |
| maclobdell | 0:f7c60d3e7b8a | 489 | * Keep the session ID sent by the client, since we MUST send it back to |
| maclobdell | 0:f7c60d3e7b8a | 490 | * inform them we're accepting the ticket (RFC 5077 section 3.4) |
| maclobdell | 0:f7c60d3e7b8a | 491 | */ |
| maclobdell | 0:f7c60d3e7b8a | 492 | session.id_len = ssl->session_negotiate->id_len; |
| maclobdell | 0:f7c60d3e7b8a | 493 | memcpy( &session.id, ssl->session_negotiate->id, session.id_len ); |
| maclobdell | 0:f7c60d3e7b8a | 494 | |
| maclobdell | 0:f7c60d3e7b8a | 495 | mbedtls_ssl_session_free( ssl->session_negotiate ); |
| maclobdell | 0:f7c60d3e7b8a | 496 | memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) ); |
| maclobdell | 0:f7c60d3e7b8a | 497 | |
| maclobdell | 0:f7c60d3e7b8a | 498 | /* Zeroize instead of free as we copied the content */ |
| maclobdell | 0:f7c60d3e7b8a | 499 | mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) ); |
| maclobdell | 0:f7c60d3e7b8a | 500 | |
| maclobdell | 0:f7c60d3e7b8a | 501 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 502 | |
| maclobdell | 0:f7c60d3e7b8a | 503 | ssl->handshake->resume = 1; |
| maclobdell | 0:f7c60d3e7b8a | 504 | |
| maclobdell | 0:f7c60d3e7b8a | 505 | /* Don't send a new ticket after all, this one is OK */ |
| maclobdell | 0:f7c60d3e7b8a | 506 | ssl->handshake->new_session_ticket = 0; |
| maclobdell | 0:f7c60d3e7b8a | 507 | |
| maclobdell | 0:f7c60d3e7b8a | 508 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 509 | } |
| maclobdell | 0:f7c60d3e7b8a | 510 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| maclobdell | 0:f7c60d3e7b8a | 511 | |
| maclobdell | 0:f7c60d3e7b8a | 512 | #if defined(MBEDTLS_SSL_ALPN) |
| maclobdell | 0:f7c60d3e7b8a | 513 | static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 514 | const unsigned char *buf, size_t len ) |
| maclobdell | 0:f7c60d3e7b8a | 515 | { |
| maclobdell | 0:f7c60d3e7b8a | 516 | size_t list_len, cur_len, ours_len; |
| maclobdell | 0:f7c60d3e7b8a | 517 | const unsigned char *theirs, *start, *end; |
| maclobdell | 0:f7c60d3e7b8a | 518 | const char **ours; |
| maclobdell | 0:f7c60d3e7b8a | 519 | |
| maclobdell | 0:f7c60d3e7b8a | 520 | /* If ALPN not configured, just ignore the extension */ |
| maclobdell | 0:f7c60d3e7b8a | 521 | if( ssl->conf->alpn_list == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 522 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 523 | |
| maclobdell | 0:f7c60d3e7b8a | 524 | /* |
| maclobdell | 0:f7c60d3e7b8a | 525 | * opaque ProtocolName<1..2^8-1>; |
| maclobdell | 0:f7c60d3e7b8a | 526 | * |
| maclobdell | 0:f7c60d3e7b8a | 527 | * struct { |
| maclobdell | 0:f7c60d3e7b8a | 528 | * ProtocolName protocol_name_list<2..2^16-1> |
| maclobdell | 0:f7c60d3e7b8a | 529 | * } ProtocolNameList; |
| maclobdell | 0:f7c60d3e7b8a | 530 | */ |
| maclobdell | 0:f7c60d3e7b8a | 531 | |
| maclobdell | 0:f7c60d3e7b8a | 532 | /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ |
| maclobdell | 0:f7c60d3e7b8a | 533 | if( len < 4 ) |
| maclobdell | 0:f7c60d3e7b8a | 534 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 535 | |
| maclobdell | 0:f7c60d3e7b8a | 536 | list_len = ( buf[0] << 8 ) | buf[1]; |
| maclobdell | 0:f7c60d3e7b8a | 537 | if( list_len != len - 2 ) |
| maclobdell | 0:f7c60d3e7b8a | 538 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 539 | |
| maclobdell | 0:f7c60d3e7b8a | 540 | /* |
| maclobdell | 0:f7c60d3e7b8a | 541 | * Use our order of preference |
| maclobdell | 0:f7c60d3e7b8a | 542 | */ |
| maclobdell | 0:f7c60d3e7b8a | 543 | start = buf + 2; |
| maclobdell | 0:f7c60d3e7b8a | 544 | end = buf + len; |
| maclobdell | 0:f7c60d3e7b8a | 545 | for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) |
| maclobdell | 0:f7c60d3e7b8a | 546 | { |
| maclobdell | 0:f7c60d3e7b8a | 547 | ours_len = strlen( *ours ); |
| maclobdell | 0:f7c60d3e7b8a | 548 | for( theirs = start; theirs != end; theirs += cur_len ) |
| maclobdell | 0:f7c60d3e7b8a | 549 | { |
| maclobdell | 0:f7c60d3e7b8a | 550 | /* If the list is well formed, we should get equality first */ |
| maclobdell | 0:f7c60d3e7b8a | 551 | if( theirs > end ) |
| maclobdell | 0:f7c60d3e7b8a | 552 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 553 | |
| maclobdell | 0:f7c60d3e7b8a | 554 | cur_len = *theirs++; |
| maclobdell | 0:f7c60d3e7b8a | 555 | |
| maclobdell | 0:f7c60d3e7b8a | 556 | /* Empty strings MUST NOT be included */ |
| maclobdell | 0:f7c60d3e7b8a | 557 | if( cur_len == 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 558 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 559 | |
| maclobdell | 0:f7c60d3e7b8a | 560 | if( cur_len == ours_len && |
| maclobdell | 0:f7c60d3e7b8a | 561 | memcmp( theirs, *ours, cur_len ) == 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 562 | { |
| maclobdell | 0:f7c60d3e7b8a | 563 | ssl->alpn_chosen = *ours; |
| maclobdell | 0:f7c60d3e7b8a | 564 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 565 | } |
| maclobdell | 0:f7c60d3e7b8a | 566 | } |
| maclobdell | 0:f7c60d3e7b8a | 567 | } |
| maclobdell | 0:f7c60d3e7b8a | 568 | |
| maclobdell | 0:f7c60d3e7b8a | 569 | /* If we get there, no match was found */ |
| maclobdell | 0:f7c60d3e7b8a | 570 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| maclobdell | 0:f7c60d3e7b8a | 571 | MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); |
| maclobdell | 0:f7c60d3e7b8a | 572 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 573 | } |
| maclobdell | 0:f7c60d3e7b8a | 574 | #endif /* MBEDTLS_SSL_ALPN */ |
| maclobdell | 0:f7c60d3e7b8a | 575 | |
| maclobdell | 0:f7c60d3e7b8a | 576 | /* |
| maclobdell | 0:f7c60d3e7b8a | 577 | * Auxiliary functions for ServerHello parsing and related actions |
| maclobdell | 0:f7c60d3e7b8a | 578 | */ |
| maclobdell | 0:f7c60d3e7b8a | 579 | |
| maclobdell | 0:f7c60d3e7b8a | 580 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| maclobdell | 0:f7c60d3e7b8a | 581 | /* |
| maclobdell | 0:f7c60d3e7b8a | 582 | * Return 0 if the given key uses one of the acceptable curves, -1 otherwise |
| maclobdell | 0:f7c60d3e7b8a | 583 | */ |
| maclobdell | 0:f7c60d3e7b8a | 584 | #if defined(MBEDTLS_ECDSA_C) |
| maclobdell | 0:f7c60d3e7b8a | 585 | static int ssl_check_key_curve( mbedtls_pk_context *pk, |
| maclobdell | 0:f7c60d3e7b8a | 586 | const mbedtls_ecp_curve_info **curves ) |
| maclobdell | 0:f7c60d3e7b8a | 587 | { |
| maclobdell | 0:f7c60d3e7b8a | 588 | const mbedtls_ecp_curve_info **crv = curves; |
| maclobdell | 0:f7c60d3e7b8a | 589 | mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id; |
| maclobdell | 0:f7c60d3e7b8a | 590 | |
| maclobdell | 0:f7c60d3e7b8a | 591 | while( *crv != NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 592 | { |
| maclobdell | 0:f7c60d3e7b8a | 593 | if( (*crv)->grp_id == grp_id ) |
| maclobdell | 0:f7c60d3e7b8a | 594 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 595 | crv++; |
| maclobdell | 0:f7c60d3e7b8a | 596 | } |
| maclobdell | 0:f7c60d3e7b8a | 597 | |
| maclobdell | 0:f7c60d3e7b8a | 598 | return( -1 ); |
| maclobdell | 0:f7c60d3e7b8a | 599 | } |
| maclobdell | 0:f7c60d3e7b8a | 600 | #endif /* MBEDTLS_ECDSA_C */ |
| maclobdell | 0:f7c60d3e7b8a | 601 | |
| maclobdell | 0:f7c60d3e7b8a | 602 | /* |
| maclobdell | 0:f7c60d3e7b8a | 603 | * Try picking a certificate for this ciphersuite, |
| maclobdell | 0:f7c60d3e7b8a | 604 | * return 0 on success and -1 on failure. |
| maclobdell | 0:f7c60d3e7b8a | 605 | */ |
| maclobdell | 0:f7c60d3e7b8a | 606 | static int ssl_pick_cert( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 607 | const mbedtls_ssl_ciphersuite_t * ciphersuite_info ) |
| maclobdell | 0:f7c60d3e7b8a | 608 | { |
| maclobdell | 0:f7c60d3e7b8a | 609 | mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; |
| maclobdell | 0:f7c60d3e7b8a | 610 | mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); |
| maclobdell | 0:f7c60d3e7b8a | 611 | uint32_t flags; |
| maclobdell | 0:f7c60d3e7b8a | 612 | |
| maclobdell | 0:f7c60d3e7b8a | 613 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| maclobdell | 0:f7c60d3e7b8a | 614 | if( ssl->handshake->sni_key_cert != NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 615 | list = ssl->handshake->sni_key_cert; |
| maclobdell | 0:f7c60d3e7b8a | 616 | else |
| maclobdell | 0:f7c60d3e7b8a | 617 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 618 | list = ssl->conf->key_cert; |
| maclobdell | 0:f7c60d3e7b8a | 619 | |
| maclobdell | 0:f7c60d3e7b8a | 620 | if( pk_alg == MBEDTLS_PK_NONE ) |
| maclobdell | 0:f7c60d3e7b8a | 621 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 622 | |
| maclobdell | 0:f7c60d3e7b8a | 623 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 624 | |
| maclobdell | 0:f7c60d3e7b8a | 625 | if( list == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 626 | { |
| maclobdell | 0:f7c60d3e7b8a | 627 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 628 | return( -1 ); |
| maclobdell | 0:f7c60d3e7b8a | 629 | } |
| maclobdell | 0:f7c60d3e7b8a | 630 | |
| maclobdell | 0:f7c60d3e7b8a | 631 | for( cur = list; cur != NULL; cur = cur->next ) |
| maclobdell | 0:f7c60d3e7b8a | 632 | { |
| maclobdell | 0:f7c60d3e7b8a | 633 | MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", |
| maclobdell | 0:f7c60d3e7b8a | 634 | cur->cert ); |
| maclobdell | 0:f7c60d3e7b8a | 635 | |
| maclobdell | 0:f7c60d3e7b8a | 636 | if( ! mbedtls_pk_can_do( cur->key, pk_alg ) ) |
| maclobdell | 0:f7c60d3e7b8a | 637 | { |
| maclobdell | 0:f7c60d3e7b8a | 638 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 639 | continue; |
| maclobdell | 0:f7c60d3e7b8a | 640 | } |
| maclobdell | 0:f7c60d3e7b8a | 641 | |
| maclobdell | 0:f7c60d3e7b8a | 642 | /* |
| maclobdell | 0:f7c60d3e7b8a | 643 | * This avoids sending the client a cert it'll reject based on |
| maclobdell | 0:f7c60d3e7b8a | 644 | * keyUsage or other extensions. |
| maclobdell | 0:f7c60d3e7b8a | 645 | * |
| maclobdell | 0:f7c60d3e7b8a | 646 | * It also allows the user to provision different certificates for |
| maclobdell | 0:f7c60d3e7b8a | 647 | * different uses based on keyUsage, eg if they want to avoid signing |
| maclobdell | 0:f7c60d3e7b8a | 648 | * and decrypting with the same RSA key. |
| maclobdell | 0:f7c60d3e7b8a | 649 | */ |
| maclobdell | 0:f7c60d3e7b8a | 650 | if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info, |
| maclobdell | 0:f7c60d3e7b8a | 651 | MBEDTLS_SSL_IS_SERVER, &flags ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 652 | { |
| maclobdell | 0:f7c60d3e7b8a | 653 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: " |
| maclobdell | 0:f7c60d3e7b8a | 654 | "(extended) key usage extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 655 | continue; |
| maclobdell | 0:f7c60d3e7b8a | 656 | } |
| maclobdell | 0:f7c60d3e7b8a | 657 | |
| maclobdell | 0:f7c60d3e7b8a | 658 | #if defined(MBEDTLS_ECDSA_C) |
| maclobdell | 0:f7c60d3e7b8a | 659 | if( pk_alg == MBEDTLS_PK_ECDSA && |
| maclobdell | 0:f7c60d3e7b8a | 660 | ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 661 | { |
| maclobdell | 0:f7c60d3e7b8a | 662 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 663 | continue; |
| maclobdell | 0:f7c60d3e7b8a | 664 | } |
| maclobdell | 0:f7c60d3e7b8a | 665 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 666 | |
| maclobdell | 0:f7c60d3e7b8a | 667 | /* |
| maclobdell | 0:f7c60d3e7b8a | 668 | * Try to select a SHA-1 certificate for pre-1.2 clients, but still |
| maclobdell | 0:f7c60d3e7b8a | 669 | * present them a SHA-higher cert rather than failing if it's the only |
| maclobdell | 0:f7c60d3e7b8a | 670 | * one we got that satisfies the other conditions. |
| maclobdell | 0:f7c60d3e7b8a | 671 | */ |
| maclobdell | 0:f7c60d3e7b8a | 672 | if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 && |
| maclobdell | 0:f7c60d3e7b8a | 673 | cur->cert->sig_md != MBEDTLS_MD_SHA1 ) |
| maclobdell | 0:f7c60d3e7b8a | 674 | { |
| maclobdell | 0:f7c60d3e7b8a | 675 | if( fallback == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 676 | fallback = cur; |
| maclobdell | 0:f7c60d3e7b8a | 677 | { |
| maclobdell | 0:f7c60d3e7b8a | 678 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: " |
| maclobdell | 0:f7c60d3e7b8a | 679 | "sha-2 with pre-TLS 1.2 client" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 680 | continue; |
| maclobdell | 0:f7c60d3e7b8a | 681 | } |
| maclobdell | 0:f7c60d3e7b8a | 682 | } |
| maclobdell | 0:f7c60d3e7b8a | 683 | |
| maclobdell | 0:f7c60d3e7b8a | 684 | /* If we get there, we got a winner */ |
| maclobdell | 0:f7c60d3e7b8a | 685 | break; |
| maclobdell | 0:f7c60d3e7b8a | 686 | } |
| maclobdell | 0:f7c60d3e7b8a | 687 | |
| maclobdell | 0:f7c60d3e7b8a | 688 | if( cur == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 689 | cur = fallback; |
| maclobdell | 0:f7c60d3e7b8a | 690 | |
| maclobdell | 0:f7c60d3e7b8a | 691 | /* Do not update ssl->handshake->key_cert unless there is a match */ |
| maclobdell | 0:f7c60d3e7b8a | 692 | if( cur != NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 693 | { |
| maclobdell | 0:f7c60d3e7b8a | 694 | ssl->handshake->key_cert = cur; |
| maclobdell | 0:f7c60d3e7b8a | 695 | MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate", |
| maclobdell | 0:f7c60d3e7b8a | 696 | ssl->handshake->key_cert->cert ); |
| maclobdell | 0:f7c60d3e7b8a | 697 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 698 | } |
| maclobdell | 0:f7c60d3e7b8a | 699 | |
| maclobdell | 0:f7c60d3e7b8a | 700 | return( -1 ); |
| maclobdell | 0:f7c60d3e7b8a | 701 | } |
| maclobdell | 0:f7c60d3e7b8a | 702 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
| maclobdell | 0:f7c60d3e7b8a | 703 | |
| maclobdell | 0:f7c60d3e7b8a | 704 | /* |
| maclobdell | 0:f7c60d3e7b8a | 705 | * Check if a given ciphersuite is suitable for use with our config/keys/etc |
| maclobdell | 0:f7c60d3e7b8a | 706 | * Sets ciphersuite_info only if the suite matches. |
| maclobdell | 0:f7c60d3e7b8a | 707 | */ |
| maclobdell | 0:f7c60d3e7b8a | 708 | static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, |
| maclobdell | 0:f7c60d3e7b8a | 709 | const mbedtls_ssl_ciphersuite_t **ciphersuite_info ) |
| maclobdell | 0:f7c60d3e7b8a | 710 | { |
| maclobdell | 0:f7c60d3e7b8a | 711 | const mbedtls_ssl_ciphersuite_t *suite_info; |
| maclobdell | 0:f7c60d3e7b8a | 712 | |
| maclobdell | 0:f7c60d3e7b8a | 713 | suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id ); |
| maclobdell | 0:f7c60d3e7b8a | 714 | if( suite_info == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 715 | { |
| maclobdell | 0:f7c60d3e7b8a | 716 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 717 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| maclobdell | 0:f7c60d3e7b8a | 718 | } |
| maclobdell | 0:f7c60d3e7b8a | 719 | |
| maclobdell | 0:f7c60d3e7b8a | 720 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); |
| maclobdell | 0:f7c60d3e7b8a | 721 | |
| maclobdell | 0:f7c60d3e7b8a | 722 | if( suite_info->min_minor_ver > ssl->minor_ver || |
| maclobdell | 0:f7c60d3e7b8a | 723 | suite_info->max_minor_ver < ssl->minor_ver ) |
| maclobdell | 0:f7c60d3e7b8a | 724 | { |
| maclobdell | 0:f7c60d3e7b8a | 725 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 726 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 727 | } |
| maclobdell | 0:f7c60d3e7b8a | 728 | |
| maclobdell | 0:f7c60d3e7b8a | 729 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 730 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| maclobdell | 0:f7c60d3e7b8a | 731 | ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) |
| maclobdell | 0:f7c60d3e7b8a | 732 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 733 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 734 | |
| maclobdell | 0:f7c60d3e7b8a | 735 | #if defined(MBEDTLS_ARC4_C) |
| maclobdell | 0:f7c60d3e7b8a | 736 | if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && |
| maclobdell | 0:f7c60d3e7b8a | 737 | suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) |
| maclobdell | 0:f7c60d3e7b8a | 738 | { |
| maclobdell | 0:f7c60d3e7b8a | 739 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 740 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 741 | } |
| maclobdell | 0:f7c60d3e7b8a | 742 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 743 | |
| maclobdell | 0:f7c60d3e7b8a | 744 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 745 | if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && |
| maclobdell | 0:f7c60d3e7b8a | 746 | ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 747 | { |
| maclobdell | 0:f7c60d3e7b8a | 748 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake " |
| maclobdell | 0:f7c60d3e7b8a | 749 | "not configured or ext missing" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 750 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 751 | } |
| maclobdell | 0:f7c60d3e7b8a | 752 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 753 | |
| maclobdell | 0:f7c60d3e7b8a | 754 | |
| maclobdell | 0:f7c60d3e7b8a | 755 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) |
| maclobdell | 0:f7c60d3e7b8a | 756 | if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && |
| maclobdell | 0:f7c60d3e7b8a | 757 | ( ssl->handshake->curves == NULL || |
| maclobdell | 0:f7c60d3e7b8a | 758 | ssl->handshake->curves[0] == NULL ) ) |
| maclobdell | 0:f7c60d3e7b8a | 759 | { |
| maclobdell | 0:f7c60d3e7b8a | 760 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " |
| maclobdell | 0:f7c60d3e7b8a | 761 | "no common elliptic curve" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 762 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 763 | } |
| maclobdell | 0:f7c60d3e7b8a | 764 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 765 | |
| maclobdell | 0:f7c60d3e7b8a | 766 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 767 | /* If the ciphersuite requires a pre-shared key and we don't |
| maclobdell | 0:f7c60d3e7b8a | 768 | * have one, skip it now rather than failing later */ |
| maclobdell | 0:f7c60d3e7b8a | 769 | if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && |
| maclobdell | 0:f7c60d3e7b8a | 770 | ssl->conf->f_psk == NULL && |
| maclobdell | 0:f7c60d3e7b8a | 771 | ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || |
| maclobdell | 0:f7c60d3e7b8a | 772 | ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) |
| maclobdell | 0:f7c60d3e7b8a | 773 | { |
| maclobdell | 0:f7c60d3e7b8a | 774 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 775 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 776 | } |
| maclobdell | 0:f7c60d3e7b8a | 777 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 778 | |
| maclobdell | 0:f7c60d3e7b8a | 779 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| maclobdell | 0:f7c60d3e7b8a | 780 | /* |
| maclobdell | 0:f7c60d3e7b8a | 781 | * Final check: if ciphersuite requires us to have a |
| maclobdell | 0:f7c60d3e7b8a | 782 | * certificate/key of a particular type: |
| maclobdell | 0:f7c60d3e7b8a | 783 | * - select the appropriate certificate if we have one, or |
| maclobdell | 0:f7c60d3e7b8a | 784 | * - try the next ciphersuite if we don't |
| maclobdell | 0:f7c60d3e7b8a | 785 | * This must be done last since we modify the key_cert list. |
| maclobdell | 0:f7c60d3e7b8a | 786 | */ |
| maclobdell | 0:f7c60d3e7b8a | 787 | if( ssl_pick_cert( ssl, suite_info ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 788 | { |
| maclobdell | 0:f7c60d3e7b8a | 789 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " |
| maclobdell | 0:f7c60d3e7b8a | 790 | "no suitable certificate" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 791 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 792 | } |
| maclobdell | 0:f7c60d3e7b8a | 793 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 794 | |
| maclobdell | 0:f7c60d3e7b8a | 795 | *ciphersuite_info = suite_info; |
| maclobdell | 0:f7c60d3e7b8a | 796 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 797 | } |
| maclobdell | 0:f7c60d3e7b8a | 798 | |
| maclobdell | 0:f7c60d3e7b8a | 799 | #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) |
| maclobdell | 0:f7c60d3e7b8a | 800 | static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 801 | { |
| maclobdell | 0:f7c60d3e7b8a | 802 | int ret, got_common_suite; |
| maclobdell | 0:f7c60d3e7b8a | 803 | unsigned int i, j; |
| maclobdell | 0:f7c60d3e7b8a | 804 | size_t n; |
| maclobdell | 0:f7c60d3e7b8a | 805 | unsigned int ciph_len, sess_len, chal_len; |
| maclobdell | 0:f7c60d3e7b8a | 806 | unsigned char *buf, *p; |
| maclobdell | 0:f7c60d3e7b8a | 807 | const int *ciphersuites; |
| maclobdell | 0:f7c60d3e7b8a | 808 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| maclobdell | 0:f7c60d3e7b8a | 809 | |
| maclobdell | 0:f7c60d3e7b8a | 810 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 811 | |
| maclobdell | 0:f7c60d3e7b8a | 812 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 813 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 814 | { |
| maclobdell | 0:f7c60d3e7b8a | 815 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 816 | |
| maclobdell | 0:f7c60d3e7b8a | 817 | if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 818 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 819 | |
| maclobdell | 0:f7c60d3e7b8a | 820 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 821 | } |
| maclobdell | 0:f7c60d3e7b8a | 822 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| maclobdell | 0:f7c60d3e7b8a | 823 | |
| maclobdell | 0:f7c60d3e7b8a | 824 | buf = ssl->in_hdr; |
| maclobdell | 0:f7c60d3e7b8a | 825 | |
| maclobdell | 0:f7c60d3e7b8a | 826 | MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 ); |
| maclobdell | 0:f7c60d3e7b8a | 827 | |
| maclobdell | 0:f7c60d3e7b8a | 828 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", |
| maclobdell | 0:f7c60d3e7b8a | 829 | buf[2] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 830 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", |
| maclobdell | 0:f7c60d3e7b8a | 831 | ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 832 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", |
| maclobdell | 0:f7c60d3e7b8a | 833 | buf[3], buf[4] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 834 | |
| maclobdell | 0:f7c60d3e7b8a | 835 | /* |
| maclobdell | 0:f7c60d3e7b8a | 836 | * SSLv2 Client Hello |
| maclobdell | 0:f7c60d3e7b8a | 837 | * |
| maclobdell | 0:f7c60d3e7b8a | 838 | * Record layer: |
| maclobdell | 0:f7c60d3e7b8a | 839 | * 0 . 1 message length |
| maclobdell | 0:f7c60d3e7b8a | 840 | * |
| maclobdell | 0:f7c60d3e7b8a | 841 | * SSL layer: |
| maclobdell | 0:f7c60d3e7b8a | 842 | * 2 . 2 message type |
| maclobdell | 0:f7c60d3e7b8a | 843 | * 3 . 4 protocol version |
| maclobdell | 0:f7c60d3e7b8a | 844 | */ |
| maclobdell | 0:f7c60d3e7b8a | 845 | if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO || |
| maclobdell | 0:f7c60d3e7b8a | 846 | buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 ) |
| maclobdell | 0:f7c60d3e7b8a | 847 | { |
| maclobdell | 0:f7c60d3e7b8a | 848 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 849 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 850 | } |
| maclobdell | 0:f7c60d3e7b8a | 851 | |
| maclobdell | 0:f7c60d3e7b8a | 852 | n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; |
| maclobdell | 0:f7c60d3e7b8a | 853 | |
| maclobdell | 0:f7c60d3e7b8a | 854 | if( n < 17 || n > 512 ) |
| maclobdell | 0:f7c60d3e7b8a | 855 | { |
| maclobdell | 0:f7c60d3e7b8a | 856 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 857 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 858 | } |
| maclobdell | 0:f7c60d3e7b8a | 859 | |
| maclobdell | 0:f7c60d3e7b8a | 860 | ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; |
| maclobdell | 0:f7c60d3e7b8a | 861 | ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver ) |
| maclobdell | 0:f7c60d3e7b8a | 862 | ? buf[4] : ssl->conf->max_minor_ver; |
| maclobdell | 0:f7c60d3e7b8a | 863 | |
| maclobdell | 0:f7c60d3e7b8a | 864 | if( ssl->minor_ver < ssl->conf->min_minor_ver ) |
| maclobdell | 0:f7c60d3e7b8a | 865 | { |
| maclobdell | 0:f7c60d3e7b8a | 866 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" |
| maclobdell | 0:f7c60d3e7b8a | 867 | " [%d:%d] < [%d:%d]", |
| maclobdell | 0:f7c60d3e7b8a | 868 | ssl->major_ver, ssl->minor_ver, |
| maclobdell | 0:f7c60d3e7b8a | 869 | ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); |
| maclobdell | 0:f7c60d3e7b8a | 870 | |
| maclobdell | 0:f7c60d3e7b8a | 871 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| maclobdell | 0:f7c60d3e7b8a | 872 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); |
| maclobdell | 0:f7c60d3e7b8a | 873 | return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); |
| maclobdell | 0:f7c60d3e7b8a | 874 | } |
| maclobdell | 0:f7c60d3e7b8a | 875 | |
| maclobdell | 0:f7c60d3e7b8a | 876 | ssl->handshake->max_major_ver = buf[3]; |
| maclobdell | 0:f7c60d3e7b8a | 877 | ssl->handshake->max_minor_ver = buf[4]; |
| maclobdell | 0:f7c60d3e7b8a | 878 | |
| maclobdell | 0:f7c60d3e7b8a | 879 | if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 880 | { |
| maclobdell | 0:f7c60d3e7b8a | 881 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 882 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 883 | } |
| maclobdell | 0:f7c60d3e7b8a | 884 | |
| maclobdell | 0:f7c60d3e7b8a | 885 | ssl->handshake->update_checksum( ssl, buf + 2, n ); |
| maclobdell | 0:f7c60d3e7b8a | 886 | |
| maclobdell | 0:f7c60d3e7b8a | 887 | buf = ssl->in_msg; |
| maclobdell | 0:f7c60d3e7b8a | 888 | n = ssl->in_left - 5; |
| maclobdell | 0:f7c60d3e7b8a | 889 | |
| maclobdell | 0:f7c60d3e7b8a | 890 | /* |
| maclobdell | 0:f7c60d3e7b8a | 891 | * 0 . 1 ciphersuitelist length |
| maclobdell | 0:f7c60d3e7b8a | 892 | * 2 . 3 session id length |
| maclobdell | 0:f7c60d3e7b8a | 893 | * 4 . 5 challenge length |
| maclobdell | 0:f7c60d3e7b8a | 894 | * 6 . .. ciphersuitelist |
| maclobdell | 0:f7c60d3e7b8a | 895 | * .. . .. session id |
| maclobdell | 0:f7c60d3e7b8a | 896 | * .. . .. challenge |
| maclobdell | 0:f7c60d3e7b8a | 897 | */ |
| maclobdell | 0:f7c60d3e7b8a | 898 | MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n ); |
| maclobdell | 0:f7c60d3e7b8a | 899 | |
| maclobdell | 0:f7c60d3e7b8a | 900 | ciph_len = ( buf[0] << 8 ) | buf[1]; |
| maclobdell | 0:f7c60d3e7b8a | 901 | sess_len = ( buf[2] << 8 ) | buf[3]; |
| maclobdell | 0:f7c60d3e7b8a | 902 | chal_len = ( buf[4] << 8 ) | buf[5]; |
| maclobdell | 0:f7c60d3e7b8a | 903 | |
| maclobdell | 0:f7c60d3e7b8a | 904 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", |
| maclobdell | 0:f7c60d3e7b8a | 905 | ciph_len, sess_len, chal_len ) ); |
| maclobdell | 0:f7c60d3e7b8a | 906 | |
| maclobdell | 0:f7c60d3e7b8a | 907 | /* |
| maclobdell | 0:f7c60d3e7b8a | 908 | * Make sure each parameter length is valid |
| maclobdell | 0:f7c60d3e7b8a | 909 | */ |
| maclobdell | 0:f7c60d3e7b8a | 910 | if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 911 | { |
| maclobdell | 0:f7c60d3e7b8a | 912 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 913 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 914 | } |
| maclobdell | 0:f7c60d3e7b8a | 915 | |
| maclobdell | 0:f7c60d3e7b8a | 916 | if( sess_len > 32 ) |
| maclobdell | 0:f7c60d3e7b8a | 917 | { |
| maclobdell | 0:f7c60d3e7b8a | 918 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 919 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 920 | } |
| maclobdell | 0:f7c60d3e7b8a | 921 | |
| maclobdell | 0:f7c60d3e7b8a | 922 | if( chal_len < 8 || chal_len > 32 ) |
| maclobdell | 0:f7c60d3e7b8a | 923 | { |
| maclobdell | 0:f7c60d3e7b8a | 924 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 925 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 926 | } |
| maclobdell | 0:f7c60d3e7b8a | 927 | |
| maclobdell | 0:f7c60d3e7b8a | 928 | if( n != 6 + ciph_len + sess_len + chal_len ) |
| maclobdell | 0:f7c60d3e7b8a | 929 | { |
| maclobdell | 0:f7c60d3e7b8a | 930 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 931 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 932 | } |
| maclobdell | 0:f7c60d3e7b8a | 933 | |
| maclobdell | 0:f7c60d3e7b8a | 934 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", |
| maclobdell | 0:f7c60d3e7b8a | 935 | buf + 6, ciph_len ); |
| maclobdell | 0:f7c60d3e7b8a | 936 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", |
| maclobdell | 0:f7c60d3e7b8a | 937 | buf + 6 + ciph_len, sess_len ); |
| maclobdell | 0:f7c60d3e7b8a | 938 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge", |
| maclobdell | 0:f7c60d3e7b8a | 939 | buf + 6 + ciph_len + sess_len, chal_len ); |
| maclobdell | 0:f7c60d3e7b8a | 940 | |
| maclobdell | 0:f7c60d3e7b8a | 941 | p = buf + 6 + ciph_len; |
| maclobdell | 0:f7c60d3e7b8a | 942 | ssl->session_negotiate->id_len = sess_len; |
| maclobdell | 0:f7c60d3e7b8a | 943 | memset( ssl->session_negotiate->id, 0, |
| maclobdell | 0:f7c60d3e7b8a | 944 | sizeof( ssl->session_negotiate->id ) ); |
| maclobdell | 0:f7c60d3e7b8a | 945 | memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len ); |
| maclobdell | 0:f7c60d3e7b8a | 946 | |
| maclobdell | 0:f7c60d3e7b8a | 947 | p += sess_len; |
| maclobdell | 0:f7c60d3e7b8a | 948 | memset( ssl->handshake->randbytes, 0, 64 ); |
| maclobdell | 0:f7c60d3e7b8a | 949 | memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ); |
| maclobdell | 0:f7c60d3e7b8a | 950 | |
| maclobdell | 0:f7c60d3e7b8a | 951 | /* |
| maclobdell | 0:f7c60d3e7b8a | 952 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
| maclobdell | 0:f7c60d3e7b8a | 953 | */ |
| maclobdell | 0:f7c60d3e7b8a | 954 | for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) |
| maclobdell | 0:f7c60d3e7b8a | 955 | { |
| maclobdell | 0:f7c60d3e7b8a | 956 | if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) |
| maclobdell | 0:f7c60d3e7b8a | 957 | { |
| maclobdell | 0:f7c60d3e7b8a | 958 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); |
| maclobdell | 0:f7c60d3e7b8a | 959 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 960 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) |
| maclobdell | 0:f7c60d3e7b8a | 961 | { |
| maclobdell | 0:f7c60d3e7b8a | 962 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " |
| maclobdell | 0:f7c60d3e7b8a | 963 | "during renegotiation" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 964 | |
| maclobdell | 0:f7c60d3e7b8a | 965 | if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 966 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 967 | |
| maclobdell | 0:f7c60d3e7b8a | 968 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 969 | } |
| maclobdell | 0:f7c60d3e7b8a | 970 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| maclobdell | 0:f7c60d3e7b8a | 971 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| maclobdell | 0:f7c60d3e7b8a | 972 | break; |
| maclobdell | 0:f7c60d3e7b8a | 973 | } |
| maclobdell | 0:f7c60d3e7b8a | 974 | } |
| maclobdell | 0:f7c60d3e7b8a | 975 | |
| maclobdell | 0:f7c60d3e7b8a | 976 | #if defined(MBEDTLS_SSL_FALLBACK_SCSV) |
| maclobdell | 0:f7c60d3e7b8a | 977 | for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) |
| maclobdell | 0:f7c60d3e7b8a | 978 | { |
| maclobdell | 0:f7c60d3e7b8a | 979 | if( p[0] == 0 && |
| maclobdell | 0:f7c60d3e7b8a | 980 | p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && |
| maclobdell | 0:f7c60d3e7b8a | 981 | p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) |
| maclobdell | 0:f7c60d3e7b8a | 982 | { |
| maclobdell | 0:f7c60d3e7b8a | 983 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 984 | |
| maclobdell | 0:f7c60d3e7b8a | 985 | if( ssl->minor_ver < ssl->conf->max_minor_ver ) |
| maclobdell | 0:f7c60d3e7b8a | 986 | { |
| maclobdell | 0:f7c60d3e7b8a | 987 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 988 | |
| maclobdell | 0:f7c60d3e7b8a | 989 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| maclobdell | 0:f7c60d3e7b8a | 990 | MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); |
| maclobdell | 0:f7c60d3e7b8a | 991 | |
| maclobdell | 0:f7c60d3e7b8a | 992 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 993 | } |
| maclobdell | 0:f7c60d3e7b8a | 994 | |
| maclobdell | 0:f7c60d3e7b8a | 995 | break; |
| maclobdell | 0:f7c60d3e7b8a | 996 | } |
| maclobdell | 0:f7c60d3e7b8a | 997 | } |
| maclobdell | 0:f7c60d3e7b8a | 998 | #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ |
| maclobdell | 0:f7c60d3e7b8a | 999 | |
| maclobdell | 0:f7c60d3e7b8a | 1000 | got_common_suite = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1001 | ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; |
| maclobdell | 0:f7c60d3e7b8a | 1002 | ciphersuite_info = NULL; |
| maclobdell | 0:f7c60d3e7b8a | 1003 | #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) |
| maclobdell | 0:f7c60d3e7b8a | 1004 | for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) |
| maclobdell | 0:f7c60d3e7b8a | 1005 | { |
| maclobdell | 0:f7c60d3e7b8a | 1006 | for( i = 0; ciphersuites[i] != 0; i++ ) |
| maclobdell | 0:f7c60d3e7b8a | 1007 | #else |
| maclobdell | 0:f7c60d3e7b8a | 1008 | for( i = 0; ciphersuites[i] != 0; i++ ) |
| maclobdell | 0:f7c60d3e7b8a | 1009 | { |
| maclobdell | 0:f7c60d3e7b8a | 1010 | for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) |
| maclobdell | 0:f7c60d3e7b8a | 1011 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1012 | { |
| maclobdell | 0:f7c60d3e7b8a | 1013 | if( p[0] != 0 || |
| maclobdell | 0:f7c60d3e7b8a | 1014 | p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || |
| maclobdell | 0:f7c60d3e7b8a | 1015 | p[2] != ( ( ciphersuites[i] ) & 0xFF ) ) |
| maclobdell | 0:f7c60d3e7b8a | 1016 | continue; |
| maclobdell | 0:f7c60d3e7b8a | 1017 | |
| maclobdell | 0:f7c60d3e7b8a | 1018 | got_common_suite = 1; |
| maclobdell | 0:f7c60d3e7b8a | 1019 | |
| maclobdell | 0:f7c60d3e7b8a | 1020 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], |
| maclobdell | 0:f7c60d3e7b8a | 1021 | &ciphersuite_info ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1022 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1023 | |
| maclobdell | 0:f7c60d3e7b8a | 1024 | if( ciphersuite_info != NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 1025 | goto have_ciphersuite_v2; |
| maclobdell | 0:f7c60d3e7b8a | 1026 | } |
| maclobdell | 0:f7c60d3e7b8a | 1027 | } |
| maclobdell | 0:f7c60d3e7b8a | 1028 | |
| maclobdell | 0:f7c60d3e7b8a | 1029 | if( got_common_suite ) |
| maclobdell | 0:f7c60d3e7b8a | 1030 | { |
| maclobdell | 0:f7c60d3e7b8a | 1031 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " |
| maclobdell | 0:f7c60d3e7b8a | 1032 | "but none of them usable" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1033 | return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); |
| maclobdell | 0:f7c60d3e7b8a | 1034 | } |
| maclobdell | 0:f7c60d3e7b8a | 1035 | else |
| maclobdell | 0:f7c60d3e7b8a | 1036 | { |
| maclobdell | 0:f7c60d3e7b8a | 1037 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1038 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); |
| maclobdell | 0:f7c60d3e7b8a | 1039 | } |
| maclobdell | 0:f7c60d3e7b8a | 1040 | |
| maclobdell | 0:f7c60d3e7b8a | 1041 | have_ciphersuite_v2: |
| maclobdell | 0:f7c60d3e7b8a | 1042 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1043 | |
| maclobdell | 0:f7c60d3e7b8a | 1044 | ssl->session_negotiate->ciphersuite = ciphersuites[i]; |
| maclobdell | 0:f7c60d3e7b8a | 1045 | ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; |
| maclobdell | 0:f7c60d3e7b8a | 1046 | mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); |
| maclobdell | 0:f7c60d3e7b8a | 1047 | |
| maclobdell | 0:f7c60d3e7b8a | 1048 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1049 | * SSLv2 Client Hello relevant renegotiation security checks |
| maclobdell | 0:f7c60d3e7b8a | 1050 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1051 | if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| maclobdell | 0:f7c60d3e7b8a | 1052 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 1053 | { |
| maclobdell | 0:f7c60d3e7b8a | 1054 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1055 | |
| maclobdell | 0:f7c60d3e7b8a | 1056 | if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1057 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1058 | |
| maclobdell | 0:f7c60d3e7b8a | 1059 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1060 | } |
| maclobdell | 0:f7c60d3e7b8a | 1061 | |
| maclobdell | 0:f7c60d3e7b8a | 1062 | ssl->in_left = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1063 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 1064 | |
| maclobdell | 0:f7c60d3e7b8a | 1065 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1066 | |
| maclobdell | 0:f7c60d3e7b8a | 1067 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 1068 | } |
| maclobdell | 0:f7c60d3e7b8a | 1069 | #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ |
| maclobdell | 0:f7c60d3e7b8a | 1070 | |
| maclobdell | 0:f7c60d3e7b8a | 1071 | static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 1072 | { |
| maclobdell | 0:f7c60d3e7b8a | 1073 | int ret, got_common_suite; |
| maclobdell | 0:f7c60d3e7b8a | 1074 | size_t i, j; |
| maclobdell | 0:f7c60d3e7b8a | 1075 | size_t ciph_offset, comp_offset, ext_offset; |
| maclobdell | 0:f7c60d3e7b8a | 1076 | size_t msg_len, ciph_len, sess_len, comp_len, ext_len; |
| maclobdell | 0:f7c60d3e7b8a | 1077 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 1078 | size_t cookie_offset, cookie_len; |
| maclobdell | 0:f7c60d3e7b8a | 1079 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1080 | unsigned char *buf, *p, *ext; |
| maclobdell | 0:f7c60d3e7b8a | 1081 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 1082 | int renegotiation_info_seen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1083 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1084 | int handshake_failure = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1085 | const int *ciphersuites; |
| maclobdell | 0:f7c60d3e7b8a | 1086 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| maclobdell | 0:f7c60d3e7b8a | 1087 | int major, minor; |
| maclobdell | 0:f7c60d3e7b8a | 1088 | |
| maclobdell | 0:f7c60d3e7b8a | 1089 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1090 | |
| maclobdell | 0:f7c60d3e7b8a | 1091 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
| maclobdell | 0:f7c60d3e7b8a | 1092 | read_record_header: |
| maclobdell | 0:f7c60d3e7b8a | 1093 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1094 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1095 | * If renegotiating, then the input was read with mbedtls_ssl_read_record(), |
| maclobdell | 0:f7c60d3e7b8a | 1096 | * otherwise read it ourselves manually in order to support SSLv2 |
| maclobdell | 0:f7c60d3e7b8a | 1097 | * ClientHello, which doesn't use the same record layer format. |
| maclobdell | 0:f7c60d3e7b8a | 1098 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1099 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 1100 | if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 1101 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1102 | { |
| maclobdell | 0:f7c60d3e7b8a | 1103 | if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1104 | { |
| maclobdell | 0:f7c60d3e7b8a | 1105 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1106 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1107 | } |
| maclobdell | 0:f7c60d3e7b8a | 1108 | } |
| maclobdell | 0:f7c60d3e7b8a | 1109 | |
| maclobdell | 0:f7c60d3e7b8a | 1110 | buf = ssl->in_hdr; |
| maclobdell | 0:f7c60d3e7b8a | 1111 | |
| maclobdell | 0:f7c60d3e7b8a | 1112 | #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) |
| maclobdell | 0:f7c60d3e7b8a | 1113 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 1114 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) |
| maclobdell | 0:f7c60d3e7b8a | 1115 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1116 | if( ( buf[0] & 0x80 ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1117 | return ssl_parse_client_hello_v2( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 1118 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1119 | |
| maclobdell | 0:f7c60d3e7b8a | 1120 | MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1121 | |
| maclobdell | 0:f7c60d3e7b8a | 1122 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1123 | * SSLv3/TLS Client Hello |
| maclobdell | 0:f7c60d3e7b8a | 1124 | * |
| maclobdell | 0:f7c60d3e7b8a | 1125 | * Record layer: |
| maclobdell | 0:f7c60d3e7b8a | 1126 | * 0 . 0 message type |
| maclobdell | 0:f7c60d3e7b8a | 1127 | * 1 . 2 protocol version |
| maclobdell | 0:f7c60d3e7b8a | 1128 | * 3 . 11 DTLS: epoch + record sequence number |
| maclobdell | 0:f7c60d3e7b8a | 1129 | * 3 . 4 message length |
| maclobdell | 0:f7c60d3e7b8a | 1130 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1131 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", |
| maclobdell | 0:f7c60d3e7b8a | 1132 | buf[0] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1133 | |
| maclobdell | 0:f7c60d3e7b8a | 1134 | if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 1135 | { |
| maclobdell | 0:f7c60d3e7b8a | 1136 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1137 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1138 | } |
| maclobdell | 0:f7c60d3e7b8a | 1139 | |
| maclobdell | 0:f7c60d3e7b8a | 1140 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", |
| maclobdell | 0:f7c60d3e7b8a | 1141 | ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1142 | |
| maclobdell | 0:f7c60d3e7b8a | 1143 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]", |
| maclobdell | 0:f7c60d3e7b8a | 1144 | buf[1], buf[2] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1145 | |
| maclobdell | 0:f7c60d3e7b8a | 1146 | mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 ); |
| maclobdell | 0:f7c60d3e7b8a | 1147 | |
| maclobdell | 0:f7c60d3e7b8a | 1148 | /* According to RFC 5246 Appendix E.1, the version here is typically |
| maclobdell | 0:f7c60d3e7b8a | 1149 | * "{03,00}, the lowest version number supported by the client, [or] the |
| maclobdell | 0:f7c60d3e7b8a | 1150 | * value of ClientHello.client_version", so the only meaningful check here |
| maclobdell | 0:f7c60d3e7b8a | 1151 | * is the major version shouldn't be less than 3 */ |
| maclobdell | 0:f7c60d3e7b8a | 1152 | if( major < MBEDTLS_SSL_MAJOR_VERSION_3 ) |
| maclobdell | 0:f7c60d3e7b8a | 1153 | { |
| maclobdell | 0:f7c60d3e7b8a | 1154 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1155 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1156 | } |
| maclobdell | 0:f7c60d3e7b8a | 1157 | |
| maclobdell | 0:f7c60d3e7b8a | 1158 | /* For DTLS if this is the initial handshake, remember the client sequence |
| maclobdell | 0:f7c60d3e7b8a | 1159 | * number to use it in our next message (RFC 6347 4.2.1) */ |
| maclobdell | 0:f7c60d3e7b8a | 1160 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 1161 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM |
| maclobdell | 0:f7c60d3e7b8a | 1162 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 1163 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE |
| maclobdell | 0:f7c60d3e7b8a | 1164 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1165 | ) |
| maclobdell | 0:f7c60d3e7b8a | 1166 | { |
| maclobdell | 0:f7c60d3e7b8a | 1167 | /* Epoch should be 0 for initial handshakes */ |
| maclobdell | 0:f7c60d3e7b8a | 1168 | if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1169 | { |
| maclobdell | 0:f7c60d3e7b8a | 1170 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1171 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1172 | } |
| maclobdell | 0:f7c60d3e7b8a | 1173 | |
| maclobdell | 0:f7c60d3e7b8a | 1174 | memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 ); |
| maclobdell | 0:f7c60d3e7b8a | 1175 | |
| maclobdell | 0:f7c60d3e7b8a | 1176 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
| maclobdell | 0:f7c60d3e7b8a | 1177 | if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1178 | { |
| maclobdell | 0:f7c60d3e7b8a | 1179 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1180 | ssl->next_record_offset = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1181 | ssl->in_left = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1182 | goto read_record_header; |
| maclobdell | 0:f7c60d3e7b8a | 1183 | } |
| maclobdell | 0:f7c60d3e7b8a | 1184 | |
| maclobdell | 0:f7c60d3e7b8a | 1185 | /* No MAC to check yet, so we can update right now */ |
| maclobdell | 0:f7c60d3e7b8a | 1186 | mbedtls_ssl_dtls_replay_update( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 1187 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1188 | } |
| maclobdell | 0:f7c60d3e7b8a | 1189 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| maclobdell | 0:f7c60d3e7b8a | 1190 | |
| maclobdell | 0:f7c60d3e7b8a | 1191 | msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; |
| maclobdell | 0:f7c60d3e7b8a | 1192 | |
| maclobdell | 0:f7c60d3e7b8a | 1193 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 1194 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 1195 | { |
| maclobdell | 0:f7c60d3e7b8a | 1196 | /* Set by mbedtls_ssl_read_record() */ |
| maclobdell | 0:f7c60d3e7b8a | 1197 | msg_len = ssl->in_hslen; |
| maclobdell | 0:f7c60d3e7b8a | 1198 | } |
| maclobdell | 0:f7c60d3e7b8a | 1199 | else |
| maclobdell | 0:f7c60d3e7b8a | 1200 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1201 | { |
| maclobdell | 0:f7c60d3e7b8a | 1202 | if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) |
| maclobdell | 0:f7c60d3e7b8a | 1203 | { |
| maclobdell | 0:f7c60d3e7b8a | 1204 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1205 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1206 | } |
| maclobdell | 0:f7c60d3e7b8a | 1207 | |
| maclobdell | 0:f7c60d3e7b8a | 1208 | if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1209 | { |
| maclobdell | 0:f7c60d3e7b8a | 1210 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1211 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1212 | } |
| maclobdell | 0:f7c60d3e7b8a | 1213 | |
| maclobdell | 0:f7c60d3e7b8a | 1214 | /* Done reading this record, get ready for the next one */ |
| maclobdell | 0:f7c60d3e7b8a | 1215 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 1216 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| maclobdell | 0:f7c60d3e7b8a | 1217 | ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 1218 | else |
| maclobdell | 0:f7c60d3e7b8a | 1219 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1220 | ssl->in_left = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1221 | } |
| maclobdell | 0:f7c60d3e7b8a | 1222 | |
| maclobdell | 0:f7c60d3e7b8a | 1223 | buf = ssl->in_msg; |
| maclobdell | 0:f7c60d3e7b8a | 1224 | |
| maclobdell | 0:f7c60d3e7b8a | 1225 | MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len ); |
| maclobdell | 0:f7c60d3e7b8a | 1226 | |
| maclobdell | 0:f7c60d3e7b8a | 1227 | ssl->handshake->update_checksum( ssl, buf, msg_len ); |
| maclobdell | 0:f7c60d3e7b8a | 1228 | |
| maclobdell | 0:f7c60d3e7b8a | 1229 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1230 | * Handshake layer: |
| maclobdell | 0:f7c60d3e7b8a | 1231 | * 0 . 0 handshake type |
| maclobdell | 0:f7c60d3e7b8a | 1232 | * 1 . 3 handshake length |
| maclobdell | 0:f7c60d3e7b8a | 1233 | * 4 . 5 DTLS only: message seqence number |
| maclobdell | 0:f7c60d3e7b8a | 1234 | * 6 . 8 DTLS only: fragment offset |
| maclobdell | 0:f7c60d3e7b8a | 1235 | * 9 . 11 DTLS only: fragment length |
| maclobdell | 0:f7c60d3e7b8a | 1236 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1237 | if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) ) |
| maclobdell | 0:f7c60d3e7b8a | 1238 | { |
| maclobdell | 0:f7c60d3e7b8a | 1239 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1240 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1241 | } |
| maclobdell | 0:f7c60d3e7b8a | 1242 | |
| maclobdell | 0:f7c60d3e7b8a | 1243 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1244 | |
| maclobdell | 0:f7c60d3e7b8a | 1245 | if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) |
| maclobdell | 0:f7c60d3e7b8a | 1246 | { |
| maclobdell | 0:f7c60d3e7b8a | 1247 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1248 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1249 | } |
| maclobdell | 0:f7c60d3e7b8a | 1250 | |
| maclobdell | 0:f7c60d3e7b8a | 1251 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", |
| maclobdell | 0:f7c60d3e7b8a | 1252 | ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1253 | |
| maclobdell | 0:f7c60d3e7b8a | 1254 | /* We don't support fragmentation of ClientHello (yet?) */ |
| maclobdell | 0:f7c60d3e7b8a | 1255 | if( buf[1] != 0 || |
| maclobdell | 0:f7c60d3e7b8a | 1256 | msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) ) |
| maclobdell | 0:f7c60d3e7b8a | 1257 | { |
| maclobdell | 0:f7c60d3e7b8a | 1258 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1259 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1260 | } |
| maclobdell | 0:f7c60d3e7b8a | 1261 | |
| maclobdell | 0:f7c60d3e7b8a | 1262 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 1263 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| maclobdell | 0:f7c60d3e7b8a | 1264 | { |
| maclobdell | 0:f7c60d3e7b8a | 1265 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1266 | * Copy the client's handshake message_seq on initial handshakes, |
| maclobdell | 0:f7c60d3e7b8a | 1267 | * check sequence number on renego. |
| maclobdell | 0:f7c60d3e7b8a | 1268 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1269 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 1270 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) |
| maclobdell | 0:f7c60d3e7b8a | 1271 | { |
| maclobdell | 0:f7c60d3e7b8a | 1272 | /* This couldn't be done in ssl_prepare_handshake_record() */ |
| maclobdell | 0:f7c60d3e7b8a | 1273 | unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | |
| maclobdell | 0:f7c60d3e7b8a | 1274 | ssl->in_msg[5]; |
| maclobdell | 0:f7c60d3e7b8a | 1275 | |
| maclobdell | 0:f7c60d3e7b8a | 1276 | if( cli_msg_seq != ssl->handshake->in_msg_seq ) |
| maclobdell | 0:f7c60d3e7b8a | 1277 | { |
| maclobdell | 0:f7c60d3e7b8a | 1278 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: " |
| maclobdell | 0:f7c60d3e7b8a | 1279 | "%d (expected %d)", cli_msg_seq, |
| maclobdell | 0:f7c60d3e7b8a | 1280 | ssl->handshake->in_msg_seq ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1281 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1282 | } |
| maclobdell | 0:f7c60d3e7b8a | 1283 | |
| maclobdell | 0:f7c60d3e7b8a | 1284 | ssl->handshake->in_msg_seq++; |
| maclobdell | 0:f7c60d3e7b8a | 1285 | } |
| maclobdell | 0:f7c60d3e7b8a | 1286 | else |
| maclobdell | 0:f7c60d3e7b8a | 1287 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1288 | { |
| maclobdell | 0:f7c60d3e7b8a | 1289 | unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | |
| maclobdell | 0:f7c60d3e7b8a | 1290 | ssl->in_msg[5]; |
| maclobdell | 0:f7c60d3e7b8a | 1291 | ssl->handshake->out_msg_seq = cli_msg_seq; |
| maclobdell | 0:f7c60d3e7b8a | 1292 | ssl->handshake->in_msg_seq = cli_msg_seq + 1; |
| maclobdell | 0:f7c60d3e7b8a | 1293 | } |
| maclobdell | 0:f7c60d3e7b8a | 1294 | |
| maclobdell | 0:f7c60d3e7b8a | 1295 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1296 | * For now we don't support fragmentation, so make sure |
| maclobdell | 0:f7c60d3e7b8a | 1297 | * fragment_offset == 0 and fragment_length == length |
| maclobdell | 0:f7c60d3e7b8a | 1298 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1299 | if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 || |
| maclobdell | 0:f7c60d3e7b8a | 1300 | memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1301 | { |
| maclobdell | 0:f7c60d3e7b8a | 1302 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1303 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| maclobdell | 0:f7c60d3e7b8a | 1304 | } |
| maclobdell | 0:f7c60d3e7b8a | 1305 | } |
| maclobdell | 0:f7c60d3e7b8a | 1306 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| maclobdell | 0:f7c60d3e7b8a | 1307 | |
| maclobdell | 0:f7c60d3e7b8a | 1308 | buf += mbedtls_ssl_hs_hdr_len( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 1309 | msg_len -= mbedtls_ssl_hs_hdr_len( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 1310 | |
| maclobdell | 0:f7c60d3e7b8a | 1311 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1312 | * ClientHello layer: |
| maclobdell | 0:f7c60d3e7b8a | 1313 | * 0 . 1 protocol version |
| maclobdell | 0:f7c60d3e7b8a | 1314 | * 2 . 33 random bytes (starting with 4 bytes of Unix time) |
| maclobdell | 0:f7c60d3e7b8a | 1315 | * 34 . 35 session id length (1 byte) |
| maclobdell | 0:f7c60d3e7b8a | 1316 | * 35 . 34+x session id |
| maclobdell | 0:f7c60d3e7b8a | 1317 | * 35+x . 35+x DTLS only: cookie length (1 byte) |
| maclobdell | 0:f7c60d3e7b8a | 1318 | * 36+x . .. DTLS only: cookie |
| maclobdell | 0:f7c60d3e7b8a | 1319 | * .. . .. ciphersuite list length (2 bytes) |
| maclobdell | 0:f7c60d3e7b8a | 1320 | * .. . .. ciphersuite list |
| maclobdell | 0:f7c60d3e7b8a | 1321 | * .. . .. compression alg. list length (1 byte) |
| maclobdell | 0:f7c60d3e7b8a | 1322 | * .. . .. compression alg. list |
| maclobdell | 0:f7c60d3e7b8a | 1323 | * .. . .. extensions length (2 bytes, optional) |
| maclobdell | 0:f7c60d3e7b8a | 1324 | * .. . .. extensions (optional) |
| maclobdell | 0:f7c60d3e7b8a | 1325 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1326 | |
| maclobdell | 0:f7c60d3e7b8a | 1327 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1328 | * Minimal length (with everything empty and extensions ommitted) is |
| maclobdell | 0:f7c60d3e7b8a | 1329 | * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can |
| maclobdell | 0:f7c60d3e7b8a | 1330 | * read at least up to session id length without worrying. |
| maclobdell | 0:f7c60d3e7b8a | 1331 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1332 | if( msg_len < 38 ) |
| maclobdell | 0:f7c60d3e7b8a | 1333 | { |
| maclobdell | 0:f7c60d3e7b8a | 1334 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1335 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1336 | } |
| maclobdell | 0:f7c60d3e7b8a | 1337 | |
| maclobdell | 0:f7c60d3e7b8a | 1338 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1339 | * Check and save the protocol version |
| maclobdell | 0:f7c60d3e7b8a | 1340 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1341 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); |
| maclobdell | 0:f7c60d3e7b8a | 1342 | |
| maclobdell | 0:f7c60d3e7b8a | 1343 | mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, |
| maclobdell | 0:f7c60d3e7b8a | 1344 | ssl->conf->transport, buf ); |
| maclobdell | 0:f7c60d3e7b8a | 1345 | |
| maclobdell | 0:f7c60d3e7b8a | 1346 | ssl->handshake->max_major_ver = ssl->major_ver; |
| maclobdell | 0:f7c60d3e7b8a | 1347 | ssl->handshake->max_minor_ver = ssl->minor_ver; |
| maclobdell | 0:f7c60d3e7b8a | 1348 | |
| maclobdell | 0:f7c60d3e7b8a | 1349 | if( ssl->major_ver < ssl->conf->min_major_ver || |
| maclobdell | 0:f7c60d3e7b8a | 1350 | ssl->minor_ver < ssl->conf->min_minor_ver ) |
| maclobdell | 0:f7c60d3e7b8a | 1351 | { |
| maclobdell | 0:f7c60d3e7b8a | 1352 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" |
| maclobdell | 0:f7c60d3e7b8a | 1353 | " [%d:%d] < [%d:%d]", |
| maclobdell | 0:f7c60d3e7b8a | 1354 | ssl->major_ver, ssl->minor_ver, |
| maclobdell | 0:f7c60d3e7b8a | 1355 | ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1356 | |
| maclobdell | 0:f7c60d3e7b8a | 1357 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| maclobdell | 0:f7c60d3e7b8a | 1358 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); |
| maclobdell | 0:f7c60d3e7b8a | 1359 | |
| maclobdell | 0:f7c60d3e7b8a | 1360 | return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); |
| maclobdell | 0:f7c60d3e7b8a | 1361 | } |
| maclobdell | 0:f7c60d3e7b8a | 1362 | |
| maclobdell | 0:f7c60d3e7b8a | 1363 | if( ssl->major_ver > ssl->conf->max_major_ver ) |
| maclobdell | 0:f7c60d3e7b8a | 1364 | { |
| maclobdell | 0:f7c60d3e7b8a | 1365 | ssl->major_ver = ssl->conf->max_major_ver; |
| maclobdell | 0:f7c60d3e7b8a | 1366 | ssl->minor_ver = ssl->conf->max_minor_ver; |
| maclobdell | 0:f7c60d3e7b8a | 1367 | } |
| maclobdell | 0:f7c60d3e7b8a | 1368 | else if( ssl->minor_ver > ssl->conf->max_minor_ver ) |
| maclobdell | 0:f7c60d3e7b8a | 1369 | ssl->minor_ver = ssl->conf->max_minor_ver; |
| maclobdell | 0:f7c60d3e7b8a | 1370 | |
| maclobdell | 0:f7c60d3e7b8a | 1371 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1372 | * Save client random (inc. Unix time) |
| maclobdell | 0:f7c60d3e7b8a | 1373 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1374 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 ); |
| maclobdell | 0:f7c60d3e7b8a | 1375 | |
| maclobdell | 0:f7c60d3e7b8a | 1376 | memcpy( ssl->handshake->randbytes, buf + 2, 32 ); |
| maclobdell | 0:f7c60d3e7b8a | 1377 | |
| maclobdell | 0:f7c60d3e7b8a | 1378 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1379 | * Check the session ID length and save session ID |
| maclobdell | 0:f7c60d3e7b8a | 1380 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1381 | sess_len = buf[34]; |
| maclobdell | 0:f7c60d3e7b8a | 1382 | |
| maclobdell | 0:f7c60d3e7b8a | 1383 | if( sess_len > sizeof( ssl->session_negotiate->id ) || |
| maclobdell | 0:f7c60d3e7b8a | 1384 | sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */ |
| maclobdell | 0:f7c60d3e7b8a | 1385 | { |
| maclobdell | 0:f7c60d3e7b8a | 1386 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1387 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1388 | } |
| maclobdell | 0:f7c60d3e7b8a | 1389 | |
| maclobdell | 0:f7c60d3e7b8a | 1390 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len ); |
| maclobdell | 0:f7c60d3e7b8a | 1391 | |
| maclobdell | 0:f7c60d3e7b8a | 1392 | ssl->session_negotiate->id_len = sess_len; |
| maclobdell | 0:f7c60d3e7b8a | 1393 | memset( ssl->session_negotiate->id, 0, |
| maclobdell | 0:f7c60d3e7b8a | 1394 | sizeof( ssl->session_negotiate->id ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1395 | memcpy( ssl->session_negotiate->id, buf + 35, |
| maclobdell | 0:f7c60d3e7b8a | 1396 | ssl->session_negotiate->id_len ); |
| maclobdell | 0:f7c60d3e7b8a | 1397 | |
| maclobdell | 0:f7c60d3e7b8a | 1398 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1399 | * Check the cookie length and content |
| maclobdell | 0:f7c60d3e7b8a | 1400 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1401 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 1402 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| maclobdell | 0:f7c60d3e7b8a | 1403 | { |
| maclobdell | 0:f7c60d3e7b8a | 1404 | cookie_offset = 35 + sess_len; |
| maclobdell | 0:f7c60d3e7b8a | 1405 | cookie_len = buf[cookie_offset]; |
| maclobdell | 0:f7c60d3e7b8a | 1406 | |
| maclobdell | 0:f7c60d3e7b8a | 1407 | if( cookie_offset + 1 + cookie_len + 2 > msg_len ) |
| maclobdell | 0:f7c60d3e7b8a | 1408 | { |
| maclobdell | 0:f7c60d3e7b8a | 1409 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1410 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1411 | } |
| maclobdell | 0:f7c60d3e7b8a | 1412 | |
| maclobdell | 0:f7c60d3e7b8a | 1413 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", |
| maclobdell | 0:f7c60d3e7b8a | 1414 | buf + cookie_offset + 1, cookie_len ); |
| maclobdell | 0:f7c60d3e7b8a | 1415 | |
| maclobdell | 0:f7c60d3e7b8a | 1416 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| maclobdell | 0:f7c60d3e7b8a | 1417 | if( ssl->conf->f_cookie_check != NULL |
| maclobdell | 0:f7c60d3e7b8a | 1418 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 1419 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE |
| maclobdell | 0:f7c60d3e7b8a | 1420 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1421 | ) |
| maclobdell | 0:f7c60d3e7b8a | 1422 | { |
| maclobdell | 0:f7c60d3e7b8a | 1423 | if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, |
| maclobdell | 0:f7c60d3e7b8a | 1424 | buf + cookie_offset + 1, cookie_len, |
| maclobdell | 0:f7c60d3e7b8a | 1425 | ssl->cli_id, ssl->cli_id_len ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1426 | { |
| maclobdell | 0:f7c60d3e7b8a | 1427 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1428 | ssl->handshake->verify_cookie_len = 1; |
| maclobdell | 0:f7c60d3e7b8a | 1429 | } |
| maclobdell | 0:f7c60d3e7b8a | 1430 | else |
| maclobdell | 0:f7c60d3e7b8a | 1431 | { |
| maclobdell | 0:f7c60d3e7b8a | 1432 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1433 | ssl->handshake->verify_cookie_len = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1434 | } |
| maclobdell | 0:f7c60d3e7b8a | 1435 | } |
| maclobdell | 0:f7c60d3e7b8a | 1436 | else |
| maclobdell | 0:f7c60d3e7b8a | 1437 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| maclobdell | 0:f7c60d3e7b8a | 1438 | { |
| maclobdell | 0:f7c60d3e7b8a | 1439 | /* We know we didn't send a cookie, so it should be empty */ |
| maclobdell | 0:f7c60d3e7b8a | 1440 | if( cookie_len != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1441 | { |
| maclobdell | 0:f7c60d3e7b8a | 1442 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1443 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1444 | } |
| maclobdell | 0:f7c60d3e7b8a | 1445 | |
| maclobdell | 0:f7c60d3e7b8a | 1446 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1447 | } |
| maclobdell | 0:f7c60d3e7b8a | 1448 | |
| maclobdell | 0:f7c60d3e7b8a | 1449 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1450 | * Check the ciphersuitelist length (will be parsed later) |
| maclobdell | 0:f7c60d3e7b8a | 1451 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1452 | ciph_offset = cookie_offset + 1 + cookie_len; |
| maclobdell | 0:f7c60d3e7b8a | 1453 | } |
| maclobdell | 0:f7c60d3e7b8a | 1454 | else |
| maclobdell | 0:f7c60d3e7b8a | 1455 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| maclobdell | 0:f7c60d3e7b8a | 1456 | ciph_offset = 35 + sess_len; |
| maclobdell | 0:f7c60d3e7b8a | 1457 | |
| maclobdell | 0:f7c60d3e7b8a | 1458 | ciph_len = ( buf[ciph_offset + 0] << 8 ) |
| maclobdell | 0:f7c60d3e7b8a | 1459 | | ( buf[ciph_offset + 1] ); |
| maclobdell | 0:f7c60d3e7b8a | 1460 | |
| maclobdell | 0:f7c60d3e7b8a | 1461 | if( ciph_len < 2 || |
| maclobdell | 0:f7c60d3e7b8a | 1462 | ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ |
| maclobdell | 0:f7c60d3e7b8a | 1463 | ( ciph_len % 2 ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1464 | { |
| maclobdell | 0:f7c60d3e7b8a | 1465 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1466 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1467 | } |
| maclobdell | 0:f7c60d3e7b8a | 1468 | |
| maclobdell | 0:f7c60d3e7b8a | 1469 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", |
| maclobdell | 0:f7c60d3e7b8a | 1470 | buf + ciph_offset + 2, ciph_len ); |
| maclobdell | 0:f7c60d3e7b8a | 1471 | |
| maclobdell | 0:f7c60d3e7b8a | 1472 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1473 | * Check the compression algorithms length and pick one |
| maclobdell | 0:f7c60d3e7b8a | 1474 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1475 | comp_offset = ciph_offset + 2 + ciph_len; |
| maclobdell | 0:f7c60d3e7b8a | 1476 | |
| maclobdell | 0:f7c60d3e7b8a | 1477 | comp_len = buf[comp_offset]; |
| maclobdell | 0:f7c60d3e7b8a | 1478 | |
| maclobdell | 0:f7c60d3e7b8a | 1479 | if( comp_len < 1 || |
| maclobdell | 0:f7c60d3e7b8a | 1480 | comp_len > 16 || |
| maclobdell | 0:f7c60d3e7b8a | 1481 | comp_len + comp_offset + 1 > msg_len ) |
| maclobdell | 0:f7c60d3e7b8a | 1482 | { |
| maclobdell | 0:f7c60d3e7b8a | 1483 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1484 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1485 | } |
| maclobdell | 0:f7c60d3e7b8a | 1486 | |
| maclobdell | 0:f7c60d3e7b8a | 1487 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", |
| maclobdell | 0:f7c60d3e7b8a | 1488 | buf + comp_offset + 1, comp_len ); |
| maclobdell | 0:f7c60d3e7b8a | 1489 | |
| maclobdell | 0:f7c60d3e7b8a | 1490 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; |
| maclobdell | 0:f7c60d3e7b8a | 1491 | #if defined(MBEDTLS_ZLIB_SUPPORT) |
| maclobdell | 0:f7c60d3e7b8a | 1492 | for( i = 0; i < comp_len; ++i ) |
| maclobdell | 0:f7c60d3e7b8a | 1493 | { |
| maclobdell | 0:f7c60d3e7b8a | 1494 | if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE ) |
| maclobdell | 0:f7c60d3e7b8a | 1495 | { |
| maclobdell | 0:f7c60d3e7b8a | 1496 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE; |
| maclobdell | 0:f7c60d3e7b8a | 1497 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1498 | } |
| maclobdell | 0:f7c60d3e7b8a | 1499 | } |
| maclobdell | 0:f7c60d3e7b8a | 1500 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1501 | |
| maclobdell | 0:f7c60d3e7b8a | 1502 | /* See comments in ssl_write_client_hello() */ |
| maclobdell | 0:f7c60d3e7b8a | 1503 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 1504 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| maclobdell | 0:f7c60d3e7b8a | 1505 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; |
| maclobdell | 0:f7c60d3e7b8a | 1506 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1507 | |
| maclobdell | 0:f7c60d3e7b8a | 1508 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1509 | * Check the extension length |
| maclobdell | 0:f7c60d3e7b8a | 1510 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1511 | ext_offset = comp_offset + 1 + comp_len; |
| maclobdell | 0:f7c60d3e7b8a | 1512 | if( msg_len > ext_offset ) |
| maclobdell | 0:f7c60d3e7b8a | 1513 | { |
| maclobdell | 0:f7c60d3e7b8a | 1514 | if( msg_len < ext_offset + 2 ) |
| maclobdell | 0:f7c60d3e7b8a | 1515 | { |
| maclobdell | 0:f7c60d3e7b8a | 1516 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1517 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1518 | } |
| maclobdell | 0:f7c60d3e7b8a | 1519 | |
| maclobdell | 0:f7c60d3e7b8a | 1520 | ext_len = ( buf[ext_offset + 0] << 8 ) |
| maclobdell | 0:f7c60d3e7b8a | 1521 | | ( buf[ext_offset + 1] ); |
| maclobdell | 0:f7c60d3e7b8a | 1522 | |
| maclobdell | 0:f7c60d3e7b8a | 1523 | if( ( ext_len > 0 && ext_len < 4 ) || |
| maclobdell | 0:f7c60d3e7b8a | 1524 | msg_len != ext_offset + 2 + ext_len ) |
| maclobdell | 0:f7c60d3e7b8a | 1525 | { |
| maclobdell | 0:f7c60d3e7b8a | 1526 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1527 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1528 | } |
| maclobdell | 0:f7c60d3e7b8a | 1529 | } |
| maclobdell | 0:f7c60d3e7b8a | 1530 | else |
| maclobdell | 0:f7c60d3e7b8a | 1531 | ext_len = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1532 | |
| maclobdell | 0:f7c60d3e7b8a | 1533 | ext = buf + ext_offset + 2; |
| maclobdell | 0:f7c60d3e7b8a | 1534 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); |
| maclobdell | 0:f7c60d3e7b8a | 1535 | |
| maclobdell | 0:f7c60d3e7b8a | 1536 | while( ext_len != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1537 | { |
| maclobdell | 0:f7c60d3e7b8a | 1538 | unsigned int ext_id = ( ( ext[0] << 8 ) |
| maclobdell | 0:f7c60d3e7b8a | 1539 | | ( ext[1] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1540 | unsigned int ext_size = ( ( ext[2] << 8 ) |
| maclobdell | 0:f7c60d3e7b8a | 1541 | | ( ext[3] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1542 | |
| maclobdell | 0:f7c60d3e7b8a | 1543 | if( ext_size + 4 > ext_len ) |
| maclobdell | 0:f7c60d3e7b8a | 1544 | { |
| maclobdell | 0:f7c60d3e7b8a | 1545 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1546 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1547 | } |
| maclobdell | 0:f7c60d3e7b8a | 1548 | switch( ext_id ) |
| maclobdell | 0:f7c60d3e7b8a | 1549 | { |
| maclobdell | 0:f7c60d3e7b8a | 1550 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| maclobdell | 0:f7c60d3e7b8a | 1551 | case MBEDTLS_TLS_EXT_SERVERNAME: |
| maclobdell | 0:f7c60d3e7b8a | 1552 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1553 | if( ssl->conf->f_sni == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 1554 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1555 | |
| maclobdell | 0:f7c60d3e7b8a | 1556 | ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1557 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1558 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1559 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1560 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
| maclobdell | 0:f7c60d3e7b8a | 1561 | |
| maclobdell | 0:f7c60d3e7b8a | 1562 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: |
| maclobdell | 0:f7c60d3e7b8a | 1563 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1564 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 1565 | renegotiation_info_seen = 1; |
| maclobdell | 0:f7c60d3e7b8a | 1566 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1567 | |
| maclobdell | 0:f7c60d3e7b8a | 1568 | ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1569 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1570 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1571 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1572 | |
| maclobdell | 0:f7c60d3e7b8a | 1573 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
| maclobdell | 0:f7c60d3e7b8a | 1574 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 1575 | case MBEDTLS_TLS_EXT_SIG_ALG: |
| maclobdell | 0:f7c60d3e7b8a | 1576 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1577 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 1578 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) |
| maclobdell | 0:f7c60d3e7b8a | 1579 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1580 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1581 | |
| maclobdell | 0:f7c60d3e7b8a | 1582 | ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1583 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1584 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1585 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1586 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && |
| maclobdell | 0:f7c60d3e7b8a | 1587 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 1588 | |
| maclobdell | 0:f7c60d3e7b8a | 1589 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| maclobdell | 0:f7c60d3e7b8a | 1590 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 1591 | case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: |
| maclobdell | 0:f7c60d3e7b8a | 1592 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1593 | |
| maclobdell | 0:f7c60d3e7b8a | 1594 | ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1595 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1596 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1597 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1598 | |
| maclobdell | 0:f7c60d3e7b8a | 1599 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: |
| maclobdell | 0:f7c60d3e7b8a | 1600 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1601 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; |
| maclobdell | 0:f7c60d3e7b8a | 1602 | |
| maclobdell | 0:f7c60d3e7b8a | 1603 | ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1604 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1605 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1606 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1607 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| maclobdell | 0:f7c60d3e7b8a | 1608 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 1609 | |
| maclobdell | 0:f7c60d3e7b8a | 1610 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 1611 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: |
| maclobdell | 0:f7c60d3e7b8a | 1612 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1613 | |
| maclobdell | 0:f7c60d3e7b8a | 1614 | ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1615 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1616 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1617 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1618 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 1619 | |
| maclobdell | 0:f7c60d3e7b8a | 1620 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| maclobdell | 0:f7c60d3e7b8a | 1621 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: |
| maclobdell | 0:f7c60d3e7b8a | 1622 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1623 | |
| maclobdell | 0:f7c60d3e7b8a | 1624 | ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1625 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1626 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1627 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1628 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| maclobdell | 0:f7c60d3e7b8a | 1629 | |
| maclobdell | 0:f7c60d3e7b8a | 1630 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
| maclobdell | 0:f7c60d3e7b8a | 1631 | case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: |
| maclobdell | 0:f7c60d3e7b8a | 1632 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1633 | |
| maclobdell | 0:f7c60d3e7b8a | 1634 | ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1635 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1636 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1637 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1638 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
| maclobdell | 0:f7c60d3e7b8a | 1639 | |
| maclobdell | 0:f7c60d3e7b8a | 1640 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| maclobdell | 0:f7c60d3e7b8a | 1641 | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: |
| maclobdell | 0:f7c60d3e7b8a | 1642 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1643 | |
| maclobdell | 0:f7c60d3e7b8a | 1644 | ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1645 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1646 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1647 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1648 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| maclobdell | 0:f7c60d3e7b8a | 1649 | |
| maclobdell | 0:f7c60d3e7b8a | 1650 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| maclobdell | 0:f7c60d3e7b8a | 1651 | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: |
| maclobdell | 0:f7c60d3e7b8a | 1652 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1653 | |
| maclobdell | 0:f7c60d3e7b8a | 1654 | ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1655 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1656 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1657 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1658 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| maclobdell | 0:f7c60d3e7b8a | 1659 | |
| maclobdell | 0:f7c60d3e7b8a | 1660 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| maclobdell | 0:f7c60d3e7b8a | 1661 | case MBEDTLS_TLS_EXT_SESSION_TICKET: |
| maclobdell | 0:f7c60d3e7b8a | 1662 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1663 | |
| maclobdell | 0:f7c60d3e7b8a | 1664 | ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1665 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1666 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1667 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1668 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| maclobdell | 0:f7c60d3e7b8a | 1669 | |
| maclobdell | 0:f7c60d3e7b8a | 1670 | #if defined(MBEDTLS_SSL_ALPN) |
| maclobdell | 0:f7c60d3e7b8a | 1671 | case MBEDTLS_TLS_EXT_ALPN: |
| maclobdell | 0:f7c60d3e7b8a | 1672 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1673 | |
| maclobdell | 0:f7c60d3e7b8a | 1674 | ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); |
| maclobdell | 0:f7c60d3e7b8a | 1675 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1676 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1677 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1678 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| maclobdell | 0:f7c60d3e7b8a | 1679 | |
| maclobdell | 0:f7c60d3e7b8a | 1680 | default: |
| maclobdell | 0:f7c60d3e7b8a | 1681 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", |
| maclobdell | 0:f7c60d3e7b8a | 1682 | ext_id ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1683 | } |
| maclobdell | 0:f7c60d3e7b8a | 1684 | |
| maclobdell | 0:f7c60d3e7b8a | 1685 | ext_len -= 4 + ext_size; |
| maclobdell | 0:f7c60d3e7b8a | 1686 | ext += 4 + ext_size; |
| maclobdell | 0:f7c60d3e7b8a | 1687 | |
| maclobdell | 0:f7c60d3e7b8a | 1688 | if( ext_len > 0 && ext_len < 4 ) |
| maclobdell | 0:f7c60d3e7b8a | 1689 | { |
| maclobdell | 0:f7c60d3e7b8a | 1690 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1691 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1692 | } |
| maclobdell | 0:f7c60d3e7b8a | 1693 | } |
| maclobdell | 0:f7c60d3e7b8a | 1694 | |
| maclobdell | 0:f7c60d3e7b8a | 1695 | #if defined(MBEDTLS_SSL_FALLBACK_SCSV) |
| maclobdell | 0:f7c60d3e7b8a | 1696 | for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 ) |
| maclobdell | 0:f7c60d3e7b8a | 1697 | { |
| maclobdell | 0:f7c60d3e7b8a | 1698 | if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && |
| maclobdell | 0:f7c60d3e7b8a | 1699 | p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) |
| maclobdell | 0:f7c60d3e7b8a | 1700 | { |
| maclobdell | 0:f7c60d3e7b8a | 1701 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1702 | |
| maclobdell | 0:f7c60d3e7b8a | 1703 | if( ssl->minor_ver < ssl->conf->max_minor_ver ) |
| maclobdell | 0:f7c60d3e7b8a | 1704 | { |
| maclobdell | 0:f7c60d3e7b8a | 1705 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1706 | |
| maclobdell | 0:f7c60d3e7b8a | 1707 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| maclobdell | 0:f7c60d3e7b8a | 1708 | MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); |
| maclobdell | 0:f7c60d3e7b8a | 1709 | |
| maclobdell | 0:f7c60d3e7b8a | 1710 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1711 | } |
| maclobdell | 0:f7c60d3e7b8a | 1712 | |
| maclobdell | 0:f7c60d3e7b8a | 1713 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1714 | } |
| maclobdell | 0:f7c60d3e7b8a | 1715 | } |
| maclobdell | 0:f7c60d3e7b8a | 1716 | #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ |
| maclobdell | 0:f7c60d3e7b8a | 1717 | |
| maclobdell | 0:f7c60d3e7b8a | 1718 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1719 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
| maclobdell | 0:f7c60d3e7b8a | 1720 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1721 | for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) |
| maclobdell | 0:f7c60d3e7b8a | 1722 | { |
| maclobdell | 0:f7c60d3e7b8a | 1723 | if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) |
| maclobdell | 0:f7c60d3e7b8a | 1724 | { |
| maclobdell | 0:f7c60d3e7b8a | 1725 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1726 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 1727 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) |
| maclobdell | 0:f7c60d3e7b8a | 1728 | { |
| maclobdell | 0:f7c60d3e7b8a | 1729 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1730 | |
| maclobdell | 0:f7c60d3e7b8a | 1731 | if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1732 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1733 | |
| maclobdell | 0:f7c60d3e7b8a | 1734 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1735 | } |
| maclobdell | 0:f7c60d3e7b8a | 1736 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1737 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| maclobdell | 0:f7c60d3e7b8a | 1738 | break; |
| maclobdell | 0:f7c60d3e7b8a | 1739 | } |
| maclobdell | 0:f7c60d3e7b8a | 1740 | } |
| maclobdell | 0:f7c60d3e7b8a | 1741 | |
| maclobdell | 0:f7c60d3e7b8a | 1742 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1743 | * Renegotiation security checks |
| maclobdell | 0:f7c60d3e7b8a | 1744 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1745 | if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| maclobdell | 0:f7c60d3e7b8a | 1746 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 1747 | { |
| maclobdell | 0:f7c60d3e7b8a | 1748 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1749 | handshake_failure = 1; |
| maclobdell | 0:f7c60d3e7b8a | 1750 | } |
| maclobdell | 0:f7c60d3e7b8a | 1751 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 1752 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| maclobdell | 0:f7c60d3e7b8a | 1753 | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| maclobdell | 0:f7c60d3e7b8a | 1754 | renegotiation_info_seen == 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1755 | { |
| maclobdell | 0:f7c60d3e7b8a | 1756 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1757 | handshake_failure = 1; |
| maclobdell | 0:f7c60d3e7b8a | 1758 | } |
| maclobdell | 0:f7c60d3e7b8a | 1759 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| maclobdell | 0:f7c60d3e7b8a | 1760 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| maclobdell | 0:f7c60d3e7b8a | 1761 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) |
| maclobdell | 0:f7c60d3e7b8a | 1762 | { |
| maclobdell | 0:f7c60d3e7b8a | 1763 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1764 | handshake_failure = 1; |
| maclobdell | 0:f7c60d3e7b8a | 1765 | } |
| maclobdell | 0:f7c60d3e7b8a | 1766 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| maclobdell | 0:f7c60d3e7b8a | 1767 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| maclobdell | 0:f7c60d3e7b8a | 1768 | renegotiation_info_seen == 1 ) |
| maclobdell | 0:f7c60d3e7b8a | 1769 | { |
| maclobdell | 0:f7c60d3e7b8a | 1770 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1771 | handshake_failure = 1; |
| maclobdell | 0:f7c60d3e7b8a | 1772 | } |
| maclobdell | 0:f7c60d3e7b8a | 1773 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| maclobdell | 0:f7c60d3e7b8a | 1774 | |
| maclobdell | 0:f7c60d3e7b8a | 1775 | if( handshake_failure == 1 ) |
| maclobdell | 0:f7c60d3e7b8a | 1776 | { |
| maclobdell | 0:f7c60d3e7b8a | 1777 | if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1778 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1779 | |
| maclobdell | 0:f7c60d3e7b8a | 1780 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
| maclobdell | 0:f7c60d3e7b8a | 1781 | } |
| maclobdell | 0:f7c60d3e7b8a | 1782 | |
| maclobdell | 0:f7c60d3e7b8a | 1783 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1784 | * Search for a matching ciphersuite |
| maclobdell | 0:f7c60d3e7b8a | 1785 | * (At the end because we need information from the EC-based extensions |
| maclobdell | 0:f7c60d3e7b8a | 1786 | * and certificate from the SNI callback triggered by the SNI extension.) |
| maclobdell | 0:f7c60d3e7b8a | 1787 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1788 | got_common_suite = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1789 | ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; |
| maclobdell | 0:f7c60d3e7b8a | 1790 | ciphersuite_info = NULL; |
| maclobdell | 0:f7c60d3e7b8a | 1791 | #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) |
| maclobdell | 0:f7c60d3e7b8a | 1792 | for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) |
| maclobdell | 0:f7c60d3e7b8a | 1793 | { |
| maclobdell | 0:f7c60d3e7b8a | 1794 | for( i = 0; ciphersuites[i] != 0; i++ ) |
| maclobdell | 0:f7c60d3e7b8a | 1795 | #else |
| maclobdell | 0:f7c60d3e7b8a | 1796 | for( i = 0; ciphersuites[i] != 0; i++ ) |
| maclobdell | 0:f7c60d3e7b8a | 1797 | { |
| maclobdell | 0:f7c60d3e7b8a | 1798 | for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) |
| maclobdell | 0:f7c60d3e7b8a | 1799 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1800 | { |
| maclobdell | 0:f7c60d3e7b8a | 1801 | if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || |
| maclobdell | 0:f7c60d3e7b8a | 1802 | p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) |
| maclobdell | 0:f7c60d3e7b8a | 1803 | continue; |
| maclobdell | 0:f7c60d3e7b8a | 1804 | |
| maclobdell | 0:f7c60d3e7b8a | 1805 | got_common_suite = 1; |
| maclobdell | 0:f7c60d3e7b8a | 1806 | |
| maclobdell | 0:f7c60d3e7b8a | 1807 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], |
| maclobdell | 0:f7c60d3e7b8a | 1808 | &ciphersuite_info ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1809 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 1810 | |
| maclobdell | 0:f7c60d3e7b8a | 1811 | if( ciphersuite_info != NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 1812 | goto have_ciphersuite; |
| maclobdell | 0:f7c60d3e7b8a | 1813 | } |
| maclobdell | 0:f7c60d3e7b8a | 1814 | } |
| maclobdell | 0:f7c60d3e7b8a | 1815 | |
| maclobdell | 0:f7c60d3e7b8a | 1816 | if( got_common_suite ) |
| maclobdell | 0:f7c60d3e7b8a | 1817 | { |
| maclobdell | 0:f7c60d3e7b8a | 1818 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " |
| maclobdell | 0:f7c60d3e7b8a | 1819 | "but none of them usable" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1820 | mbedtls_ssl_send_fatal_handshake_failure( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 1821 | return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); |
| maclobdell | 0:f7c60d3e7b8a | 1822 | } |
| maclobdell | 0:f7c60d3e7b8a | 1823 | else |
| maclobdell | 0:f7c60d3e7b8a | 1824 | { |
| maclobdell | 0:f7c60d3e7b8a | 1825 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1826 | mbedtls_ssl_send_fatal_handshake_failure( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 1827 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); |
| maclobdell | 0:f7c60d3e7b8a | 1828 | } |
| maclobdell | 0:f7c60d3e7b8a | 1829 | |
| maclobdell | 0:f7c60d3e7b8a | 1830 | have_ciphersuite: |
| maclobdell | 0:f7c60d3e7b8a | 1831 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1832 | |
| maclobdell | 0:f7c60d3e7b8a | 1833 | ssl->session_negotiate->ciphersuite = ciphersuites[i]; |
| maclobdell | 0:f7c60d3e7b8a | 1834 | ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; |
| maclobdell | 0:f7c60d3e7b8a | 1835 | mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); |
| maclobdell | 0:f7c60d3e7b8a | 1836 | |
| maclobdell | 0:f7c60d3e7b8a | 1837 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 1838 | |
| maclobdell | 0:f7c60d3e7b8a | 1839 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 1840 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| maclobdell | 0:f7c60d3e7b8a | 1841 | mbedtls_ssl_recv_flight_completed( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 1842 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 1843 | |
| maclobdell | 0:f7c60d3e7b8a | 1844 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1845 | |
| maclobdell | 0:f7c60d3e7b8a | 1846 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 1847 | } |
| maclobdell | 0:f7c60d3e7b8a | 1848 | |
| maclobdell | 0:f7c60d3e7b8a | 1849 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
| maclobdell | 0:f7c60d3e7b8a | 1850 | static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 1851 | unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 1852 | size_t *olen ) |
| maclobdell | 0:f7c60d3e7b8a | 1853 | { |
| maclobdell | 0:f7c60d3e7b8a | 1854 | unsigned char *p = buf; |
| maclobdell | 0:f7c60d3e7b8a | 1855 | |
| maclobdell | 0:f7c60d3e7b8a | 1856 | if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) |
| maclobdell | 0:f7c60d3e7b8a | 1857 | { |
| maclobdell | 0:f7c60d3e7b8a | 1858 | *olen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1859 | return; |
| maclobdell | 0:f7c60d3e7b8a | 1860 | } |
| maclobdell | 0:f7c60d3e7b8a | 1861 | |
| maclobdell | 0:f7c60d3e7b8a | 1862 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1863 | |
| maclobdell | 0:f7c60d3e7b8a | 1864 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 1865 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 1866 | |
| maclobdell | 0:f7c60d3e7b8a | 1867 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 1868 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 1869 | |
| maclobdell | 0:f7c60d3e7b8a | 1870 | *olen = 4; |
| maclobdell | 0:f7c60d3e7b8a | 1871 | } |
| maclobdell | 0:f7c60d3e7b8a | 1872 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
| maclobdell | 0:f7c60d3e7b8a | 1873 | |
| maclobdell | 0:f7c60d3e7b8a | 1874 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| maclobdell | 0:f7c60d3e7b8a | 1875 | static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 1876 | unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 1877 | size_t *olen ) |
| maclobdell | 0:f7c60d3e7b8a | 1878 | { |
| maclobdell | 0:f7c60d3e7b8a | 1879 | unsigned char *p = buf; |
| maclobdell | 0:f7c60d3e7b8a | 1880 | const mbedtls_ssl_ciphersuite_t *suite = NULL; |
| maclobdell | 0:f7c60d3e7b8a | 1881 | const mbedtls_cipher_info_t *cipher = NULL; |
| maclobdell | 0:f7c60d3e7b8a | 1882 | |
| maclobdell | 0:f7c60d3e7b8a | 1883 | if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED || |
| maclobdell | 0:f7c60d3e7b8a | 1884 | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1885 | { |
| maclobdell | 0:f7c60d3e7b8a | 1886 | *olen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1887 | return; |
| maclobdell | 0:f7c60d3e7b8a | 1888 | } |
| maclobdell | 0:f7c60d3e7b8a | 1889 | |
| maclobdell | 0:f7c60d3e7b8a | 1890 | /* |
| maclobdell | 0:f7c60d3e7b8a | 1891 | * RFC 7366: "If a server receives an encrypt-then-MAC request extension |
| maclobdell | 0:f7c60d3e7b8a | 1892 | * from a client and then selects a stream or Authenticated Encryption |
| maclobdell | 0:f7c60d3e7b8a | 1893 | * with Associated Data (AEAD) ciphersuite, it MUST NOT send an |
| maclobdell | 0:f7c60d3e7b8a | 1894 | * encrypt-then-MAC response extension back to the client." |
| maclobdell | 0:f7c60d3e7b8a | 1895 | */ |
| maclobdell | 0:f7c60d3e7b8a | 1896 | if( ( suite = mbedtls_ssl_ciphersuite_from_id( |
| maclobdell | 0:f7c60d3e7b8a | 1897 | ssl->session_negotiate->ciphersuite ) ) == NULL || |
| maclobdell | 0:f7c60d3e7b8a | 1898 | ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL || |
| maclobdell | 0:f7c60d3e7b8a | 1899 | cipher->mode != MBEDTLS_MODE_CBC ) |
| maclobdell | 0:f7c60d3e7b8a | 1900 | { |
| maclobdell | 0:f7c60d3e7b8a | 1901 | *olen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1902 | return; |
| maclobdell | 0:f7c60d3e7b8a | 1903 | } |
| maclobdell | 0:f7c60d3e7b8a | 1904 | |
| maclobdell | 0:f7c60d3e7b8a | 1905 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1906 | |
| maclobdell | 0:f7c60d3e7b8a | 1907 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 1908 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 1909 | |
| maclobdell | 0:f7c60d3e7b8a | 1910 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 1911 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 1912 | |
| maclobdell | 0:f7c60d3e7b8a | 1913 | *olen = 4; |
| maclobdell | 0:f7c60d3e7b8a | 1914 | } |
| maclobdell | 0:f7c60d3e7b8a | 1915 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| maclobdell | 0:f7c60d3e7b8a | 1916 | |
| maclobdell | 0:f7c60d3e7b8a | 1917 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| maclobdell | 0:f7c60d3e7b8a | 1918 | static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 1919 | unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 1920 | size_t *olen ) |
| maclobdell | 0:f7c60d3e7b8a | 1921 | { |
| maclobdell | 0:f7c60d3e7b8a | 1922 | unsigned char *p = buf; |
| maclobdell | 0:f7c60d3e7b8a | 1923 | |
| maclobdell | 0:f7c60d3e7b8a | 1924 | if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || |
| maclobdell | 0:f7c60d3e7b8a | 1925 | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1926 | { |
| maclobdell | 0:f7c60d3e7b8a | 1927 | *olen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1928 | return; |
| maclobdell | 0:f7c60d3e7b8a | 1929 | } |
| maclobdell | 0:f7c60d3e7b8a | 1930 | |
| maclobdell | 0:f7c60d3e7b8a | 1931 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret " |
| maclobdell | 0:f7c60d3e7b8a | 1932 | "extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1933 | |
| maclobdell | 0:f7c60d3e7b8a | 1934 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 1935 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 1936 | |
| maclobdell | 0:f7c60d3e7b8a | 1937 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 1938 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 1939 | |
| maclobdell | 0:f7c60d3e7b8a | 1940 | *olen = 4; |
| maclobdell | 0:f7c60d3e7b8a | 1941 | } |
| maclobdell | 0:f7c60d3e7b8a | 1942 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| maclobdell | 0:f7c60d3e7b8a | 1943 | |
| maclobdell | 0:f7c60d3e7b8a | 1944 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| maclobdell | 0:f7c60d3e7b8a | 1945 | static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 1946 | unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 1947 | size_t *olen ) |
| maclobdell | 0:f7c60d3e7b8a | 1948 | { |
| maclobdell | 0:f7c60d3e7b8a | 1949 | unsigned char *p = buf; |
| maclobdell | 0:f7c60d3e7b8a | 1950 | |
| maclobdell | 0:f7c60d3e7b8a | 1951 | if( ssl->handshake->new_session_ticket == 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 1952 | { |
| maclobdell | 0:f7c60d3e7b8a | 1953 | *olen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1954 | return; |
| maclobdell | 0:f7c60d3e7b8a | 1955 | } |
| maclobdell | 0:f7c60d3e7b8a | 1956 | |
| maclobdell | 0:f7c60d3e7b8a | 1957 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1958 | |
| maclobdell | 0:f7c60d3e7b8a | 1959 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 1960 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 1961 | |
| maclobdell | 0:f7c60d3e7b8a | 1962 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 1963 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 1964 | |
| maclobdell | 0:f7c60d3e7b8a | 1965 | *olen = 4; |
| maclobdell | 0:f7c60d3e7b8a | 1966 | } |
| maclobdell | 0:f7c60d3e7b8a | 1967 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| maclobdell | 0:f7c60d3e7b8a | 1968 | |
| maclobdell | 0:f7c60d3e7b8a | 1969 | static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 1970 | unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 1971 | size_t *olen ) |
| maclobdell | 0:f7c60d3e7b8a | 1972 | { |
| maclobdell | 0:f7c60d3e7b8a | 1973 | unsigned char *p = buf; |
| maclobdell | 0:f7c60d3e7b8a | 1974 | |
| maclobdell | 0:f7c60d3e7b8a | 1975 | if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION ) |
| maclobdell | 0:f7c60d3e7b8a | 1976 | { |
| maclobdell | 0:f7c60d3e7b8a | 1977 | *olen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 1978 | return; |
| maclobdell | 0:f7c60d3e7b8a | 1979 | } |
| maclobdell | 0:f7c60d3e7b8a | 1980 | |
| maclobdell | 0:f7c60d3e7b8a | 1981 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 1982 | |
| maclobdell | 0:f7c60d3e7b8a | 1983 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 1984 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 1985 | |
| maclobdell | 0:f7c60d3e7b8a | 1986 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 1987 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 1988 | { |
| maclobdell | 0:f7c60d3e7b8a | 1989 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 1990 | *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; |
| maclobdell | 0:f7c60d3e7b8a | 1991 | *p++ = ssl->verify_data_len * 2 & 0xFF; |
| maclobdell | 0:f7c60d3e7b8a | 1992 | |
| maclobdell | 0:f7c60d3e7b8a | 1993 | memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); |
| maclobdell | 0:f7c60d3e7b8a | 1994 | p += ssl->verify_data_len; |
| maclobdell | 0:f7c60d3e7b8a | 1995 | memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); |
| maclobdell | 0:f7c60d3e7b8a | 1996 | p += ssl->verify_data_len; |
| maclobdell | 0:f7c60d3e7b8a | 1997 | } |
| maclobdell | 0:f7c60d3e7b8a | 1998 | else |
| maclobdell | 0:f7c60d3e7b8a | 1999 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| maclobdell | 0:f7c60d3e7b8a | 2000 | { |
| maclobdell | 0:f7c60d3e7b8a | 2001 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 2002 | *p++ = 0x01; |
| maclobdell | 0:f7c60d3e7b8a | 2003 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 2004 | } |
| maclobdell | 0:f7c60d3e7b8a | 2005 | |
| maclobdell | 0:f7c60d3e7b8a | 2006 | *olen = p - buf; |
| maclobdell | 0:f7c60d3e7b8a | 2007 | } |
| maclobdell | 0:f7c60d3e7b8a | 2008 | |
| maclobdell | 0:f7c60d3e7b8a | 2009 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| maclobdell | 0:f7c60d3e7b8a | 2010 | static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 2011 | unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 2012 | size_t *olen ) |
| maclobdell | 0:f7c60d3e7b8a | 2013 | { |
| maclobdell | 0:f7c60d3e7b8a | 2014 | unsigned char *p = buf; |
| maclobdell | 0:f7c60d3e7b8a | 2015 | |
| maclobdell | 0:f7c60d3e7b8a | 2016 | if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) |
| maclobdell | 0:f7c60d3e7b8a | 2017 | { |
| maclobdell | 0:f7c60d3e7b8a | 2018 | *olen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2019 | return; |
| maclobdell | 0:f7c60d3e7b8a | 2020 | } |
| maclobdell | 0:f7c60d3e7b8a | 2021 | |
| maclobdell | 0:f7c60d3e7b8a | 2022 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2023 | |
| maclobdell | 0:f7c60d3e7b8a | 2024 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2025 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2026 | |
| maclobdell | 0:f7c60d3e7b8a | 2027 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 2028 | *p++ = 1; |
| maclobdell | 0:f7c60d3e7b8a | 2029 | |
| maclobdell | 0:f7c60d3e7b8a | 2030 | *p++ = ssl->session_negotiate->mfl_code; |
| maclobdell | 0:f7c60d3e7b8a | 2031 | |
| maclobdell | 0:f7c60d3e7b8a | 2032 | *olen = 5; |
| maclobdell | 0:f7c60d3e7b8a | 2033 | } |
| maclobdell | 0:f7c60d3e7b8a | 2034 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| maclobdell | 0:f7c60d3e7b8a | 2035 | |
| maclobdell | 0:f7c60d3e7b8a | 2036 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2037 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2038 | static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 2039 | unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 2040 | size_t *olen ) |
| maclobdell | 0:f7c60d3e7b8a | 2041 | { |
| maclobdell | 0:f7c60d3e7b8a | 2042 | unsigned char *p = buf; |
| maclobdell | 0:f7c60d3e7b8a | 2043 | ((void) ssl); |
| maclobdell | 0:f7c60d3e7b8a | 2044 | |
| maclobdell | 0:f7c60d3e7b8a | 2045 | if( ( ssl->handshake->cli_exts & |
| maclobdell | 0:f7c60d3e7b8a | 2046 | MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2047 | { |
| maclobdell | 0:f7c60d3e7b8a | 2048 | *olen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2049 | return; |
| maclobdell | 0:f7c60d3e7b8a | 2050 | } |
| maclobdell | 0:f7c60d3e7b8a | 2051 | |
| maclobdell | 0:f7c60d3e7b8a | 2052 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2053 | |
| maclobdell | 0:f7c60d3e7b8a | 2054 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2055 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2056 | |
| maclobdell | 0:f7c60d3e7b8a | 2057 | *p++ = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 2058 | *p++ = 2; |
| maclobdell | 0:f7c60d3e7b8a | 2059 | |
| maclobdell | 0:f7c60d3e7b8a | 2060 | *p++ = 1; |
| maclobdell | 0:f7c60d3e7b8a | 2061 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; |
| maclobdell | 0:f7c60d3e7b8a | 2062 | |
| maclobdell | 0:f7c60d3e7b8a | 2063 | *olen = 6; |
| maclobdell | 0:f7c60d3e7b8a | 2064 | } |
| maclobdell | 0:f7c60d3e7b8a | 2065 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 2066 | |
| maclobdell | 0:f7c60d3e7b8a | 2067 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2068 | static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 2069 | unsigned char *buf, |
| maclobdell | 0:f7c60d3e7b8a | 2070 | size_t *olen ) |
| maclobdell | 0:f7c60d3e7b8a | 2071 | { |
| maclobdell | 0:f7c60d3e7b8a | 2072 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 2073 | unsigned char *p = buf; |
| maclobdell | 0:f7c60d3e7b8a | 2074 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; |
| maclobdell | 0:f7c60d3e7b8a | 2075 | size_t kkpp_len; |
| maclobdell | 0:f7c60d3e7b8a | 2076 | |
| maclobdell | 0:f7c60d3e7b8a | 2077 | *olen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2078 | |
| maclobdell | 0:f7c60d3e7b8a | 2079 | /* Skip costly computation if not needed */ |
| maclobdell | 0:f7c60d3e7b8a | 2080 | if( ssl->transform_negotiate->ciphersuite_info->key_exchange != |
| maclobdell | 0:f7c60d3e7b8a | 2081 | MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 2082 | return; |
| maclobdell | 0:f7c60d3e7b8a | 2083 | |
| maclobdell | 0:f7c60d3e7b8a | 2084 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2085 | |
| maclobdell | 0:f7c60d3e7b8a | 2086 | if( end - p < 4 ) |
| maclobdell | 0:f7c60d3e7b8a | 2087 | { |
| maclobdell | 0:f7c60d3e7b8a | 2088 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2089 | return; |
| maclobdell | 0:f7c60d3e7b8a | 2090 | } |
| maclobdell | 0:f7c60d3e7b8a | 2091 | |
| maclobdell | 0:f7c60d3e7b8a | 2092 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2093 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2094 | |
| maclobdell | 0:f7c60d3e7b8a | 2095 | ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, |
| maclobdell | 0:f7c60d3e7b8a | 2096 | p + 2, end - p - 2, &kkpp_len, |
| maclobdell | 0:f7c60d3e7b8a | 2097 | ssl->conf->f_rng, ssl->conf->p_rng ); |
| maclobdell | 0:f7c60d3e7b8a | 2098 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2099 | { |
| maclobdell | 0:f7c60d3e7b8a | 2100 | MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2101 | return; |
| maclobdell | 0:f7c60d3e7b8a | 2102 | } |
| maclobdell | 0:f7c60d3e7b8a | 2103 | |
| maclobdell | 0:f7c60d3e7b8a | 2104 | *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2105 | *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2106 | |
| maclobdell | 0:f7c60d3e7b8a | 2107 | *olen = kkpp_len + 4; |
| maclobdell | 0:f7c60d3e7b8a | 2108 | } |
| maclobdell | 0:f7c60d3e7b8a | 2109 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 2110 | |
| maclobdell | 0:f7c60d3e7b8a | 2111 | #if defined(MBEDTLS_SSL_ALPN ) |
| maclobdell | 0:f7c60d3e7b8a | 2112 | static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 2113 | unsigned char *buf, size_t *olen ) |
| maclobdell | 0:f7c60d3e7b8a | 2114 | { |
| maclobdell | 0:f7c60d3e7b8a | 2115 | if( ssl->alpn_chosen == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 2116 | { |
| maclobdell | 0:f7c60d3e7b8a | 2117 | *olen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2118 | return; |
| maclobdell | 0:f7c60d3e7b8a | 2119 | } |
| maclobdell | 0:f7c60d3e7b8a | 2120 | |
| maclobdell | 0:f7c60d3e7b8a | 2121 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2122 | |
| maclobdell | 0:f7c60d3e7b8a | 2123 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2124 | * 0 . 1 ext identifier |
| maclobdell | 0:f7c60d3e7b8a | 2125 | * 2 . 3 ext length |
| maclobdell | 0:f7c60d3e7b8a | 2126 | * 4 . 5 protocol list length |
| maclobdell | 0:f7c60d3e7b8a | 2127 | * 6 . 6 protocol name length |
| maclobdell | 0:f7c60d3e7b8a | 2128 | * 7 . 7+n protocol name |
| maclobdell | 0:f7c60d3e7b8a | 2129 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2130 | buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2131 | buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2132 | |
| maclobdell | 0:f7c60d3e7b8a | 2133 | *olen = 7 + strlen( ssl->alpn_chosen ); |
| maclobdell | 0:f7c60d3e7b8a | 2134 | |
| maclobdell | 0:f7c60d3e7b8a | 2135 | buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2136 | buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2137 | |
| maclobdell | 0:f7c60d3e7b8a | 2138 | buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2139 | buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2140 | |
| maclobdell | 0:f7c60d3e7b8a | 2141 | buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2142 | |
| maclobdell | 0:f7c60d3e7b8a | 2143 | memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); |
| maclobdell | 0:f7c60d3e7b8a | 2144 | } |
| maclobdell | 0:f7c60d3e7b8a | 2145 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ |
| maclobdell | 0:f7c60d3e7b8a | 2146 | |
| maclobdell | 0:f7c60d3e7b8a | 2147 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| maclobdell | 0:f7c60d3e7b8a | 2148 | static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 2149 | { |
| maclobdell | 0:f7c60d3e7b8a | 2150 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 2151 | unsigned char *p = ssl->out_msg + 4; |
| maclobdell | 0:f7c60d3e7b8a | 2152 | unsigned char *cookie_len_byte; |
| maclobdell | 0:f7c60d3e7b8a | 2153 | |
| maclobdell | 0:f7c60d3e7b8a | 2154 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2155 | |
| maclobdell | 0:f7c60d3e7b8a | 2156 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2157 | * struct { |
| maclobdell | 0:f7c60d3e7b8a | 2158 | * ProtocolVersion server_version; |
| maclobdell | 0:f7c60d3e7b8a | 2159 | * opaque cookie<0..2^8-1>; |
| maclobdell | 0:f7c60d3e7b8a | 2160 | * } HelloVerifyRequest; |
| maclobdell | 0:f7c60d3e7b8a | 2161 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2162 | |
| maclobdell | 0:f7c60d3e7b8a | 2163 | /* The RFC is not clear on this point, but sending the actual negotiated |
| maclobdell | 0:f7c60d3e7b8a | 2164 | * version looks like the most interoperable thing to do. */ |
| maclobdell | 0:f7c60d3e7b8a | 2165 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, |
| maclobdell | 0:f7c60d3e7b8a | 2166 | ssl->conf->transport, p ); |
| maclobdell | 0:f7c60d3e7b8a | 2167 | MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); |
| maclobdell | 0:f7c60d3e7b8a | 2168 | p += 2; |
| maclobdell | 0:f7c60d3e7b8a | 2169 | |
| maclobdell | 0:f7c60d3e7b8a | 2170 | /* If we get here, f_cookie_check is not null */ |
| maclobdell | 0:f7c60d3e7b8a | 2171 | if( ssl->conf->f_cookie_write == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 2172 | { |
| maclobdell | 0:f7c60d3e7b8a | 2173 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2174 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| maclobdell | 0:f7c60d3e7b8a | 2175 | } |
| maclobdell | 0:f7c60d3e7b8a | 2176 | |
| maclobdell | 0:f7c60d3e7b8a | 2177 | /* Skip length byte until we know the length */ |
| maclobdell | 0:f7c60d3e7b8a | 2178 | cookie_len_byte = p++; |
| maclobdell | 0:f7c60d3e7b8a | 2179 | |
| maclobdell | 0:f7c60d3e7b8a | 2180 | if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, |
| maclobdell | 0:f7c60d3e7b8a | 2181 | &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN, |
| maclobdell | 0:f7c60d3e7b8a | 2182 | ssl->cli_id, ssl->cli_id_len ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2183 | { |
| maclobdell | 0:f7c60d3e7b8a | 2184 | MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2185 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2186 | } |
| maclobdell | 0:f7c60d3e7b8a | 2187 | |
| maclobdell | 0:f7c60d3e7b8a | 2188 | *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2189 | |
| maclobdell | 0:f7c60d3e7b8a | 2190 | MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte ); |
| maclobdell | 0:f7c60d3e7b8a | 2191 | |
| maclobdell | 0:f7c60d3e7b8a | 2192 | ssl->out_msglen = p - ssl->out_msg; |
| maclobdell | 0:f7c60d3e7b8a | 2193 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| maclobdell | 0:f7c60d3e7b8a | 2194 | ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; |
| maclobdell | 0:f7c60d3e7b8a | 2195 | |
| maclobdell | 0:f7c60d3e7b8a | 2196 | ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; |
| maclobdell | 0:f7c60d3e7b8a | 2197 | |
| maclobdell | 0:f7c60d3e7b8a | 2198 | if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2199 | { |
| maclobdell | 0:f7c60d3e7b8a | 2200 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2201 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2202 | } |
| maclobdell | 0:f7c60d3e7b8a | 2203 | |
| maclobdell | 0:f7c60d3e7b8a | 2204 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2205 | |
| maclobdell | 0:f7c60d3e7b8a | 2206 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 2207 | } |
| maclobdell | 0:f7c60d3e7b8a | 2208 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| maclobdell | 0:f7c60d3e7b8a | 2209 | |
| maclobdell | 0:f7c60d3e7b8a | 2210 | static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 2211 | { |
| maclobdell | 0:f7c60d3e7b8a | 2212 | #if defined(MBEDTLS_HAVE_TIME) |
| maclobdell | 0:f7c60d3e7b8a | 2213 | time_t t; |
| maclobdell | 0:f7c60d3e7b8a | 2214 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2215 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 2216 | size_t olen, ext_len = 0, n; |
| maclobdell | 0:f7c60d3e7b8a | 2217 | unsigned char *buf, *p; |
| maclobdell | 0:f7c60d3e7b8a | 2218 | |
| maclobdell | 0:f7c60d3e7b8a | 2219 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2220 | |
| maclobdell | 0:f7c60d3e7b8a | 2221 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| maclobdell | 0:f7c60d3e7b8a | 2222 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| maclobdell | 0:f7c60d3e7b8a | 2223 | ssl->handshake->verify_cookie_len != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2224 | { |
| maclobdell | 0:f7c60d3e7b8a | 2225 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2226 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2227 | |
| maclobdell | 0:f7c60d3e7b8a | 2228 | return( ssl_write_hello_verify_request( ssl ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2229 | } |
| maclobdell | 0:f7c60d3e7b8a | 2230 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| maclobdell | 0:f7c60d3e7b8a | 2231 | |
| maclobdell | 0:f7c60d3e7b8a | 2232 | if( ssl->conf->f_rng == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 2233 | { |
| maclobdell | 0:f7c60d3e7b8a | 2234 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); |
| maclobdell | 0:f7c60d3e7b8a | 2235 | return( MBEDTLS_ERR_SSL_NO_RNG ); |
| maclobdell | 0:f7c60d3e7b8a | 2236 | } |
| maclobdell | 0:f7c60d3e7b8a | 2237 | |
| maclobdell | 0:f7c60d3e7b8a | 2238 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2239 | * 0 . 0 handshake type |
| maclobdell | 0:f7c60d3e7b8a | 2240 | * 1 . 3 handshake length |
| maclobdell | 0:f7c60d3e7b8a | 2241 | * 4 . 5 protocol version |
| maclobdell | 0:f7c60d3e7b8a | 2242 | * 6 . 9 UNIX time() |
| maclobdell | 0:f7c60d3e7b8a | 2243 | * 10 . 37 random bytes |
| maclobdell | 0:f7c60d3e7b8a | 2244 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2245 | buf = ssl->out_msg; |
| maclobdell | 0:f7c60d3e7b8a | 2246 | p = buf + 4; |
| maclobdell | 0:f7c60d3e7b8a | 2247 | |
| maclobdell | 0:f7c60d3e7b8a | 2248 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, |
| maclobdell | 0:f7c60d3e7b8a | 2249 | ssl->conf->transport, p ); |
| maclobdell | 0:f7c60d3e7b8a | 2250 | p += 2; |
| maclobdell | 0:f7c60d3e7b8a | 2251 | |
| maclobdell | 0:f7c60d3e7b8a | 2252 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", |
| maclobdell | 0:f7c60d3e7b8a | 2253 | buf[4], buf[5] ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2254 | |
| maclobdell | 0:f7c60d3e7b8a | 2255 | #if defined(MBEDTLS_HAVE_TIME) |
| maclobdell | 0:f7c60d3e7b8a | 2256 | t = time( NULL ); |
| maclobdell | 0:f7c60d3e7b8a | 2257 | *p++ = (unsigned char)( t >> 24 ); |
| maclobdell | 0:f7c60d3e7b8a | 2258 | *p++ = (unsigned char)( t >> 16 ); |
| maclobdell | 0:f7c60d3e7b8a | 2259 | *p++ = (unsigned char)( t >> 8 ); |
| maclobdell | 0:f7c60d3e7b8a | 2260 | *p++ = (unsigned char)( t ); |
| maclobdell | 0:f7c60d3e7b8a | 2261 | |
| maclobdell | 0:f7c60d3e7b8a | 2262 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2263 | #else |
| maclobdell | 0:f7c60d3e7b8a | 2264 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2265 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2266 | |
| maclobdell | 0:f7c60d3e7b8a | 2267 | p += 4; |
| maclobdell | 0:f7c60d3e7b8a | 2268 | #endif /* MBEDTLS_HAVE_TIME */ |
| maclobdell | 0:f7c60d3e7b8a | 2269 | |
| maclobdell | 0:f7c60d3e7b8a | 2270 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2271 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2272 | |
| maclobdell | 0:f7c60d3e7b8a | 2273 | p += 28; |
| maclobdell | 0:f7c60d3e7b8a | 2274 | |
| maclobdell | 0:f7c60d3e7b8a | 2275 | memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); |
| maclobdell | 0:f7c60d3e7b8a | 2276 | |
| maclobdell | 0:f7c60d3e7b8a | 2277 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); |
| maclobdell | 0:f7c60d3e7b8a | 2278 | |
| maclobdell | 0:f7c60d3e7b8a | 2279 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2280 | * Resume is 0 by default, see ssl_handshake_init(). |
| maclobdell | 0:f7c60d3e7b8a | 2281 | * It may be already set to 1 by ssl_parse_session_ticket_ext(). |
| maclobdell | 0:f7c60d3e7b8a | 2282 | * If not, try looking up session ID in our cache. |
| maclobdell | 0:f7c60d3e7b8a | 2283 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2284 | if( ssl->handshake->resume == 0 && |
| maclobdell | 0:f7c60d3e7b8a | 2285 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| maclobdell | 0:f7c60d3e7b8a | 2286 | ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && |
| maclobdell | 0:f7c60d3e7b8a | 2287 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2288 | ssl->session_negotiate->id_len != 0 && |
| maclobdell | 0:f7c60d3e7b8a | 2289 | ssl->conf->f_get_cache != NULL && |
| maclobdell | 0:f7c60d3e7b8a | 2290 | ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2291 | { |
| maclobdell | 0:f7c60d3e7b8a | 2292 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2293 | ssl->handshake->resume = 1; |
| maclobdell | 0:f7c60d3e7b8a | 2294 | } |
| maclobdell | 0:f7c60d3e7b8a | 2295 | |
| maclobdell | 0:f7c60d3e7b8a | 2296 | if( ssl->handshake->resume == 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2297 | { |
| maclobdell | 0:f7c60d3e7b8a | 2298 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2299 | * New session, create a new session id, |
| maclobdell | 0:f7c60d3e7b8a | 2300 | * unless we're about to issue a session ticket |
| maclobdell | 0:f7c60d3e7b8a | 2301 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2302 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 2303 | |
| maclobdell | 0:f7c60d3e7b8a | 2304 | #if defined(MBEDTLS_HAVE_TIME) |
| maclobdell | 0:f7c60d3e7b8a | 2305 | ssl->session_negotiate->start = time( NULL ); |
| maclobdell | 0:f7c60d3e7b8a | 2306 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2307 | |
| maclobdell | 0:f7c60d3e7b8a | 2308 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| maclobdell | 0:f7c60d3e7b8a | 2309 | if( ssl->handshake->new_session_ticket != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2310 | { |
| maclobdell | 0:f7c60d3e7b8a | 2311 | ssl->session_negotiate->id_len = n = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2312 | memset( ssl->session_negotiate->id, 0, 32 ); |
| maclobdell | 0:f7c60d3e7b8a | 2313 | } |
| maclobdell | 0:f7c60d3e7b8a | 2314 | else |
| maclobdell | 0:f7c60d3e7b8a | 2315 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| maclobdell | 0:f7c60d3e7b8a | 2316 | { |
| maclobdell | 0:f7c60d3e7b8a | 2317 | ssl->session_negotiate->id_len = n = 32; |
| maclobdell | 0:f7c60d3e7b8a | 2318 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, |
| maclobdell | 0:f7c60d3e7b8a | 2319 | n ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2320 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2321 | } |
| maclobdell | 0:f7c60d3e7b8a | 2322 | } |
| maclobdell | 0:f7c60d3e7b8a | 2323 | else |
| maclobdell | 0:f7c60d3e7b8a | 2324 | { |
| maclobdell | 0:f7c60d3e7b8a | 2325 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2326 | * Resuming a session |
| maclobdell | 0:f7c60d3e7b8a | 2327 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2328 | n = ssl->session_negotiate->id_len; |
| maclobdell | 0:f7c60d3e7b8a | 2329 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
| maclobdell | 0:f7c60d3e7b8a | 2330 | |
| maclobdell | 0:f7c60d3e7b8a | 2331 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2332 | { |
| maclobdell | 0:f7c60d3e7b8a | 2333 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2334 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2335 | } |
| maclobdell | 0:f7c60d3e7b8a | 2336 | } |
| maclobdell | 0:f7c60d3e7b8a | 2337 | |
| maclobdell | 0:f7c60d3e7b8a | 2338 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2339 | * 38 . 38 session id length |
| maclobdell | 0:f7c60d3e7b8a | 2340 | * 39 . 38+n session id |
| maclobdell | 0:f7c60d3e7b8a | 2341 | * 39+n . 40+n chosen ciphersuite |
| maclobdell | 0:f7c60d3e7b8a | 2342 | * 41+n . 41+n chosen compression alg. |
| maclobdell | 0:f7c60d3e7b8a | 2343 | * 42+n . 43+n extensions length |
| maclobdell | 0:f7c60d3e7b8a | 2344 | * 44+n . 43+n+m extensions |
| maclobdell | 0:f7c60d3e7b8a | 2345 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2346 | *p++ = (unsigned char) ssl->session_negotiate->id_len; |
| maclobdell | 0:f7c60d3e7b8a | 2347 | memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); |
| maclobdell | 0:f7c60d3e7b8a | 2348 | p += ssl->session_negotiate->id_len; |
| maclobdell | 0:f7c60d3e7b8a | 2349 | |
| maclobdell | 0:f7c60d3e7b8a | 2350 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2351 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); |
| maclobdell | 0:f7c60d3e7b8a | 2352 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", |
| maclobdell | 0:f7c60d3e7b8a | 2353 | ssl->handshake->resume ? "a" : "no" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2354 | |
| maclobdell | 0:f7c60d3e7b8a | 2355 | *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); |
| maclobdell | 0:f7c60d3e7b8a | 2356 | *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); |
| maclobdell | 0:f7c60d3e7b8a | 2357 | *p++ = (unsigned char)( ssl->session_negotiate->compression ); |
| maclobdell | 0:f7c60d3e7b8a | 2358 | |
| maclobdell | 0:f7c60d3e7b8a | 2359 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", |
| maclobdell | 0:f7c60d3e7b8a | 2360 | mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2361 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", |
| maclobdell | 0:f7c60d3e7b8a | 2362 | ssl->session_negotiate->compression ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2363 | |
| maclobdell | 0:f7c60d3e7b8a | 2364 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2365 | * First write extensions, then the total length |
| maclobdell | 0:f7c60d3e7b8a | 2366 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2367 | ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); |
| maclobdell | 0:f7c60d3e7b8a | 2368 | ext_len += olen; |
| maclobdell | 0:f7c60d3e7b8a | 2369 | |
| maclobdell | 0:f7c60d3e7b8a | 2370 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| maclobdell | 0:f7c60d3e7b8a | 2371 | ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); |
| maclobdell | 0:f7c60d3e7b8a | 2372 | ext_len += olen; |
| maclobdell | 0:f7c60d3e7b8a | 2373 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2374 | |
| maclobdell | 0:f7c60d3e7b8a | 2375 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
| maclobdell | 0:f7c60d3e7b8a | 2376 | ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); |
| maclobdell | 0:f7c60d3e7b8a | 2377 | ext_len += olen; |
| maclobdell | 0:f7c60d3e7b8a | 2378 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2379 | |
| maclobdell | 0:f7c60d3e7b8a | 2380 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| maclobdell | 0:f7c60d3e7b8a | 2381 | ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); |
| maclobdell | 0:f7c60d3e7b8a | 2382 | ext_len += olen; |
| maclobdell | 0:f7c60d3e7b8a | 2383 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2384 | |
| maclobdell | 0:f7c60d3e7b8a | 2385 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| maclobdell | 0:f7c60d3e7b8a | 2386 | ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); |
| maclobdell | 0:f7c60d3e7b8a | 2387 | ext_len += olen; |
| maclobdell | 0:f7c60d3e7b8a | 2388 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2389 | |
| maclobdell | 0:f7c60d3e7b8a | 2390 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| maclobdell | 0:f7c60d3e7b8a | 2391 | ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); |
| maclobdell | 0:f7c60d3e7b8a | 2392 | ext_len += olen; |
| maclobdell | 0:f7c60d3e7b8a | 2393 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2394 | |
| maclobdell | 0:f7c60d3e7b8a | 2395 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2396 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2397 | ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); |
| maclobdell | 0:f7c60d3e7b8a | 2398 | ext_len += olen; |
| maclobdell | 0:f7c60d3e7b8a | 2399 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2400 | |
| maclobdell | 0:f7c60d3e7b8a | 2401 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2402 | ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); |
| maclobdell | 0:f7c60d3e7b8a | 2403 | ext_len += olen; |
| maclobdell | 0:f7c60d3e7b8a | 2404 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2405 | |
| maclobdell | 0:f7c60d3e7b8a | 2406 | #if defined(MBEDTLS_SSL_ALPN) |
| maclobdell | 0:f7c60d3e7b8a | 2407 | ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); |
| maclobdell | 0:f7c60d3e7b8a | 2408 | ext_len += olen; |
| maclobdell | 0:f7c60d3e7b8a | 2409 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2410 | |
| maclobdell | 0:f7c60d3e7b8a | 2411 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2412 | |
| maclobdell | 0:f7c60d3e7b8a | 2413 | if( ext_len > 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2414 | { |
| maclobdell | 0:f7c60d3e7b8a | 2415 | *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2416 | *p++ = (unsigned char)( ( ext_len ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 2417 | p += ext_len; |
| maclobdell | 0:f7c60d3e7b8a | 2418 | } |
| maclobdell | 0:f7c60d3e7b8a | 2419 | |
| maclobdell | 0:f7c60d3e7b8a | 2420 | ssl->out_msglen = p - buf; |
| maclobdell | 0:f7c60d3e7b8a | 2421 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| maclobdell | 0:f7c60d3e7b8a | 2422 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; |
| maclobdell | 0:f7c60d3e7b8a | 2423 | |
| maclobdell | 0:f7c60d3e7b8a | 2424 | ret = mbedtls_ssl_write_record( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 2425 | |
| maclobdell | 0:f7c60d3e7b8a | 2426 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2427 | |
| maclobdell | 0:f7c60d3e7b8a | 2428 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2429 | } |
| maclobdell | 0:f7c60d3e7b8a | 2430 | |
| maclobdell | 0:f7c60d3e7b8a | 2431 | #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ |
| maclobdell | 0:f7c60d3e7b8a | 2432 | !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ |
| maclobdell | 0:f7c60d3e7b8a | 2433 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ |
| maclobdell | 0:f7c60d3e7b8a | 2434 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2435 | static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 2436 | { |
| maclobdell | 0:f7c60d3e7b8a | 2437 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; |
| maclobdell | 0:f7c60d3e7b8a | 2438 | |
| maclobdell | 0:f7c60d3e7b8a | 2439 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2440 | |
| maclobdell | 0:f7c60d3e7b8a | 2441 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 2442 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 2443 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 2444 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 2445 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 2446 | { |
| maclobdell | 0:f7c60d3e7b8a | 2447 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2448 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 2449 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 2450 | } |
| maclobdell | 0:f7c60d3e7b8a | 2451 | |
| maclobdell | 0:f7c60d3e7b8a | 2452 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2453 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| maclobdell | 0:f7c60d3e7b8a | 2454 | } |
| maclobdell | 0:f7c60d3e7b8a | 2455 | #else |
| maclobdell | 0:f7c60d3e7b8a | 2456 | static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 2457 | { |
| maclobdell | 0:f7c60d3e7b8a | 2458 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| maclobdell | 0:f7c60d3e7b8a | 2459 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; |
| maclobdell | 0:f7c60d3e7b8a | 2460 | size_t dn_size, total_dn_size; /* excluding length bytes */ |
| maclobdell | 0:f7c60d3e7b8a | 2461 | size_t ct_len, sa_len; /* including length bytes */ |
| maclobdell | 0:f7c60d3e7b8a | 2462 | unsigned char *buf, *p; |
| maclobdell | 0:f7c60d3e7b8a | 2463 | const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; |
| maclobdell | 0:f7c60d3e7b8a | 2464 | const mbedtls_x509_crt *crt; |
| maclobdell | 0:f7c60d3e7b8a | 2465 | int authmode; |
| maclobdell | 0:f7c60d3e7b8a | 2466 | |
| maclobdell | 0:f7c60d3e7b8a | 2467 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2468 | |
| maclobdell | 0:f7c60d3e7b8a | 2469 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 2470 | |
| maclobdell | 0:f7c60d3e7b8a | 2471 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| maclobdell | 0:f7c60d3e7b8a | 2472 | if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) |
| maclobdell | 0:f7c60d3e7b8a | 2473 | authmode = ssl->handshake->sni_authmode; |
| maclobdell | 0:f7c60d3e7b8a | 2474 | else |
| maclobdell | 0:f7c60d3e7b8a | 2475 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2476 | authmode = ssl->conf->authmode; |
| maclobdell | 0:f7c60d3e7b8a | 2477 | |
| maclobdell | 0:f7c60d3e7b8a | 2478 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 2479 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 2480 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 2481 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 2482 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || |
| maclobdell | 0:f7c60d3e7b8a | 2483 | authmode == MBEDTLS_SSL_VERIFY_NONE ) |
| maclobdell | 0:f7c60d3e7b8a | 2484 | { |
| maclobdell | 0:f7c60d3e7b8a | 2485 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2486 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 2487 | } |
| maclobdell | 0:f7c60d3e7b8a | 2488 | |
| maclobdell | 0:f7c60d3e7b8a | 2489 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2490 | * 0 . 0 handshake type |
| maclobdell | 0:f7c60d3e7b8a | 2491 | * 1 . 3 handshake length |
| maclobdell | 0:f7c60d3e7b8a | 2492 | * 4 . 4 cert type count |
| maclobdell | 0:f7c60d3e7b8a | 2493 | * 5 .. m-1 cert types |
| maclobdell | 0:f7c60d3e7b8a | 2494 | * m .. m+1 sig alg length (TLS 1.2 only) |
| maclobdell | 0:f7c60d3e7b8a | 2495 | * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) |
| maclobdell | 0:f7c60d3e7b8a | 2496 | * n .. n+1 length of all DNs |
| maclobdell | 0:f7c60d3e7b8a | 2497 | * n+2 .. n+3 length of DN 1 |
| maclobdell | 0:f7c60d3e7b8a | 2498 | * n+4 .. ... Distinguished Name #1 |
| maclobdell | 0:f7c60d3e7b8a | 2499 | * ... .. ... length of DN 2, etc. |
| maclobdell | 0:f7c60d3e7b8a | 2500 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2501 | buf = ssl->out_msg; |
| maclobdell | 0:f7c60d3e7b8a | 2502 | p = buf + 4; |
| maclobdell | 0:f7c60d3e7b8a | 2503 | |
| maclobdell | 0:f7c60d3e7b8a | 2504 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2505 | * Supported certificate types |
| maclobdell | 0:f7c60d3e7b8a | 2506 | * |
| maclobdell | 0:f7c60d3e7b8a | 2507 | * ClientCertificateType certificate_types<1..2^8-1>; |
| maclobdell | 0:f7c60d3e7b8a | 2508 | * enum { (255) } ClientCertificateType; |
| maclobdell | 0:f7c60d3e7b8a | 2509 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2510 | ct_len = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2511 | |
| maclobdell | 0:f7c60d3e7b8a | 2512 | #if defined(MBEDTLS_RSA_C) |
| maclobdell | 0:f7c60d3e7b8a | 2513 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; |
| maclobdell | 0:f7c60d3e7b8a | 2514 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2515 | #if defined(MBEDTLS_ECDSA_C) |
| maclobdell | 0:f7c60d3e7b8a | 2516 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; |
| maclobdell | 0:f7c60d3e7b8a | 2517 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2518 | |
| maclobdell | 0:f7c60d3e7b8a | 2519 | p[0] = (unsigned char) ct_len++; |
| maclobdell | 0:f7c60d3e7b8a | 2520 | p += ct_len; |
| maclobdell | 0:f7c60d3e7b8a | 2521 | |
| maclobdell | 0:f7c60d3e7b8a | 2522 | sa_len = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2523 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| maclobdell | 0:f7c60d3e7b8a | 2524 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2525 | * Add signature_algorithms for verify (TLS 1.2) |
| maclobdell | 0:f7c60d3e7b8a | 2526 | * |
| maclobdell | 0:f7c60d3e7b8a | 2527 | * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; |
| maclobdell | 0:f7c60d3e7b8a | 2528 | * |
| maclobdell | 0:f7c60d3e7b8a | 2529 | * struct { |
| maclobdell | 0:f7c60d3e7b8a | 2530 | * HashAlgorithm hash; |
| maclobdell | 0:f7c60d3e7b8a | 2531 | * SignatureAlgorithm signature; |
| maclobdell | 0:f7c60d3e7b8a | 2532 | * } SignatureAndHashAlgorithm; |
| maclobdell | 0:f7c60d3e7b8a | 2533 | * |
| maclobdell | 0:f7c60d3e7b8a | 2534 | * enum { (255) } HashAlgorithm; |
| maclobdell | 0:f7c60d3e7b8a | 2535 | * enum { (255) } SignatureAlgorithm; |
| maclobdell | 0:f7c60d3e7b8a | 2536 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2537 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
| maclobdell | 0:f7c60d3e7b8a | 2538 | { |
| maclobdell | 0:f7c60d3e7b8a | 2539 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2540 | * Only use current running hash algorithm that is already required |
| maclobdell | 0:f7c60d3e7b8a | 2541 | * for requested ciphersuite. |
| maclobdell | 0:f7c60d3e7b8a | 2542 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2543 | ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA256; |
| maclobdell | 0:f7c60d3e7b8a | 2544 | |
| maclobdell | 0:f7c60d3e7b8a | 2545 | if( ssl->transform_negotiate->ciphersuite_info->mac == |
| maclobdell | 0:f7c60d3e7b8a | 2546 | MBEDTLS_MD_SHA384 ) |
| maclobdell | 0:f7c60d3e7b8a | 2547 | { |
| maclobdell | 0:f7c60d3e7b8a | 2548 | ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA384; |
| maclobdell | 0:f7c60d3e7b8a | 2549 | } |
| maclobdell | 0:f7c60d3e7b8a | 2550 | |
| maclobdell | 0:f7c60d3e7b8a | 2551 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2552 | * Supported signature algorithms |
| maclobdell | 0:f7c60d3e7b8a | 2553 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2554 | #if defined(MBEDTLS_RSA_C) |
| maclobdell | 0:f7c60d3e7b8a | 2555 | p[2 + sa_len++] = ssl->handshake->verify_sig_alg; |
| maclobdell | 0:f7c60d3e7b8a | 2556 | p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA; |
| maclobdell | 0:f7c60d3e7b8a | 2557 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2558 | #if defined(MBEDTLS_ECDSA_C) |
| maclobdell | 0:f7c60d3e7b8a | 2559 | p[2 + sa_len++] = ssl->handshake->verify_sig_alg; |
| maclobdell | 0:f7c60d3e7b8a | 2560 | p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA; |
| maclobdell | 0:f7c60d3e7b8a | 2561 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2562 | |
| maclobdell | 0:f7c60d3e7b8a | 2563 | p[0] = (unsigned char)( sa_len >> 8 ); |
| maclobdell | 0:f7c60d3e7b8a | 2564 | p[1] = (unsigned char)( sa_len ); |
| maclobdell | 0:f7c60d3e7b8a | 2565 | sa_len += 2; |
| maclobdell | 0:f7c60d3e7b8a | 2566 | p += sa_len; |
| maclobdell | 0:f7c60d3e7b8a | 2567 | } |
| maclobdell | 0:f7c60d3e7b8a | 2568 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| maclobdell | 0:f7c60d3e7b8a | 2569 | |
| maclobdell | 0:f7c60d3e7b8a | 2570 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2571 | * DistinguishedName certificate_authorities<0..2^16-1>; |
| maclobdell | 0:f7c60d3e7b8a | 2572 | * opaque DistinguishedName<1..2^16-1>; |
| maclobdell | 0:f7c60d3e7b8a | 2573 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2574 | p += 2; |
| maclobdell | 0:f7c60d3e7b8a | 2575 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| maclobdell | 0:f7c60d3e7b8a | 2576 | if( ssl->handshake->sni_ca_chain != NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 2577 | crt = ssl->handshake->sni_ca_chain; |
| maclobdell | 0:f7c60d3e7b8a | 2578 | else |
| maclobdell | 0:f7c60d3e7b8a | 2579 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2580 | crt = ssl->conf->ca_chain; |
| maclobdell | 0:f7c60d3e7b8a | 2581 | |
| maclobdell | 0:f7c60d3e7b8a | 2582 | total_dn_size = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2583 | while( crt != NULL && crt->version != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2584 | { |
| maclobdell | 0:f7c60d3e7b8a | 2585 | dn_size = crt->subject_raw.len; |
| maclobdell | 0:f7c60d3e7b8a | 2586 | |
| maclobdell | 0:f7c60d3e7b8a | 2587 | if( end < p || (size_t)( end - p ) < 2 + dn_size ) |
| maclobdell | 0:f7c60d3e7b8a | 2588 | { |
| maclobdell | 0:f7c60d3e7b8a | 2589 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2590 | break; |
| maclobdell | 0:f7c60d3e7b8a | 2591 | } |
| maclobdell | 0:f7c60d3e7b8a | 2592 | |
| maclobdell | 0:f7c60d3e7b8a | 2593 | *p++ = (unsigned char)( dn_size >> 8 ); |
| maclobdell | 0:f7c60d3e7b8a | 2594 | *p++ = (unsigned char)( dn_size ); |
| maclobdell | 0:f7c60d3e7b8a | 2595 | memcpy( p, crt->subject_raw.p, dn_size ); |
| maclobdell | 0:f7c60d3e7b8a | 2596 | p += dn_size; |
| maclobdell | 0:f7c60d3e7b8a | 2597 | |
| maclobdell | 0:f7c60d3e7b8a | 2598 | MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size ); |
| maclobdell | 0:f7c60d3e7b8a | 2599 | |
| maclobdell | 0:f7c60d3e7b8a | 2600 | total_dn_size += 2 + dn_size; |
| maclobdell | 0:f7c60d3e7b8a | 2601 | crt = crt->next; |
| maclobdell | 0:f7c60d3e7b8a | 2602 | } |
| maclobdell | 0:f7c60d3e7b8a | 2603 | |
| maclobdell | 0:f7c60d3e7b8a | 2604 | ssl->out_msglen = p - buf; |
| maclobdell | 0:f7c60d3e7b8a | 2605 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| maclobdell | 0:f7c60d3e7b8a | 2606 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; |
| maclobdell | 0:f7c60d3e7b8a | 2607 | ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 ); |
| maclobdell | 0:f7c60d3e7b8a | 2608 | ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size ); |
| maclobdell | 0:f7c60d3e7b8a | 2609 | |
| maclobdell | 0:f7c60d3e7b8a | 2610 | ret = mbedtls_ssl_write_record( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 2611 | |
| maclobdell | 0:f7c60d3e7b8a | 2612 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2613 | |
| maclobdell | 0:f7c60d3e7b8a | 2614 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2615 | } |
| maclobdell | 0:f7c60d3e7b8a | 2616 | #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && |
| maclobdell | 0:f7c60d3e7b8a | 2617 | !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && |
| maclobdell | 0:f7c60d3e7b8a | 2618 | !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && |
| maclobdell | 0:f7c60d3e7b8a | 2619 | !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 2620 | |
| maclobdell | 0:f7c60d3e7b8a | 2621 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2622 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2623 | static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 2624 | { |
| maclobdell | 0:f7c60d3e7b8a | 2625 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 2626 | |
| maclobdell | 0:f7c60d3e7b8a | 2627 | if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) ) |
| maclobdell | 0:f7c60d3e7b8a | 2628 | { |
| maclobdell | 0:f7c60d3e7b8a | 2629 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2630 | return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); |
| maclobdell | 0:f7c60d3e7b8a | 2631 | } |
| maclobdell | 0:f7c60d3e7b8a | 2632 | |
| maclobdell | 0:f7c60d3e7b8a | 2633 | if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, |
| maclobdell | 0:f7c60d3e7b8a | 2634 | mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ), |
| maclobdell | 0:f7c60d3e7b8a | 2635 | MBEDTLS_ECDH_OURS ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2636 | { |
| maclobdell | 0:f7c60d3e7b8a | 2637 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2638 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2639 | } |
| maclobdell | 0:f7c60d3e7b8a | 2640 | |
| maclobdell | 0:f7c60d3e7b8a | 2641 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 2642 | } |
| maclobdell | 0:f7c60d3e7b8a | 2643 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || |
| maclobdell | 0:f7c60d3e7b8a | 2644 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 2645 | |
| maclobdell | 0:f7c60d3e7b8a | 2646 | static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 2647 | { |
| maclobdell | 0:f7c60d3e7b8a | 2648 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 2649 | size_t n = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2650 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| maclobdell | 0:f7c60d3e7b8a | 2651 | ssl->transform_negotiate->ciphersuite_info; |
| maclobdell | 0:f7c60d3e7b8a | 2652 | |
| maclobdell | 0:f7c60d3e7b8a | 2653 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2654 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2655 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2656 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2657 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2658 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2659 | unsigned char *p = ssl->out_msg + 4; |
| maclobdell | 0:f7c60d3e7b8a | 2660 | unsigned char *dig_signed = p; |
| maclobdell | 0:f7c60d3e7b8a | 2661 | size_t dig_signed_len = 0, len; |
| maclobdell | 0:f7c60d3e7b8a | 2662 | ((void) dig_signed); |
| maclobdell | 0:f7c60d3e7b8a | 2663 | ((void) dig_signed_len); |
| maclobdell | 0:f7c60d3e7b8a | 2664 | ((void) len); |
| maclobdell | 0:f7c60d3e7b8a | 2665 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2666 | |
| maclobdell | 0:f7c60d3e7b8a | 2667 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2668 | |
| maclobdell | 0:f7c60d3e7b8a | 2669 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2670 | defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2671 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2672 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA || |
| maclobdell | 0:f7c60d3e7b8a | 2673 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 2674 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) |
| maclobdell | 0:f7c60d3e7b8a | 2675 | { |
| maclobdell | 0:f7c60d3e7b8a | 2676 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2677 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 2678 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 2679 | } |
| maclobdell | 0:f7c60d3e7b8a | 2680 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2681 | |
| maclobdell | 0:f7c60d3e7b8a | 2682 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2683 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2684 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| maclobdell | 0:f7c60d3e7b8a | 2685 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) |
| maclobdell | 0:f7c60d3e7b8a | 2686 | { |
| maclobdell | 0:f7c60d3e7b8a | 2687 | ssl_get_ecdh_params_from_cert( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 2688 | |
| maclobdell | 0:f7c60d3e7b8a | 2689 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2690 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 2691 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 2692 | } |
| maclobdell | 0:f7c60d3e7b8a | 2693 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2694 | |
| maclobdell | 0:f7c60d3e7b8a | 2695 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2696 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 2697 | { |
| maclobdell | 0:f7c60d3e7b8a | 2698 | size_t jlen; |
| maclobdell | 0:f7c60d3e7b8a | 2699 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; |
| maclobdell | 0:f7c60d3e7b8a | 2700 | |
| maclobdell | 0:f7c60d3e7b8a | 2701 | ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, |
| maclobdell | 0:f7c60d3e7b8a | 2702 | p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng ); |
| maclobdell | 0:f7c60d3e7b8a | 2703 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2704 | { |
| maclobdell | 0:f7c60d3e7b8a | 2705 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2706 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2707 | } |
| maclobdell | 0:f7c60d3e7b8a | 2708 | |
| maclobdell | 0:f7c60d3e7b8a | 2709 | p += jlen; |
| maclobdell | 0:f7c60d3e7b8a | 2710 | n += jlen; |
| maclobdell | 0:f7c60d3e7b8a | 2711 | } |
| maclobdell | 0:f7c60d3e7b8a | 2712 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 2713 | |
| maclobdell | 0:f7c60d3e7b8a | 2714 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2715 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2716 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 2717 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) |
| maclobdell | 0:f7c60d3e7b8a | 2718 | { |
| maclobdell | 0:f7c60d3e7b8a | 2719 | /* TODO: Support identity hints */ |
| maclobdell | 0:f7c60d3e7b8a | 2720 | *(p++) = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 2721 | *(p++) = 0x00; |
| maclobdell | 0:f7c60d3e7b8a | 2722 | |
| maclobdell | 0:f7c60d3e7b8a | 2723 | n += 2; |
| maclobdell | 0:f7c60d3e7b8a | 2724 | } |
| maclobdell | 0:f7c60d3e7b8a | 2725 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || |
| maclobdell | 0:f7c60d3e7b8a | 2726 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 2727 | |
| maclobdell | 0:f7c60d3e7b8a | 2728 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2729 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2730 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || |
| maclobdell | 0:f7c60d3e7b8a | 2731 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) |
| maclobdell | 0:f7c60d3e7b8a | 2732 | { |
| maclobdell | 0:f7c60d3e7b8a | 2733 | if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 2734 | { |
| maclobdell | 0:f7c60d3e7b8a | 2735 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2736 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| maclobdell | 0:f7c60d3e7b8a | 2737 | } |
| maclobdell | 0:f7c60d3e7b8a | 2738 | |
| maclobdell | 0:f7c60d3e7b8a | 2739 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2740 | * Ephemeral DH parameters: |
| maclobdell | 0:f7c60d3e7b8a | 2741 | * |
| maclobdell | 0:f7c60d3e7b8a | 2742 | * struct { |
| maclobdell | 0:f7c60d3e7b8a | 2743 | * opaque dh_p<1..2^16-1>; |
| maclobdell | 0:f7c60d3e7b8a | 2744 | * opaque dh_g<1..2^16-1>; |
| maclobdell | 0:f7c60d3e7b8a | 2745 | * opaque dh_Ys<1..2^16-1>; |
| maclobdell | 0:f7c60d3e7b8a | 2746 | * } ServerDHParams; |
| maclobdell | 0:f7c60d3e7b8a | 2747 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2748 | if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 || |
| maclobdell | 0:f7c60d3e7b8a | 2749 | ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2750 | { |
| maclobdell | 0:f7c60d3e7b8a | 2751 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2752 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2753 | } |
| maclobdell | 0:f7c60d3e7b8a | 2754 | |
| maclobdell | 0:f7c60d3e7b8a | 2755 | if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx, |
| maclobdell | 0:f7c60d3e7b8a | 2756 | (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), |
| maclobdell | 0:f7c60d3e7b8a | 2757 | p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2758 | { |
| maclobdell | 0:f7c60d3e7b8a | 2759 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2760 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2761 | } |
| maclobdell | 0:f7c60d3e7b8a | 2762 | |
| maclobdell | 0:f7c60d3e7b8a | 2763 | dig_signed = p; |
| maclobdell | 0:f7c60d3e7b8a | 2764 | dig_signed_len = len; |
| maclobdell | 0:f7c60d3e7b8a | 2765 | |
| maclobdell | 0:f7c60d3e7b8a | 2766 | p += len; |
| maclobdell | 0:f7c60d3e7b8a | 2767 | n += len; |
| maclobdell | 0:f7c60d3e7b8a | 2768 | |
| maclobdell | 0:f7c60d3e7b8a | 2769 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); |
| maclobdell | 0:f7c60d3e7b8a | 2770 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); |
| maclobdell | 0:f7c60d3e7b8a | 2771 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); |
| maclobdell | 0:f7c60d3e7b8a | 2772 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); |
| maclobdell | 0:f7c60d3e7b8a | 2773 | } |
| maclobdell | 0:f7c60d3e7b8a | 2774 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
| maclobdell | 0:f7c60d3e7b8a | 2775 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 2776 | |
| maclobdell | 0:f7c60d3e7b8a | 2777 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2778 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| maclobdell | 0:f7c60d3e7b8a | 2779 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
| maclobdell | 0:f7c60d3e7b8a | 2780 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) |
| maclobdell | 0:f7c60d3e7b8a | 2781 | { |
| maclobdell | 0:f7c60d3e7b8a | 2782 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2783 | * Ephemeral ECDH parameters: |
| maclobdell | 0:f7c60d3e7b8a | 2784 | * |
| maclobdell | 0:f7c60d3e7b8a | 2785 | * struct { |
| maclobdell | 0:f7c60d3e7b8a | 2786 | * ECParameters curve_params; |
| maclobdell | 0:f7c60d3e7b8a | 2787 | * ECPoint public; |
| maclobdell | 0:f7c60d3e7b8a | 2788 | * } ServerECDHParams; |
| maclobdell | 0:f7c60d3e7b8a | 2789 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2790 | const mbedtls_ecp_curve_info **curve = NULL; |
| maclobdell | 0:f7c60d3e7b8a | 2791 | const mbedtls_ecp_group_id *gid; |
| maclobdell | 0:f7c60d3e7b8a | 2792 | |
| maclobdell | 0:f7c60d3e7b8a | 2793 | /* Match our preference list against the offered curves */ |
| maclobdell | 0:f7c60d3e7b8a | 2794 | for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) |
| maclobdell | 0:f7c60d3e7b8a | 2795 | for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) |
| maclobdell | 0:f7c60d3e7b8a | 2796 | if( (*curve)->grp_id == *gid ) |
| maclobdell | 0:f7c60d3e7b8a | 2797 | goto curve_matching_done; |
| maclobdell | 0:f7c60d3e7b8a | 2798 | |
| maclobdell | 0:f7c60d3e7b8a | 2799 | curve_matching_done: |
| maclobdell | 0:f7c60d3e7b8a | 2800 | if( curve == NULL || *curve == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 2801 | { |
| maclobdell | 0:f7c60d3e7b8a | 2802 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2803 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); |
| maclobdell | 0:f7c60d3e7b8a | 2804 | } |
| maclobdell | 0:f7c60d3e7b8a | 2805 | |
| maclobdell | 0:f7c60d3e7b8a | 2806 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2807 | |
| maclobdell | 0:f7c60d3e7b8a | 2808 | if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp, |
| maclobdell | 0:f7c60d3e7b8a | 2809 | (*curve)->grp_id ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2810 | { |
| maclobdell | 0:f7c60d3e7b8a | 2811 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2812 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2813 | } |
| maclobdell | 0:f7c60d3e7b8a | 2814 | |
| maclobdell | 0:f7c60d3e7b8a | 2815 | if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len, |
| maclobdell | 0:f7c60d3e7b8a | 2816 | p, MBEDTLS_SSL_MAX_CONTENT_LEN - n, |
| maclobdell | 0:f7c60d3e7b8a | 2817 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2818 | { |
| maclobdell | 0:f7c60d3e7b8a | 2819 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2820 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2821 | } |
| maclobdell | 0:f7c60d3e7b8a | 2822 | |
| maclobdell | 0:f7c60d3e7b8a | 2823 | dig_signed = p; |
| maclobdell | 0:f7c60d3e7b8a | 2824 | dig_signed_len = len; |
| maclobdell | 0:f7c60d3e7b8a | 2825 | |
| maclobdell | 0:f7c60d3e7b8a | 2826 | p += len; |
| maclobdell | 0:f7c60d3e7b8a | 2827 | n += len; |
| maclobdell | 0:f7c60d3e7b8a | 2828 | |
| maclobdell | 0:f7c60d3e7b8a | 2829 | MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q ); |
| maclobdell | 0:f7c60d3e7b8a | 2830 | } |
| maclobdell | 0:f7c60d3e7b8a | 2831 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 2832 | |
| maclobdell | 0:f7c60d3e7b8a | 2833 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2834 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2835 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 2836 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || |
| maclobdell | 0:f7c60d3e7b8a | 2837 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| maclobdell | 0:f7c60d3e7b8a | 2838 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) |
| maclobdell | 0:f7c60d3e7b8a | 2839 | { |
| maclobdell | 0:f7c60d3e7b8a | 2840 | size_t signature_len = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2841 | unsigned int hashlen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2842 | unsigned char hash[64]; |
| maclobdell | 0:f7c60d3e7b8a | 2843 | mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; |
| maclobdell | 0:f7c60d3e7b8a | 2844 | |
| maclobdell | 0:f7c60d3e7b8a | 2845 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2846 | * Choose hash algorithm. NONE means MD5 + SHA1 here. |
| maclobdell | 0:f7c60d3e7b8a | 2847 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2848 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| maclobdell | 0:f7c60d3e7b8a | 2849 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
| maclobdell | 0:f7c60d3e7b8a | 2850 | { |
| maclobdell | 0:f7c60d3e7b8a | 2851 | md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->sig_alg ); |
| maclobdell | 0:f7c60d3e7b8a | 2852 | |
| maclobdell | 0:f7c60d3e7b8a | 2853 | if( md_alg == MBEDTLS_MD_NONE ) |
| maclobdell | 0:f7c60d3e7b8a | 2854 | { |
| maclobdell | 0:f7c60d3e7b8a | 2855 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2856 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| maclobdell | 0:f7c60d3e7b8a | 2857 | } |
| maclobdell | 0:f7c60d3e7b8a | 2858 | } |
| maclobdell | 0:f7c60d3e7b8a | 2859 | else |
| maclobdell | 0:f7c60d3e7b8a | 2860 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| maclobdell | 0:f7c60d3e7b8a | 2861 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2862 | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
| maclobdell | 0:f7c60d3e7b8a | 2863 | if( ciphersuite_info->key_exchange == |
| maclobdell | 0:f7c60d3e7b8a | 2864 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) |
| maclobdell | 0:f7c60d3e7b8a | 2865 | { |
| maclobdell | 0:f7c60d3e7b8a | 2866 | md_alg = MBEDTLS_MD_SHA1; |
| maclobdell | 0:f7c60d3e7b8a | 2867 | } |
| maclobdell | 0:f7c60d3e7b8a | 2868 | else |
| maclobdell | 0:f7c60d3e7b8a | 2869 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 2870 | { |
| maclobdell | 0:f7c60d3e7b8a | 2871 | md_alg = MBEDTLS_MD_NONE; |
| maclobdell | 0:f7c60d3e7b8a | 2872 | } |
| maclobdell | 0:f7c60d3e7b8a | 2873 | |
| maclobdell | 0:f7c60d3e7b8a | 2874 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2875 | * Compute the hash to be signed |
| maclobdell | 0:f7c60d3e7b8a | 2876 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2877 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2878 | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
| maclobdell | 0:f7c60d3e7b8a | 2879 | if( md_alg == MBEDTLS_MD_NONE ) |
| maclobdell | 0:f7c60d3e7b8a | 2880 | { |
| maclobdell | 0:f7c60d3e7b8a | 2881 | mbedtls_md5_context mbedtls_md5; |
| maclobdell | 0:f7c60d3e7b8a | 2882 | mbedtls_sha1_context mbedtls_sha1; |
| maclobdell | 0:f7c60d3e7b8a | 2883 | |
| maclobdell | 0:f7c60d3e7b8a | 2884 | mbedtls_md5_init( &mbedtls_md5 ); |
| maclobdell | 0:f7c60d3e7b8a | 2885 | mbedtls_sha1_init( &mbedtls_sha1 ); |
| maclobdell | 0:f7c60d3e7b8a | 2886 | |
| maclobdell | 0:f7c60d3e7b8a | 2887 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2888 | * digitally-signed struct { |
| maclobdell | 0:f7c60d3e7b8a | 2889 | * opaque md5_hash[16]; |
| maclobdell | 0:f7c60d3e7b8a | 2890 | * opaque sha_hash[20]; |
| maclobdell | 0:f7c60d3e7b8a | 2891 | * }; |
| maclobdell | 0:f7c60d3e7b8a | 2892 | * |
| maclobdell | 0:f7c60d3e7b8a | 2893 | * md5_hash |
| maclobdell | 0:f7c60d3e7b8a | 2894 | * MD5(ClientHello.random + ServerHello.random |
| maclobdell | 0:f7c60d3e7b8a | 2895 | * + ServerParams); |
| maclobdell | 0:f7c60d3e7b8a | 2896 | * sha_hash |
| maclobdell | 0:f7c60d3e7b8a | 2897 | * SHA(ClientHello.random + ServerHello.random |
| maclobdell | 0:f7c60d3e7b8a | 2898 | * + ServerParams); |
| maclobdell | 0:f7c60d3e7b8a | 2899 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2900 | mbedtls_md5_starts( &mbedtls_md5 ); |
| maclobdell | 0:f7c60d3e7b8a | 2901 | mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); |
| maclobdell | 0:f7c60d3e7b8a | 2902 | mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len ); |
| maclobdell | 0:f7c60d3e7b8a | 2903 | mbedtls_md5_finish( &mbedtls_md5, hash ); |
| maclobdell | 0:f7c60d3e7b8a | 2904 | |
| maclobdell | 0:f7c60d3e7b8a | 2905 | mbedtls_sha1_starts( &mbedtls_sha1 ); |
| maclobdell | 0:f7c60d3e7b8a | 2906 | mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); |
| maclobdell | 0:f7c60d3e7b8a | 2907 | mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len ); |
| maclobdell | 0:f7c60d3e7b8a | 2908 | mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); |
| maclobdell | 0:f7c60d3e7b8a | 2909 | |
| maclobdell | 0:f7c60d3e7b8a | 2910 | hashlen = 36; |
| maclobdell | 0:f7c60d3e7b8a | 2911 | |
| maclobdell | 0:f7c60d3e7b8a | 2912 | mbedtls_md5_free( &mbedtls_md5 ); |
| maclobdell | 0:f7c60d3e7b8a | 2913 | mbedtls_sha1_free( &mbedtls_sha1 ); |
| maclobdell | 0:f7c60d3e7b8a | 2914 | } |
| maclobdell | 0:f7c60d3e7b8a | 2915 | else |
| maclobdell | 0:f7c60d3e7b8a | 2916 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ |
| maclobdell | 0:f7c60d3e7b8a | 2917 | MBEDTLS_SSL_PROTO_TLS1_1 */ |
| maclobdell | 0:f7c60d3e7b8a | 2918 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
| maclobdell | 0:f7c60d3e7b8a | 2919 | defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| maclobdell | 0:f7c60d3e7b8a | 2920 | if( md_alg != MBEDTLS_MD_NONE ) |
| maclobdell | 0:f7c60d3e7b8a | 2921 | { |
| maclobdell | 0:f7c60d3e7b8a | 2922 | mbedtls_md_context_t ctx; |
| maclobdell | 0:f7c60d3e7b8a | 2923 | const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); |
| maclobdell | 0:f7c60d3e7b8a | 2924 | |
| maclobdell | 0:f7c60d3e7b8a | 2925 | mbedtls_md_init( &ctx ); |
| maclobdell | 0:f7c60d3e7b8a | 2926 | |
| maclobdell | 0:f7c60d3e7b8a | 2927 | /* Info from md_alg will be used instead */ |
| maclobdell | 0:f7c60d3e7b8a | 2928 | hashlen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 2929 | |
| maclobdell | 0:f7c60d3e7b8a | 2930 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2931 | * digitally-signed struct { |
| maclobdell | 0:f7c60d3e7b8a | 2932 | * opaque client_random[32]; |
| maclobdell | 0:f7c60d3e7b8a | 2933 | * opaque server_random[32]; |
| maclobdell | 0:f7c60d3e7b8a | 2934 | * ServerDHParams params; |
| maclobdell | 0:f7c60d3e7b8a | 2935 | * }; |
| maclobdell | 0:f7c60d3e7b8a | 2936 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2937 | if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2938 | { |
| maclobdell | 0:f7c60d3e7b8a | 2939 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2940 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2941 | } |
| maclobdell | 0:f7c60d3e7b8a | 2942 | |
| maclobdell | 0:f7c60d3e7b8a | 2943 | mbedtls_md_starts( &ctx ); |
| maclobdell | 0:f7c60d3e7b8a | 2944 | mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); |
| maclobdell | 0:f7c60d3e7b8a | 2945 | mbedtls_md_update( &ctx, dig_signed, dig_signed_len ); |
| maclobdell | 0:f7c60d3e7b8a | 2946 | mbedtls_md_finish( &ctx, hash ); |
| maclobdell | 0:f7c60d3e7b8a | 2947 | mbedtls_md_free( &ctx ); |
| maclobdell | 0:f7c60d3e7b8a | 2948 | } |
| maclobdell | 0:f7c60d3e7b8a | 2949 | else |
| maclobdell | 0:f7c60d3e7b8a | 2950 | #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ |
| maclobdell | 0:f7c60d3e7b8a | 2951 | MBEDTLS_SSL_PROTO_TLS1_2 */ |
| maclobdell | 0:f7c60d3e7b8a | 2952 | { |
| maclobdell | 0:f7c60d3e7b8a | 2953 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2954 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| maclobdell | 0:f7c60d3e7b8a | 2955 | } |
| maclobdell | 0:f7c60d3e7b8a | 2956 | |
| maclobdell | 0:f7c60d3e7b8a | 2957 | MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : |
| maclobdell | 0:f7c60d3e7b8a | 2958 | (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2959 | |
| maclobdell | 0:f7c60d3e7b8a | 2960 | /* |
| maclobdell | 0:f7c60d3e7b8a | 2961 | * Make the signature |
| maclobdell | 0:f7c60d3e7b8a | 2962 | */ |
| maclobdell | 0:f7c60d3e7b8a | 2963 | if( mbedtls_ssl_own_key( ssl ) == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 2964 | { |
| maclobdell | 0:f7c60d3e7b8a | 2965 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2966 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
| maclobdell | 0:f7c60d3e7b8a | 2967 | } |
| maclobdell | 0:f7c60d3e7b8a | 2968 | |
| maclobdell | 0:f7c60d3e7b8a | 2969 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| maclobdell | 0:f7c60d3e7b8a | 2970 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
| maclobdell | 0:f7c60d3e7b8a | 2971 | { |
| maclobdell | 0:f7c60d3e7b8a | 2972 | *(p++) = ssl->handshake->sig_alg; |
| maclobdell | 0:f7c60d3e7b8a | 2973 | *(p++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); |
| maclobdell | 0:f7c60d3e7b8a | 2974 | |
| maclobdell | 0:f7c60d3e7b8a | 2975 | n += 2; |
| maclobdell | 0:f7c60d3e7b8a | 2976 | } |
| maclobdell | 0:f7c60d3e7b8a | 2977 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| maclobdell | 0:f7c60d3e7b8a | 2978 | |
| maclobdell | 0:f7c60d3e7b8a | 2979 | if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen, |
| maclobdell | 0:f7c60d3e7b8a | 2980 | p + 2 , &signature_len, |
| maclobdell | 0:f7c60d3e7b8a | 2981 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 2982 | { |
| maclobdell | 0:f7c60d3e7b8a | 2983 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2984 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 2985 | } |
| maclobdell | 0:f7c60d3e7b8a | 2986 | |
| maclobdell | 0:f7c60d3e7b8a | 2987 | *(p++) = (unsigned char)( signature_len >> 8 ); |
| maclobdell | 0:f7c60d3e7b8a | 2988 | *(p++) = (unsigned char)( signature_len ); |
| maclobdell | 0:f7c60d3e7b8a | 2989 | n += 2; |
| maclobdell | 0:f7c60d3e7b8a | 2990 | |
| maclobdell | 0:f7c60d3e7b8a | 2991 | MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len ); |
| maclobdell | 0:f7c60d3e7b8a | 2992 | |
| maclobdell | 0:f7c60d3e7b8a | 2993 | n += signature_len; |
| maclobdell | 0:f7c60d3e7b8a | 2994 | } |
| maclobdell | 0:f7c60d3e7b8a | 2995 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || |
| maclobdell | 0:f7c60d3e7b8a | 2996 | MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| maclobdell | 0:f7c60d3e7b8a | 2997 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 2998 | |
| maclobdell | 0:f7c60d3e7b8a | 2999 | ssl->out_msglen = 4 + n; |
| maclobdell | 0:f7c60d3e7b8a | 3000 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| maclobdell | 0:f7c60d3e7b8a | 3001 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; |
| maclobdell | 0:f7c60d3e7b8a | 3002 | |
| maclobdell | 0:f7c60d3e7b8a | 3003 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 3004 | |
| maclobdell | 0:f7c60d3e7b8a | 3005 | if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3006 | { |
| maclobdell | 0:f7c60d3e7b8a | 3007 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3008 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3009 | } |
| maclobdell | 0:f7c60d3e7b8a | 3010 | |
| maclobdell | 0:f7c60d3e7b8a | 3011 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3012 | |
| maclobdell | 0:f7c60d3e7b8a | 3013 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 3014 | } |
| maclobdell | 0:f7c60d3e7b8a | 3015 | |
| maclobdell | 0:f7c60d3e7b8a | 3016 | static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 3017 | { |
| maclobdell | 0:f7c60d3e7b8a | 3018 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 3019 | |
| maclobdell | 0:f7c60d3e7b8a | 3020 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3021 | |
| maclobdell | 0:f7c60d3e7b8a | 3022 | ssl->out_msglen = 4; |
| maclobdell | 0:f7c60d3e7b8a | 3023 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| maclobdell | 0:f7c60d3e7b8a | 3024 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; |
| maclobdell | 0:f7c60d3e7b8a | 3025 | |
| maclobdell | 0:f7c60d3e7b8a | 3026 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 3027 | |
| maclobdell | 0:f7c60d3e7b8a | 3028 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 3029 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| maclobdell | 0:f7c60d3e7b8a | 3030 | mbedtls_ssl_send_flight_completed( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3031 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 3032 | |
| maclobdell | 0:f7c60d3e7b8a | 3033 | if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3034 | { |
| maclobdell | 0:f7c60d3e7b8a | 3035 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3036 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3037 | } |
| maclobdell | 0:f7c60d3e7b8a | 3038 | |
| maclobdell | 0:f7c60d3e7b8a | 3039 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3040 | |
| maclobdell | 0:f7c60d3e7b8a | 3041 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 3042 | } |
| maclobdell | 0:f7c60d3e7b8a | 3043 | |
| maclobdell | 0:f7c60d3e7b8a | 3044 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 3045 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3046 | static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p, |
| maclobdell | 0:f7c60d3e7b8a | 3047 | const unsigned char *end ) |
| maclobdell | 0:f7c60d3e7b8a | 3048 | { |
| maclobdell | 0:f7c60d3e7b8a | 3049 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| maclobdell | 0:f7c60d3e7b8a | 3050 | size_t n; |
| maclobdell | 0:f7c60d3e7b8a | 3051 | |
| maclobdell | 0:f7c60d3e7b8a | 3052 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3053 | * Receive G^Y mod P, premaster = (G^Y)^X mod P |
| maclobdell | 0:f7c60d3e7b8a | 3054 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3055 | if( *p + 2 > end ) |
| maclobdell | 0:f7c60d3e7b8a | 3056 | { |
| maclobdell | 0:f7c60d3e7b8a | 3057 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3058 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3059 | } |
| maclobdell | 0:f7c60d3e7b8a | 3060 | |
| maclobdell | 0:f7c60d3e7b8a | 3061 | n = ( (*p)[0] << 8 ) | (*p)[1]; |
| maclobdell | 0:f7c60d3e7b8a | 3062 | *p += 2; |
| maclobdell | 0:f7c60d3e7b8a | 3063 | |
| maclobdell | 0:f7c60d3e7b8a | 3064 | if( *p + n > end ) |
| maclobdell | 0:f7c60d3e7b8a | 3065 | { |
| maclobdell | 0:f7c60d3e7b8a | 3066 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3067 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3068 | } |
| maclobdell | 0:f7c60d3e7b8a | 3069 | |
| maclobdell | 0:f7c60d3e7b8a | 3070 | if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3071 | { |
| maclobdell | 0:f7c60d3e7b8a | 3072 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3073 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); |
| maclobdell | 0:f7c60d3e7b8a | 3074 | } |
| maclobdell | 0:f7c60d3e7b8a | 3075 | |
| maclobdell | 0:f7c60d3e7b8a | 3076 | *p += n; |
| maclobdell | 0:f7c60d3e7b8a | 3077 | |
| maclobdell | 0:f7c60d3e7b8a | 3078 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); |
| maclobdell | 0:f7c60d3e7b8a | 3079 | |
| maclobdell | 0:f7c60d3e7b8a | 3080 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3081 | } |
| maclobdell | 0:f7c60d3e7b8a | 3082 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
| maclobdell | 0:f7c60d3e7b8a | 3083 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3084 | |
| maclobdell | 0:f7c60d3e7b8a | 3085 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 3086 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3087 | static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, |
| maclobdell | 0:f7c60d3e7b8a | 3088 | const unsigned char *p, |
| maclobdell | 0:f7c60d3e7b8a | 3089 | const unsigned char *end, |
| maclobdell | 0:f7c60d3e7b8a | 3090 | size_t pms_offset ) |
| maclobdell | 0:f7c60d3e7b8a | 3091 | { |
| maclobdell | 0:f7c60d3e7b8a | 3092 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 3093 | size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3094 | unsigned char *pms = ssl->handshake->premaster + pms_offset; |
| maclobdell | 0:f7c60d3e7b8a | 3095 | unsigned char ver[2]; |
| maclobdell | 0:f7c60d3e7b8a | 3096 | unsigned char fake_pms[48], peer_pms[48]; |
| maclobdell | 0:f7c60d3e7b8a | 3097 | unsigned char mask; |
| maclobdell | 0:f7c60d3e7b8a | 3098 | size_t i, peer_pmslen; |
| maclobdell | 0:f7c60d3e7b8a | 3099 | unsigned int diff; |
| maclobdell | 0:f7c60d3e7b8a | 3100 | |
| maclobdell | 0:f7c60d3e7b8a | 3101 | if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) ) |
| maclobdell | 0:f7c60d3e7b8a | 3102 | { |
| maclobdell | 0:f7c60d3e7b8a | 3103 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3104 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
| maclobdell | 0:f7c60d3e7b8a | 3105 | } |
| maclobdell | 0:f7c60d3e7b8a | 3106 | |
| maclobdell | 0:f7c60d3e7b8a | 3107 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3108 | * Decrypt the premaster using own private RSA key |
| maclobdell | 0:f7c60d3e7b8a | 3109 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3110 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
| maclobdell | 0:f7c60d3e7b8a | 3111 | defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| maclobdell | 0:f7c60d3e7b8a | 3112 | if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3113 | { |
| maclobdell | 0:f7c60d3e7b8a | 3114 | if( *p++ != ( ( len >> 8 ) & 0xFF ) || |
| maclobdell | 0:f7c60d3e7b8a | 3115 | *p++ != ( ( len ) & 0xFF ) ) |
| maclobdell | 0:f7c60d3e7b8a | 3116 | { |
| maclobdell | 0:f7c60d3e7b8a | 3117 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3118 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3119 | } |
| maclobdell | 0:f7c60d3e7b8a | 3120 | } |
| maclobdell | 0:f7c60d3e7b8a | 3121 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 3122 | |
| maclobdell | 0:f7c60d3e7b8a | 3123 | if( p + len != end ) |
| maclobdell | 0:f7c60d3e7b8a | 3124 | { |
| maclobdell | 0:f7c60d3e7b8a | 3125 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3126 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3127 | } |
| maclobdell | 0:f7c60d3e7b8a | 3128 | |
| maclobdell | 0:f7c60d3e7b8a | 3129 | mbedtls_ssl_write_version( ssl->handshake->max_major_ver, |
| maclobdell | 0:f7c60d3e7b8a | 3130 | ssl->handshake->max_minor_ver, |
| maclobdell | 0:f7c60d3e7b8a | 3131 | ssl->conf->transport, ver ); |
| maclobdell | 0:f7c60d3e7b8a | 3132 | |
| maclobdell | 0:f7c60d3e7b8a | 3133 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3134 | * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding |
| maclobdell | 0:f7c60d3e7b8a | 3135 | * must not cause the connection to end immediately; instead, send a |
| maclobdell | 0:f7c60d3e7b8a | 3136 | * bad_record_mac later in the handshake. |
| maclobdell | 0:f7c60d3e7b8a | 3137 | * Also, avoid data-dependant branches here to protect against |
| maclobdell | 0:f7c60d3e7b8a | 3138 | * timing-based variants. |
| maclobdell | 0:f7c60d3e7b8a | 3139 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3140 | ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3141 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3142 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3143 | |
| maclobdell | 0:f7c60d3e7b8a | 3144 | ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len, |
| maclobdell | 0:f7c60d3e7b8a | 3145 | peer_pms, &peer_pmslen, |
| maclobdell | 0:f7c60d3e7b8a | 3146 | sizeof( peer_pms ), |
| maclobdell | 0:f7c60d3e7b8a | 3147 | ssl->conf->f_rng, ssl->conf->p_rng ); |
| maclobdell | 0:f7c60d3e7b8a | 3148 | |
| maclobdell | 0:f7c60d3e7b8a | 3149 | diff = (unsigned int) ret; |
| maclobdell | 0:f7c60d3e7b8a | 3150 | diff |= peer_pmslen ^ 48; |
| maclobdell | 0:f7c60d3e7b8a | 3151 | diff |= peer_pms[0] ^ ver[0]; |
| maclobdell | 0:f7c60d3e7b8a | 3152 | diff |= peer_pms[1] ^ ver[1]; |
| maclobdell | 0:f7c60d3e7b8a | 3153 | |
| maclobdell | 0:f7c60d3e7b8a | 3154 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
| maclobdell | 0:f7c60d3e7b8a | 3155 | if( diff != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3156 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3157 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 3158 | |
| maclobdell | 0:f7c60d3e7b8a | 3159 | if( sizeof( ssl->handshake->premaster ) < pms_offset || |
| maclobdell | 0:f7c60d3e7b8a | 3160 | sizeof( ssl->handshake->premaster ) - pms_offset < 48 ) |
| maclobdell | 0:f7c60d3e7b8a | 3161 | { |
| maclobdell | 0:f7c60d3e7b8a | 3162 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3163 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| maclobdell | 0:f7c60d3e7b8a | 3164 | } |
| maclobdell | 0:f7c60d3e7b8a | 3165 | ssl->handshake->pmslen = 48; |
| maclobdell | 0:f7c60d3e7b8a | 3166 | |
| maclobdell | 0:f7c60d3e7b8a | 3167 | /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ |
| maclobdell | 0:f7c60d3e7b8a | 3168 | /* MSVC has a warning about unary minus on unsigned, but this is |
| maclobdell | 0:f7c60d3e7b8a | 3169 | * well-defined and precisely what we want to do here */ |
| maclobdell | 0:f7c60d3e7b8a | 3170 | #if defined(_MSC_VER) |
| maclobdell | 0:f7c60d3e7b8a | 3171 | #pragma warning( push ) |
| maclobdell | 0:f7c60d3e7b8a | 3172 | #pragma warning( disable : 4146 ) |
| maclobdell | 0:f7c60d3e7b8a | 3173 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 3174 | mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3175 | #if defined(_MSC_VER) |
| maclobdell | 0:f7c60d3e7b8a | 3176 | #pragma warning( pop ) |
| maclobdell | 0:f7c60d3e7b8a | 3177 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 3178 | |
| maclobdell | 0:f7c60d3e7b8a | 3179 | for( i = 0; i < ssl->handshake->pmslen; i++ ) |
| maclobdell | 0:f7c60d3e7b8a | 3180 | pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] ); |
| maclobdell | 0:f7c60d3e7b8a | 3181 | |
| maclobdell | 0:f7c60d3e7b8a | 3182 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 3183 | } |
| maclobdell | 0:f7c60d3e7b8a | 3184 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || |
| maclobdell | 0:f7c60d3e7b8a | 3185 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3186 | |
| maclobdell | 0:f7c60d3e7b8a | 3187 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3188 | static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p, |
| maclobdell | 0:f7c60d3e7b8a | 3189 | const unsigned char *end ) |
| maclobdell | 0:f7c60d3e7b8a | 3190 | { |
| maclobdell | 0:f7c60d3e7b8a | 3191 | int ret = 0; |
| maclobdell | 0:f7c60d3e7b8a | 3192 | size_t n; |
| maclobdell | 0:f7c60d3e7b8a | 3193 | |
| maclobdell | 0:f7c60d3e7b8a | 3194 | if( ssl->conf->f_psk == NULL && |
| maclobdell | 0:f7c60d3e7b8a | 3195 | ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || |
| maclobdell | 0:f7c60d3e7b8a | 3196 | ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) |
| maclobdell | 0:f7c60d3e7b8a | 3197 | { |
| maclobdell | 0:f7c60d3e7b8a | 3198 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3199 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
| maclobdell | 0:f7c60d3e7b8a | 3200 | } |
| maclobdell | 0:f7c60d3e7b8a | 3201 | |
| maclobdell | 0:f7c60d3e7b8a | 3202 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3203 | * Receive client pre-shared key identity name |
| maclobdell | 0:f7c60d3e7b8a | 3204 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3205 | if( *p + 2 > end ) |
| maclobdell | 0:f7c60d3e7b8a | 3206 | { |
| maclobdell | 0:f7c60d3e7b8a | 3207 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3208 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3209 | } |
| maclobdell | 0:f7c60d3e7b8a | 3210 | |
| maclobdell | 0:f7c60d3e7b8a | 3211 | n = ( (*p)[0] << 8 ) | (*p)[1]; |
| maclobdell | 0:f7c60d3e7b8a | 3212 | *p += 2; |
| maclobdell | 0:f7c60d3e7b8a | 3213 | |
| maclobdell | 0:f7c60d3e7b8a | 3214 | if( n < 1 || n > 65535 || *p + n > end ) |
| maclobdell | 0:f7c60d3e7b8a | 3215 | { |
| maclobdell | 0:f7c60d3e7b8a | 3216 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3217 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3218 | } |
| maclobdell | 0:f7c60d3e7b8a | 3219 | |
| maclobdell | 0:f7c60d3e7b8a | 3220 | if( ssl->conf->f_psk != NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 3221 | { |
| maclobdell | 0:f7c60d3e7b8a | 3222 | if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3223 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| maclobdell | 0:f7c60d3e7b8a | 3224 | } |
| maclobdell | 0:f7c60d3e7b8a | 3225 | else |
| maclobdell | 0:f7c60d3e7b8a | 3226 | { |
| maclobdell | 0:f7c60d3e7b8a | 3227 | /* Identity is not a big secret since clients send it in the clear, |
| maclobdell | 0:f7c60d3e7b8a | 3228 | * but treat it carefully anyway, just in case */ |
| maclobdell | 0:f7c60d3e7b8a | 3229 | if( n != ssl->conf->psk_identity_len || |
| maclobdell | 0:f7c60d3e7b8a | 3230 | mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3231 | { |
| maclobdell | 0:f7c60d3e7b8a | 3232 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| maclobdell | 0:f7c60d3e7b8a | 3233 | } |
| maclobdell | 0:f7c60d3e7b8a | 3234 | } |
| maclobdell | 0:f7c60d3e7b8a | 3235 | |
| maclobdell | 0:f7c60d3e7b8a | 3236 | if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) |
| maclobdell | 0:f7c60d3e7b8a | 3237 | { |
| maclobdell | 0:f7c60d3e7b8a | 3238 | MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); |
| maclobdell | 0:f7c60d3e7b8a | 3239 | if( ( ret = mbedtls_ssl_send_alert_message( ssl, |
| maclobdell | 0:f7c60d3e7b8a | 3240 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| maclobdell | 0:f7c60d3e7b8a | 3241 | MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3242 | { |
| maclobdell | 0:f7c60d3e7b8a | 3243 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3244 | } |
| maclobdell | 0:f7c60d3e7b8a | 3245 | |
| maclobdell | 0:f7c60d3e7b8a | 3246 | return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); |
| maclobdell | 0:f7c60d3e7b8a | 3247 | } |
| maclobdell | 0:f7c60d3e7b8a | 3248 | |
| maclobdell | 0:f7c60d3e7b8a | 3249 | *p += n; |
| maclobdell | 0:f7c60d3e7b8a | 3250 | |
| maclobdell | 0:f7c60d3e7b8a | 3251 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 3252 | } |
| maclobdell | 0:f7c60d3e7b8a | 3253 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3254 | |
| maclobdell | 0:f7c60d3e7b8a | 3255 | static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 3256 | { |
| maclobdell | 0:f7c60d3e7b8a | 3257 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 3258 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| maclobdell | 0:f7c60d3e7b8a | 3259 | unsigned char *p, *end; |
| maclobdell | 0:f7c60d3e7b8a | 3260 | |
| maclobdell | 0:f7c60d3e7b8a | 3261 | ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; |
| maclobdell | 0:f7c60d3e7b8a | 3262 | |
| maclobdell | 0:f7c60d3e7b8a | 3263 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3264 | |
| maclobdell | 0:f7c60d3e7b8a | 3265 | if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3266 | { |
| maclobdell | 0:f7c60d3e7b8a | 3267 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3268 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3269 | } |
| maclobdell | 0:f7c60d3e7b8a | 3270 | |
| maclobdell | 0:f7c60d3e7b8a | 3271 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3272 | end = ssl->in_msg + ssl->in_hslen; |
| maclobdell | 0:f7c60d3e7b8a | 3273 | |
| maclobdell | 0:f7c60d3e7b8a | 3274 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 3275 | { |
| maclobdell | 0:f7c60d3e7b8a | 3276 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3277 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3278 | } |
| maclobdell | 0:f7c60d3e7b8a | 3279 | |
| maclobdell | 0:f7c60d3e7b8a | 3280 | if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE ) |
| maclobdell | 0:f7c60d3e7b8a | 3281 | { |
| maclobdell | 0:f7c60d3e7b8a | 3282 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3283 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3284 | } |
| maclobdell | 0:f7c60d3e7b8a | 3285 | |
| maclobdell | 0:f7c60d3e7b8a | 3286 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3287 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) |
| maclobdell | 0:f7c60d3e7b8a | 3288 | { |
| maclobdell | 0:f7c60d3e7b8a | 3289 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3290 | { |
| maclobdell | 0:f7c60d3e7b8a | 3291 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3292 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3293 | } |
| maclobdell | 0:f7c60d3e7b8a | 3294 | |
| maclobdell | 0:f7c60d3e7b8a | 3295 | if( p != end ) |
| maclobdell | 0:f7c60d3e7b8a | 3296 | { |
| maclobdell | 0:f7c60d3e7b8a | 3297 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3298 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3299 | } |
| maclobdell | 0:f7c60d3e7b8a | 3300 | |
| maclobdell | 0:f7c60d3e7b8a | 3301 | if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, |
| maclobdell | 0:f7c60d3e7b8a | 3302 | ssl->handshake->premaster, |
| maclobdell | 0:f7c60d3e7b8a | 3303 | MBEDTLS_PREMASTER_SIZE, |
| maclobdell | 0:f7c60d3e7b8a | 3304 | &ssl->handshake->pmslen, |
| maclobdell | 0:f7c60d3e7b8a | 3305 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3306 | { |
| maclobdell | 0:f7c60d3e7b8a | 3307 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3308 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); |
| maclobdell | 0:f7c60d3e7b8a | 3309 | } |
| maclobdell | 0:f7c60d3e7b8a | 3310 | |
| maclobdell | 0:f7c60d3e7b8a | 3311 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); |
| maclobdell | 0:f7c60d3e7b8a | 3312 | } |
| maclobdell | 0:f7c60d3e7b8a | 3313 | else |
| maclobdell | 0:f7c60d3e7b8a | 3314 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3315 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 3316 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 3317 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| maclobdell | 0:f7c60d3e7b8a | 3318 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3319 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| maclobdell | 0:f7c60d3e7b8a | 3320 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
| maclobdell | 0:f7c60d3e7b8a | 3321 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| maclobdell | 0:f7c60d3e7b8a | 3322 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) |
| maclobdell | 0:f7c60d3e7b8a | 3323 | { |
| maclobdell | 0:f7c60d3e7b8a | 3324 | if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, |
| maclobdell | 0:f7c60d3e7b8a | 3325 | p, end - p) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3326 | { |
| maclobdell | 0:f7c60d3e7b8a | 3327 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3328 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); |
| maclobdell | 0:f7c60d3e7b8a | 3329 | } |
| maclobdell | 0:f7c60d3e7b8a | 3330 | |
| maclobdell | 0:f7c60d3e7b8a | 3331 | MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); |
| maclobdell | 0:f7c60d3e7b8a | 3332 | |
| maclobdell | 0:f7c60d3e7b8a | 3333 | if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, |
| maclobdell | 0:f7c60d3e7b8a | 3334 | &ssl->handshake->pmslen, |
| maclobdell | 0:f7c60d3e7b8a | 3335 | ssl->handshake->premaster, |
| maclobdell | 0:f7c60d3e7b8a | 3336 | MBEDTLS_MPI_MAX_SIZE, |
| maclobdell | 0:f7c60d3e7b8a | 3337 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3338 | { |
| maclobdell | 0:f7c60d3e7b8a | 3339 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3340 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); |
| maclobdell | 0:f7c60d3e7b8a | 3341 | } |
| maclobdell | 0:f7c60d3e7b8a | 3342 | |
| maclobdell | 0:f7c60d3e7b8a | 3343 | MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z ); |
| maclobdell | 0:f7c60d3e7b8a | 3344 | } |
| maclobdell | 0:f7c60d3e7b8a | 3345 | else |
| maclobdell | 0:f7c60d3e7b8a | 3346 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| maclobdell | 0:f7c60d3e7b8a | 3347 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
| maclobdell | 0:f7c60d3e7b8a | 3348 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| maclobdell | 0:f7c60d3e7b8a | 3349 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3350 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3351 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) |
| maclobdell | 0:f7c60d3e7b8a | 3352 | { |
| maclobdell | 0:f7c60d3e7b8a | 3353 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3354 | { |
| maclobdell | 0:f7c60d3e7b8a | 3355 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3356 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3357 | } |
| maclobdell | 0:f7c60d3e7b8a | 3358 | |
| maclobdell | 0:f7c60d3e7b8a | 3359 | if( p != end ) |
| maclobdell | 0:f7c60d3e7b8a | 3360 | { |
| maclobdell | 0:f7c60d3e7b8a | 3361 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3362 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3363 | } |
| maclobdell | 0:f7c60d3e7b8a | 3364 | |
| maclobdell | 0:f7c60d3e7b8a | 3365 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| maclobdell | 0:f7c60d3e7b8a | 3366 | ciphersuite_info->key_exchange ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3367 | { |
| maclobdell | 0:f7c60d3e7b8a | 3368 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3369 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3370 | } |
| maclobdell | 0:f7c60d3e7b8a | 3371 | } |
| maclobdell | 0:f7c60d3e7b8a | 3372 | else |
| maclobdell | 0:f7c60d3e7b8a | 3373 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3374 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3375 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) |
| maclobdell | 0:f7c60d3e7b8a | 3376 | { |
| maclobdell | 0:f7c60d3e7b8a | 3377 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3378 | { |
| maclobdell | 0:f7c60d3e7b8a | 3379 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3380 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3381 | } |
| maclobdell | 0:f7c60d3e7b8a | 3382 | |
| maclobdell | 0:f7c60d3e7b8a | 3383 | if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3384 | { |
| maclobdell | 0:f7c60d3e7b8a | 3385 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3386 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3387 | } |
| maclobdell | 0:f7c60d3e7b8a | 3388 | |
| maclobdell | 0:f7c60d3e7b8a | 3389 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| maclobdell | 0:f7c60d3e7b8a | 3390 | ciphersuite_info->key_exchange ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3391 | { |
| maclobdell | 0:f7c60d3e7b8a | 3392 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3393 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3394 | } |
| maclobdell | 0:f7c60d3e7b8a | 3395 | } |
| maclobdell | 0:f7c60d3e7b8a | 3396 | else |
| maclobdell | 0:f7c60d3e7b8a | 3397 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3398 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3399 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) |
| maclobdell | 0:f7c60d3e7b8a | 3400 | { |
| maclobdell | 0:f7c60d3e7b8a | 3401 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3402 | { |
| maclobdell | 0:f7c60d3e7b8a | 3403 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3404 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3405 | } |
| maclobdell | 0:f7c60d3e7b8a | 3406 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3407 | { |
| maclobdell | 0:f7c60d3e7b8a | 3408 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3409 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3410 | } |
| maclobdell | 0:f7c60d3e7b8a | 3411 | |
| maclobdell | 0:f7c60d3e7b8a | 3412 | if( p != end ) |
| maclobdell | 0:f7c60d3e7b8a | 3413 | { |
| maclobdell | 0:f7c60d3e7b8a | 3414 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3415 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3416 | } |
| maclobdell | 0:f7c60d3e7b8a | 3417 | |
| maclobdell | 0:f7c60d3e7b8a | 3418 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| maclobdell | 0:f7c60d3e7b8a | 3419 | ciphersuite_info->key_exchange ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3420 | { |
| maclobdell | 0:f7c60d3e7b8a | 3421 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3422 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3423 | } |
| maclobdell | 0:f7c60d3e7b8a | 3424 | } |
| maclobdell | 0:f7c60d3e7b8a | 3425 | else |
| maclobdell | 0:f7c60d3e7b8a | 3426 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3427 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3428 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) |
| maclobdell | 0:f7c60d3e7b8a | 3429 | { |
| maclobdell | 0:f7c60d3e7b8a | 3430 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3431 | { |
| maclobdell | 0:f7c60d3e7b8a | 3432 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3433 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3434 | } |
| maclobdell | 0:f7c60d3e7b8a | 3435 | |
| maclobdell | 0:f7c60d3e7b8a | 3436 | if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, |
| maclobdell | 0:f7c60d3e7b8a | 3437 | p, end - p ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3438 | { |
| maclobdell | 0:f7c60d3e7b8a | 3439 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3440 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); |
| maclobdell | 0:f7c60d3e7b8a | 3441 | } |
| maclobdell | 0:f7c60d3e7b8a | 3442 | |
| maclobdell | 0:f7c60d3e7b8a | 3443 | MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); |
| maclobdell | 0:f7c60d3e7b8a | 3444 | |
| maclobdell | 0:f7c60d3e7b8a | 3445 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| maclobdell | 0:f7c60d3e7b8a | 3446 | ciphersuite_info->key_exchange ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3447 | { |
| maclobdell | 0:f7c60d3e7b8a | 3448 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3449 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3450 | } |
| maclobdell | 0:f7c60d3e7b8a | 3451 | } |
| maclobdell | 0:f7c60d3e7b8a | 3452 | else |
| maclobdell | 0:f7c60d3e7b8a | 3453 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3454 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3455 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) |
| maclobdell | 0:f7c60d3e7b8a | 3456 | { |
| maclobdell | 0:f7c60d3e7b8a | 3457 | if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3458 | { |
| maclobdell | 0:f7c60d3e7b8a | 3459 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3460 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3461 | } |
| maclobdell | 0:f7c60d3e7b8a | 3462 | } |
| maclobdell | 0:f7c60d3e7b8a | 3463 | else |
| maclobdell | 0:f7c60d3e7b8a | 3464 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3465 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3466 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 3467 | { |
| maclobdell | 0:f7c60d3e7b8a | 3468 | ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, |
| maclobdell | 0:f7c60d3e7b8a | 3469 | p, end - p ); |
| maclobdell | 0:f7c60d3e7b8a | 3470 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3471 | { |
| maclobdell | 0:f7c60d3e7b8a | 3472 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3473 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
| maclobdell | 0:f7c60d3e7b8a | 3474 | } |
| maclobdell | 0:f7c60d3e7b8a | 3475 | |
| maclobdell | 0:f7c60d3e7b8a | 3476 | ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, |
| maclobdell | 0:f7c60d3e7b8a | 3477 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen, |
| maclobdell | 0:f7c60d3e7b8a | 3478 | ssl->conf->f_rng, ssl->conf->p_rng ); |
| maclobdell | 0:f7c60d3e7b8a | 3479 | if( ret != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3480 | { |
| maclobdell | 0:f7c60d3e7b8a | 3481 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3482 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3483 | } |
| maclobdell | 0:f7c60d3e7b8a | 3484 | } |
| maclobdell | 0:f7c60d3e7b8a | 3485 | else |
| maclobdell | 0:f7c60d3e7b8a | 3486 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3487 | { |
| maclobdell | 0:f7c60d3e7b8a | 3488 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3489 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| maclobdell | 0:f7c60d3e7b8a | 3490 | } |
| maclobdell | 0:f7c60d3e7b8a | 3491 | |
| maclobdell | 0:f7c60d3e7b8a | 3492 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3493 | { |
| maclobdell | 0:f7c60d3e7b8a | 3494 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3495 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3496 | } |
| maclobdell | 0:f7c60d3e7b8a | 3497 | |
| maclobdell | 0:f7c60d3e7b8a | 3498 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 3499 | |
| maclobdell | 0:f7c60d3e7b8a | 3500 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3501 | |
| maclobdell | 0:f7c60d3e7b8a | 3502 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 3503 | } |
| maclobdell | 0:f7c60d3e7b8a | 3504 | |
| maclobdell | 0:f7c60d3e7b8a | 3505 | #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ |
| maclobdell | 0:f7c60d3e7b8a | 3506 | !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ |
| maclobdell | 0:f7c60d3e7b8a | 3507 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ |
| maclobdell | 0:f7c60d3e7b8a | 3508 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| maclobdell | 0:f7c60d3e7b8a | 3509 | static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 3510 | { |
| maclobdell | 0:f7c60d3e7b8a | 3511 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; |
| maclobdell | 0:f7c60d3e7b8a | 3512 | |
| maclobdell | 0:f7c60d3e7b8a | 3513 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3514 | |
| maclobdell | 0:f7c60d3e7b8a | 3515 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 3516 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 3517 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 3518 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 3519 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
| maclobdell | 0:f7c60d3e7b8a | 3520 | { |
| maclobdell | 0:f7c60d3e7b8a | 3521 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3522 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 3523 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 3524 | } |
| maclobdell | 0:f7c60d3e7b8a | 3525 | |
| maclobdell | 0:f7c60d3e7b8a | 3526 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3527 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| maclobdell | 0:f7c60d3e7b8a | 3528 | } |
| maclobdell | 0:f7c60d3e7b8a | 3529 | #else |
| maclobdell | 0:f7c60d3e7b8a | 3530 | static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 3531 | { |
| maclobdell | 0:f7c60d3e7b8a | 3532 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| maclobdell | 0:f7c60d3e7b8a | 3533 | size_t i, sig_len; |
| maclobdell | 0:f7c60d3e7b8a | 3534 | unsigned char hash[48]; |
| maclobdell | 0:f7c60d3e7b8a | 3535 | unsigned char *hash_start = hash; |
| maclobdell | 0:f7c60d3e7b8a | 3536 | size_t hashlen; |
| maclobdell | 0:f7c60d3e7b8a | 3537 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| maclobdell | 0:f7c60d3e7b8a | 3538 | mbedtls_pk_type_t pk_alg; |
| maclobdell | 0:f7c60d3e7b8a | 3539 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 3540 | mbedtls_md_type_t md_alg; |
| maclobdell | 0:f7c60d3e7b8a | 3541 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; |
| maclobdell | 0:f7c60d3e7b8a | 3542 | |
| maclobdell | 0:f7c60d3e7b8a | 3543 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3544 | |
| maclobdell | 0:f7c60d3e7b8a | 3545 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 3546 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 3547 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 3548 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| maclobdell | 0:f7c60d3e7b8a | 3549 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || |
| maclobdell | 0:f7c60d3e7b8a | 3550 | ssl->session_negotiate->peer_cert == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 3551 | { |
| maclobdell | 0:f7c60d3e7b8a | 3552 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3553 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 3554 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 3555 | } |
| maclobdell | 0:f7c60d3e7b8a | 3556 | |
| maclobdell | 0:f7c60d3e7b8a | 3557 | /* Needs to be done before read_record() to exclude current message */ |
| maclobdell | 0:f7c60d3e7b8a | 3558 | ssl->handshake->calc_verify( ssl, hash ); |
| maclobdell | 0:f7c60d3e7b8a | 3559 | |
| maclobdell | 0:f7c60d3e7b8a | 3560 | if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3561 | { |
| maclobdell | 0:f7c60d3e7b8a | 3562 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3563 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3564 | } |
| maclobdell | 0:f7c60d3e7b8a | 3565 | |
| maclobdell | 0:f7c60d3e7b8a | 3566 | ssl->state++; |
| maclobdell | 0:f7c60d3e7b8a | 3567 | |
| maclobdell | 0:f7c60d3e7b8a | 3568 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || |
| maclobdell | 0:f7c60d3e7b8a | 3569 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY ) |
| maclobdell | 0:f7c60d3e7b8a | 3570 | { |
| maclobdell | 0:f7c60d3e7b8a | 3571 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3572 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| maclobdell | 0:f7c60d3e7b8a | 3573 | } |
| maclobdell | 0:f7c60d3e7b8a | 3574 | |
| maclobdell | 0:f7c60d3e7b8a | 3575 | i = mbedtls_ssl_hs_hdr_len( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3576 | |
| maclobdell | 0:f7c60d3e7b8a | 3577 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3578 | * struct { |
| maclobdell | 0:f7c60d3e7b8a | 3579 | * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only |
| maclobdell | 0:f7c60d3e7b8a | 3580 | * opaque signature<0..2^16-1>; |
| maclobdell | 0:f7c60d3e7b8a | 3581 | * } DigitallySigned; |
| maclobdell | 0:f7c60d3e7b8a | 3582 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3583 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
| maclobdell | 0:f7c60d3e7b8a | 3584 | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
| maclobdell | 0:f7c60d3e7b8a | 3585 | if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) |
| maclobdell | 0:f7c60d3e7b8a | 3586 | { |
| maclobdell | 0:f7c60d3e7b8a | 3587 | md_alg = MBEDTLS_MD_NONE; |
| maclobdell | 0:f7c60d3e7b8a | 3588 | hashlen = 36; |
| maclobdell | 0:f7c60d3e7b8a | 3589 | |
| maclobdell | 0:f7c60d3e7b8a | 3590 | /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ |
| maclobdell | 0:f7c60d3e7b8a | 3591 | if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, |
| maclobdell | 0:f7c60d3e7b8a | 3592 | MBEDTLS_PK_ECDSA ) ) |
| maclobdell | 0:f7c60d3e7b8a | 3593 | { |
| maclobdell | 0:f7c60d3e7b8a | 3594 | hash_start += 16; |
| maclobdell | 0:f7c60d3e7b8a | 3595 | hashlen -= 16; |
| maclobdell | 0:f7c60d3e7b8a | 3596 | md_alg = MBEDTLS_MD_SHA1; |
| maclobdell | 0:f7c60d3e7b8a | 3597 | } |
| maclobdell | 0:f7c60d3e7b8a | 3598 | } |
| maclobdell | 0:f7c60d3e7b8a | 3599 | else |
| maclobdell | 0:f7c60d3e7b8a | 3600 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || |
| maclobdell | 0:f7c60d3e7b8a | 3601 | MBEDTLS_SSL_PROTO_TLS1_1 */ |
| maclobdell | 0:f7c60d3e7b8a | 3602 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| maclobdell | 0:f7c60d3e7b8a | 3603 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
| maclobdell | 0:f7c60d3e7b8a | 3604 | { |
| maclobdell | 0:f7c60d3e7b8a | 3605 | if( i + 2 > ssl->in_hslen ) |
| maclobdell | 0:f7c60d3e7b8a | 3606 | { |
| maclobdell | 0:f7c60d3e7b8a | 3607 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3608 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| maclobdell | 0:f7c60d3e7b8a | 3609 | } |
| maclobdell | 0:f7c60d3e7b8a | 3610 | |
| maclobdell | 0:f7c60d3e7b8a | 3611 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3612 | * Hash |
| maclobdell | 0:f7c60d3e7b8a | 3613 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3614 | if( ssl->in_msg[i] != ssl->handshake->verify_sig_alg ) |
| maclobdell | 0:f7c60d3e7b8a | 3615 | { |
| maclobdell | 0:f7c60d3e7b8a | 3616 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" |
| maclobdell | 0:f7c60d3e7b8a | 3617 | " for verify message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3618 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| maclobdell | 0:f7c60d3e7b8a | 3619 | } |
| maclobdell | 0:f7c60d3e7b8a | 3620 | |
| maclobdell | 0:f7c60d3e7b8a | 3621 | md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg ); |
| maclobdell | 0:f7c60d3e7b8a | 3622 | |
| maclobdell | 0:f7c60d3e7b8a | 3623 | /* Info from md_alg will be used instead */ |
| maclobdell | 0:f7c60d3e7b8a | 3624 | hashlen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 3625 | |
| maclobdell | 0:f7c60d3e7b8a | 3626 | i++; |
| maclobdell | 0:f7c60d3e7b8a | 3627 | |
| maclobdell | 0:f7c60d3e7b8a | 3628 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3629 | * Signature |
| maclobdell | 0:f7c60d3e7b8a | 3630 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3631 | if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) ) |
| maclobdell | 0:f7c60d3e7b8a | 3632 | == MBEDTLS_PK_NONE ) |
| maclobdell | 0:f7c60d3e7b8a | 3633 | { |
| maclobdell | 0:f7c60d3e7b8a | 3634 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" |
| maclobdell | 0:f7c60d3e7b8a | 3635 | " for verify message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3636 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| maclobdell | 0:f7c60d3e7b8a | 3637 | } |
| maclobdell | 0:f7c60d3e7b8a | 3638 | |
| maclobdell | 0:f7c60d3e7b8a | 3639 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3640 | * Check the certificate's key type matches the signature alg |
| maclobdell | 0:f7c60d3e7b8a | 3641 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3642 | if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) |
| maclobdell | 0:f7c60d3e7b8a | 3643 | { |
| maclobdell | 0:f7c60d3e7b8a | 3644 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3645 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| maclobdell | 0:f7c60d3e7b8a | 3646 | } |
| maclobdell | 0:f7c60d3e7b8a | 3647 | |
| maclobdell | 0:f7c60d3e7b8a | 3648 | i++; |
| maclobdell | 0:f7c60d3e7b8a | 3649 | } |
| maclobdell | 0:f7c60d3e7b8a | 3650 | else |
| maclobdell | 0:f7c60d3e7b8a | 3651 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| maclobdell | 0:f7c60d3e7b8a | 3652 | { |
| maclobdell | 0:f7c60d3e7b8a | 3653 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3654 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| maclobdell | 0:f7c60d3e7b8a | 3655 | } |
| maclobdell | 0:f7c60d3e7b8a | 3656 | |
| maclobdell | 0:f7c60d3e7b8a | 3657 | if( i + 2 > ssl->in_hslen ) |
| maclobdell | 0:f7c60d3e7b8a | 3658 | { |
| maclobdell | 0:f7c60d3e7b8a | 3659 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3660 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| maclobdell | 0:f7c60d3e7b8a | 3661 | } |
| maclobdell | 0:f7c60d3e7b8a | 3662 | |
| maclobdell | 0:f7c60d3e7b8a | 3663 | sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1]; |
| maclobdell | 0:f7c60d3e7b8a | 3664 | i += 2; |
| maclobdell | 0:f7c60d3e7b8a | 3665 | |
| maclobdell | 0:f7c60d3e7b8a | 3666 | if( i + sig_len != ssl->in_hslen ) |
| maclobdell | 0:f7c60d3e7b8a | 3667 | { |
| maclobdell | 0:f7c60d3e7b8a | 3668 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3669 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
| maclobdell | 0:f7c60d3e7b8a | 3670 | } |
| maclobdell | 0:f7c60d3e7b8a | 3671 | |
| maclobdell | 0:f7c60d3e7b8a | 3672 | if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, |
| maclobdell | 0:f7c60d3e7b8a | 3673 | md_alg, hash_start, hashlen, |
| maclobdell | 0:f7c60d3e7b8a | 3674 | ssl->in_msg + i, sig_len ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3675 | { |
| maclobdell | 0:f7c60d3e7b8a | 3676 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3677 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3678 | } |
| maclobdell | 0:f7c60d3e7b8a | 3679 | |
| maclobdell | 0:f7c60d3e7b8a | 3680 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3681 | |
| maclobdell | 0:f7c60d3e7b8a | 3682 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3683 | } |
| maclobdell | 0:f7c60d3e7b8a | 3684 | #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && |
| maclobdell | 0:f7c60d3e7b8a | 3685 | !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && |
| maclobdell | 0:f7c60d3e7b8a | 3686 | !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ |
| maclobdell | 0:f7c60d3e7b8a | 3687 | |
| maclobdell | 0:f7c60d3e7b8a | 3688 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| maclobdell | 0:f7c60d3e7b8a | 3689 | static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 3690 | { |
| maclobdell | 0:f7c60d3e7b8a | 3691 | int ret; |
| maclobdell | 0:f7c60d3e7b8a | 3692 | size_t tlen; |
| maclobdell | 0:f7c60d3e7b8a | 3693 | uint32_t lifetime; |
| maclobdell | 0:f7c60d3e7b8a | 3694 | |
| maclobdell | 0:f7c60d3e7b8a | 3695 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3696 | |
| maclobdell | 0:f7c60d3e7b8a | 3697 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| maclobdell | 0:f7c60d3e7b8a | 3698 | ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; |
| maclobdell | 0:f7c60d3e7b8a | 3699 | |
| maclobdell | 0:f7c60d3e7b8a | 3700 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3701 | * struct { |
| maclobdell | 0:f7c60d3e7b8a | 3702 | * uint32 ticket_lifetime_hint; |
| maclobdell | 0:f7c60d3e7b8a | 3703 | * opaque ticket<0..2^16-1>; |
| maclobdell | 0:f7c60d3e7b8a | 3704 | * } NewSessionTicket; |
| maclobdell | 0:f7c60d3e7b8a | 3705 | * |
| maclobdell | 0:f7c60d3e7b8a | 3706 | * 4 . 7 ticket_lifetime_hint (0 = unspecified) |
| maclobdell | 0:f7c60d3e7b8a | 3707 | * 8 . 9 ticket_len (n) |
| maclobdell | 0:f7c60d3e7b8a | 3708 | * 10 . 9+n ticket content |
| maclobdell | 0:f7c60d3e7b8a | 3709 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3710 | |
| maclobdell | 0:f7c60d3e7b8a | 3711 | if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, |
| maclobdell | 0:f7c60d3e7b8a | 3712 | ssl->session_negotiate, |
| maclobdell | 0:f7c60d3e7b8a | 3713 | ssl->out_msg + 10, |
| maclobdell | 0:f7c60d3e7b8a | 3714 | ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN, |
| maclobdell | 0:f7c60d3e7b8a | 3715 | &tlen, &lifetime ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3716 | { |
| maclobdell | 0:f7c60d3e7b8a | 3717 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3718 | tlen = 0; |
| maclobdell | 0:f7c60d3e7b8a | 3719 | } |
| maclobdell | 0:f7c60d3e7b8a | 3720 | |
| maclobdell | 0:f7c60d3e7b8a | 3721 | ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF; |
| maclobdell | 0:f7c60d3e7b8a | 3722 | ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF; |
| maclobdell | 0:f7c60d3e7b8a | 3723 | ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF; |
| maclobdell | 0:f7c60d3e7b8a | 3724 | ssl->out_msg[7] = ( lifetime ) & 0xFF; |
| maclobdell | 0:f7c60d3e7b8a | 3725 | |
| maclobdell | 0:f7c60d3e7b8a | 3726 | ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 3727 | ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF ); |
| maclobdell | 0:f7c60d3e7b8a | 3728 | |
| maclobdell | 0:f7c60d3e7b8a | 3729 | ssl->out_msglen = 10 + tlen; |
| maclobdell | 0:f7c60d3e7b8a | 3730 | |
| maclobdell | 0:f7c60d3e7b8a | 3731 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3732 | * Morally equivalent to updating ssl->state, but NewSessionTicket and |
| maclobdell | 0:f7c60d3e7b8a | 3733 | * ChangeCipherSpec share the same state. |
| maclobdell | 0:f7c60d3e7b8a | 3734 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3735 | ssl->handshake->new_session_ticket = 0; |
| maclobdell | 0:f7c60d3e7b8a | 3736 | |
| maclobdell | 0:f7c60d3e7b8a | 3737 | if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3738 | { |
| maclobdell | 0:f7c60d3e7b8a | 3739 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3740 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3741 | } |
| maclobdell | 0:f7c60d3e7b8a | 3742 | |
| maclobdell | 0:f7c60d3e7b8a | 3743 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3744 | |
| maclobdell | 0:f7c60d3e7b8a | 3745 | return( 0 ); |
| maclobdell | 0:f7c60d3e7b8a | 3746 | } |
| maclobdell | 0:f7c60d3e7b8a | 3747 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| maclobdell | 0:f7c60d3e7b8a | 3748 | |
| maclobdell | 0:f7c60d3e7b8a | 3749 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3750 | * SSL handshake -- server side -- single step |
| maclobdell | 0:f7c60d3e7b8a | 3751 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3752 | int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) |
| maclobdell | 0:f7c60d3e7b8a | 3753 | { |
| maclobdell | 0:f7c60d3e7b8a | 3754 | int ret = 0; |
| maclobdell | 0:f7c60d3e7b8a | 3755 | |
| maclobdell | 0:f7c60d3e7b8a | 3756 | if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) |
| maclobdell | 0:f7c60d3e7b8a | 3757 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| maclobdell | 0:f7c60d3e7b8a | 3758 | |
| maclobdell | 0:f7c60d3e7b8a | 3759 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3760 | |
| maclobdell | 0:f7c60d3e7b8a | 3761 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3762 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3763 | |
| maclobdell | 0:f7c60d3e7b8a | 3764 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 3765 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| maclobdell | 0:f7c60d3e7b8a | 3766 | ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) |
| maclobdell | 0:f7c60d3e7b8a | 3767 | { |
| maclobdell | 0:f7c60d3e7b8a | 3768 | if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3769 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3770 | } |
| maclobdell | 0:f7c60d3e7b8a | 3771 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 3772 | |
| maclobdell | 0:f7c60d3e7b8a | 3773 | switch( ssl->state ) |
| maclobdell | 0:f7c60d3e7b8a | 3774 | { |
| maclobdell | 0:f7c60d3e7b8a | 3775 | case MBEDTLS_SSL_HELLO_REQUEST: |
| maclobdell | 0:f7c60d3e7b8a | 3776 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
| maclobdell | 0:f7c60d3e7b8a | 3777 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3778 | |
| maclobdell | 0:f7c60d3e7b8a | 3779 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3780 | * <== ClientHello |
| maclobdell | 0:f7c60d3e7b8a | 3781 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3782 | case MBEDTLS_SSL_CLIENT_HELLO: |
| maclobdell | 0:f7c60d3e7b8a | 3783 | ret = ssl_parse_client_hello( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3784 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3785 | |
| maclobdell | 0:f7c60d3e7b8a | 3786 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| maclobdell | 0:f7c60d3e7b8a | 3787 | case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: |
| maclobdell | 0:f7c60d3e7b8a | 3788 | return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); |
| maclobdell | 0:f7c60d3e7b8a | 3789 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 3790 | |
| maclobdell | 0:f7c60d3e7b8a | 3791 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3792 | * ==> ServerHello |
| maclobdell | 0:f7c60d3e7b8a | 3793 | * Certificate |
| maclobdell | 0:f7c60d3e7b8a | 3794 | * ( ServerKeyExchange ) |
| maclobdell | 0:f7c60d3e7b8a | 3795 | * ( CertificateRequest ) |
| maclobdell | 0:f7c60d3e7b8a | 3796 | * ServerHelloDone |
| maclobdell | 0:f7c60d3e7b8a | 3797 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3798 | case MBEDTLS_SSL_SERVER_HELLO: |
| maclobdell | 0:f7c60d3e7b8a | 3799 | ret = ssl_write_server_hello( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3800 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3801 | |
| maclobdell | 0:f7c60d3e7b8a | 3802 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
| maclobdell | 0:f7c60d3e7b8a | 3803 | ret = mbedtls_ssl_write_certificate( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3804 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3805 | |
| maclobdell | 0:f7c60d3e7b8a | 3806 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: |
| maclobdell | 0:f7c60d3e7b8a | 3807 | ret = ssl_write_server_key_exchange( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3808 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3809 | |
| maclobdell | 0:f7c60d3e7b8a | 3810 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
| maclobdell | 0:f7c60d3e7b8a | 3811 | ret = ssl_write_certificate_request( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3812 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3813 | |
| maclobdell | 0:f7c60d3e7b8a | 3814 | case MBEDTLS_SSL_SERVER_HELLO_DONE: |
| maclobdell | 0:f7c60d3e7b8a | 3815 | ret = ssl_write_server_hello_done( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3816 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3817 | |
| maclobdell | 0:f7c60d3e7b8a | 3818 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3819 | * <== ( Certificate/Alert ) |
| maclobdell | 0:f7c60d3e7b8a | 3820 | * ClientKeyExchange |
| maclobdell | 0:f7c60d3e7b8a | 3821 | * ( CertificateVerify ) |
| maclobdell | 0:f7c60d3e7b8a | 3822 | * ChangeCipherSpec |
| maclobdell | 0:f7c60d3e7b8a | 3823 | * Finished |
| maclobdell | 0:f7c60d3e7b8a | 3824 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3825 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
| maclobdell | 0:f7c60d3e7b8a | 3826 | ret = mbedtls_ssl_parse_certificate( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3827 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3828 | |
| maclobdell | 0:f7c60d3e7b8a | 3829 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: |
| maclobdell | 0:f7c60d3e7b8a | 3830 | ret = ssl_parse_client_key_exchange( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3831 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3832 | |
| maclobdell | 0:f7c60d3e7b8a | 3833 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
| maclobdell | 0:f7c60d3e7b8a | 3834 | ret = ssl_parse_certificate_verify( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3835 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3836 | |
| maclobdell | 0:f7c60d3e7b8a | 3837 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: |
| maclobdell | 0:f7c60d3e7b8a | 3838 | ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3839 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3840 | |
| maclobdell | 0:f7c60d3e7b8a | 3841 | case MBEDTLS_SSL_CLIENT_FINISHED: |
| maclobdell | 0:f7c60d3e7b8a | 3842 | ret = mbedtls_ssl_parse_finished( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3843 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3844 | |
| maclobdell | 0:f7c60d3e7b8a | 3845 | /* |
| maclobdell | 0:f7c60d3e7b8a | 3846 | * ==> ( NewSessionTicket ) |
| maclobdell | 0:f7c60d3e7b8a | 3847 | * ChangeCipherSpec |
| maclobdell | 0:f7c60d3e7b8a | 3848 | * Finished |
| maclobdell | 0:f7c60d3e7b8a | 3849 | */ |
| maclobdell | 0:f7c60d3e7b8a | 3850 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: |
| maclobdell | 0:f7c60d3e7b8a | 3851 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| maclobdell | 0:f7c60d3e7b8a | 3852 | if( ssl->handshake->new_session_ticket != 0 ) |
| maclobdell | 0:f7c60d3e7b8a | 3853 | ret = ssl_write_new_session_ticket( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3854 | else |
| maclobdell | 0:f7c60d3e7b8a | 3855 | #endif |
| maclobdell | 0:f7c60d3e7b8a | 3856 | ret = mbedtls_ssl_write_change_cipher_spec( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3857 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3858 | |
| maclobdell | 0:f7c60d3e7b8a | 3859 | case MBEDTLS_SSL_SERVER_FINISHED: |
| maclobdell | 0:f7c60d3e7b8a | 3860 | ret = mbedtls_ssl_write_finished( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3861 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3862 | |
| maclobdell | 0:f7c60d3e7b8a | 3863 | case MBEDTLS_SSL_FLUSH_BUFFERS: |
| maclobdell | 0:f7c60d3e7b8a | 3864 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3865 | ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; |
| maclobdell | 0:f7c60d3e7b8a | 3866 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3867 | |
| maclobdell | 0:f7c60d3e7b8a | 3868 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
| maclobdell | 0:f7c60d3e7b8a | 3869 | mbedtls_ssl_handshake_wrapup( ssl ); |
| maclobdell | 0:f7c60d3e7b8a | 3870 | break; |
| maclobdell | 0:f7c60d3e7b8a | 3871 | |
| maclobdell | 0:f7c60d3e7b8a | 3872 | default: |
| maclobdell | 0:f7c60d3e7b8a | 3873 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); |
| maclobdell | 0:f7c60d3e7b8a | 3874 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| maclobdell | 0:f7c60d3e7b8a | 3875 | } |
| maclobdell | 0:f7c60d3e7b8a | 3876 | |
| maclobdell | 0:f7c60d3e7b8a | 3877 | return( ret ); |
| maclobdell | 0:f7c60d3e7b8a | 3878 | } |
| maclobdell | 0:f7c60d3e7b8a | 3879 | #endif /* MBEDTLS_SSL_SRV_C */ |