Lee Kai Xuan
/
mbed-os
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
mbed-os
by 
erkin yucel
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_CLI_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #include <stdint.h> 00045 00046 #if defined(MBEDTLS_HAVE_TIME) 00047 #include "mbedtls/platform_time.h" 00048 #endif 00049 00050 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00051 /* Implementation that should never be optimized out by the compiler */ 00052 static void mbedtls_zeroize( void *v, size_t n ) { 00053 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00054 } 00055 #endif 00056 00057 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00058 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 00059 unsigned char *buf, 00060 size_t *olen ) 00061 { 00062 unsigned char *p = buf; 00063 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00064 size_t hostname_len; 00065 00066 *olen = 0; 00067 00068 if( ssl->hostname == NULL ) 00069 return; 00070 00071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00072 ssl->hostname ) ); 00073 00074 hostname_len = strlen( ssl->hostname ); 00075 00076 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 00077 { 00078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00079 return; 00080 } 00081 00082 /* 00083 * struct { 00084 * NameType name_type; 00085 * select (name_type) { 00086 * case host_name: HostName; 00087 * } name; 00088 * } ServerName; 00089 * 00090 * enum { 00091 * host_name(0), (255) 00092 * } NameType; 00093 * 00094 * opaque HostName<1..2^16-1>; 00095 * 00096 * struct { 00097 * ServerName server_name_list<1..2^16-1> 00098 * } ServerNameList; 00099 */ 00100 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00101 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 00102 00103 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 00104 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 00105 00106 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 00107 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 00108 00109 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00110 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 00111 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 00112 00113 memcpy( p, ssl->hostname, hostname_len ); 00114 00115 *olen = hostname_len + 9; 00116 } 00117 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00118 00119 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00120 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 00121 unsigned char *buf, 00122 size_t *olen ) 00123 { 00124 unsigned char *p = buf; 00125 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00126 00127 *olen = 0; 00128 00129 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00130 return; 00131 00132 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00133 00134 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 00135 { 00136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00137 return; 00138 } 00139 00140 /* 00141 * Secure renegotiation 00142 */ 00143 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00144 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00145 00146 *p++ = 0x00; 00147 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00148 *p++ = ssl->verify_data_len & 0xFF; 00149 00150 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00151 00152 *olen = 5 + ssl->verify_data_len; 00153 } 00154 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00155 00156 /* 00157 * Only if we handle at least one key exchange that needs signatures. 00158 */ 00159 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00160 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00161 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00162 unsigned char *buf, 00163 size_t *olen ) 00164 { 00165 unsigned char *p = buf; 00166 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00167 size_t sig_alg_len = 0; 00168 const int *md; 00169 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 00170 unsigned char *sig_alg_list = buf + 6; 00171 #endif 00172 00173 *olen = 0; 00174 00175 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 00176 return; 00177 00178 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00179 00180 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00181 { 00182 #if defined(MBEDTLS_ECDSA_C) 00183 sig_alg_len += 2; 00184 #endif 00185 #if defined(MBEDTLS_RSA_C) 00186 sig_alg_len += 2; 00187 #endif 00188 } 00189 00190 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 00191 { 00192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00193 return; 00194 } 00195 00196 /* 00197 * Prepare signature_algorithms extension (TLS 1.2) 00198 */ 00199 sig_alg_len = 0; 00200 00201 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00202 { 00203 #if defined(MBEDTLS_ECDSA_C) 00204 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00205 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 00206 #endif 00207 #if defined(MBEDTLS_RSA_C) 00208 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00209 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 00210 #endif 00211 } 00212 00213 /* 00214 * enum { 00215 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00216 * sha512(6), (255) 00217 * } HashAlgorithm; 00218 * 00219 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00220 * SignatureAlgorithm; 00221 * 00222 * struct { 00223 * HashAlgorithm hash; 00224 * SignatureAlgorithm signature; 00225 * } SignatureAndHashAlgorithm; 00226 * 00227 * SignatureAndHashAlgorithm 00228 * supported_signature_algorithms<2..2^16-2>; 00229 */ 00230 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00231 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 00232 00233 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00234 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00235 00236 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00237 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00238 00239 *olen = 6 + sig_alg_len; 00240 } 00241 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00242 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00243 00244 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00245 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00246 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 00247 unsigned char *buf, 00248 size_t *olen ) 00249 { 00250 unsigned char *p = buf; 00251 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00252 unsigned char *elliptic_curve_list = p + 6; 00253 size_t elliptic_curve_len = 0; 00254 const mbedtls_ecp_curve_info *info; 00255 #if defined(MBEDTLS_ECP_C) 00256 const mbedtls_ecp_group_id *grp_id; 00257 #else 00258 ((void) ssl); 00259 #endif 00260 00261 *olen = 0; 00262 00263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00264 00265 #if defined(MBEDTLS_ECP_C) 00266 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00267 { 00268 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00269 #else 00270 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00271 { 00272 #endif 00273 if( info == NULL ) 00274 { 00275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); 00276 return; 00277 } 00278 00279 elliptic_curve_len += 2; 00280 } 00281 00282 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 00283 { 00284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00285 return; 00286 } 00287 00288 elliptic_curve_len = 0; 00289 00290 #if defined(MBEDTLS_ECP_C) 00291 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00292 { 00293 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00294 #else 00295 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00296 { 00297 #endif 00298 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00299 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00300 } 00301 00302 if( elliptic_curve_len == 0 ) 00303 return; 00304 00305 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00306 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00307 00308 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00309 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00310 00311 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00312 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00313 00314 *olen = 6 + elliptic_curve_len; 00315 } 00316 00317 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 00318 unsigned char *buf, 00319 size_t *olen ) 00320 { 00321 unsigned char *p = buf; 00322 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00323 00324 *olen = 0; 00325 00326 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00327 00328 if( end < p || (size_t)( end - p ) < 6 ) 00329 { 00330 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00331 return; 00332 } 00333 00334 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00335 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00336 00337 *p++ = 0x00; 00338 *p++ = 2; 00339 00340 *p++ = 1; 00341 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 00342 00343 *olen = 6; 00344 } 00345 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00346 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00347 00348 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00349 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 00350 unsigned char *buf, 00351 size_t *olen ) 00352 { 00353 int ret; 00354 unsigned char *p = buf; 00355 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00356 size_t kkpp_len; 00357 00358 *olen = 0; 00359 00360 /* Skip costly extension if we can't use EC J-PAKE anyway */ 00361 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00362 return; 00363 00364 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 00365 00366 if( end - p < 4 ) 00367 { 00368 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00369 return; 00370 } 00371 00372 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 00373 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 00374 00375 /* 00376 * We may need to send ClientHello multiple times for Hello verification. 00377 * We don't want to compute fresh values every time (both for performance 00378 * and consistency reasons), so cache the extension content. 00379 */ 00380 if( ssl->handshake->ecjpake_cache == NULL || 00381 ssl->handshake->ecjpake_cache_len == 0 ) 00382 { 00383 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 00384 00385 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 00386 p + 2, end - p - 2, &kkpp_len, 00387 ssl->conf->f_rng, ssl->conf->p_rng ); 00388 if( ret != 0 ) 00389 { 00390 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 00391 return; 00392 } 00393 00394 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 00395 if( ssl->handshake->ecjpake_cache == NULL ) 00396 { 00397 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 00398 return; 00399 } 00400 00401 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 00402 ssl->handshake->ecjpake_cache_len = kkpp_len; 00403 } 00404 else 00405 { 00406 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 00407 00408 kkpp_len = ssl->handshake->ecjpake_cache_len; 00409 00410 if( (size_t)( end - p - 2 ) < kkpp_len ) 00411 { 00412 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00413 return; 00414 } 00415 00416 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 00417 } 00418 00419 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 00420 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 00421 00422 *olen = kkpp_len + 4; 00423 } 00424 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00425 00426 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00427 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00428 unsigned char *buf, 00429 size_t *olen ) 00430 { 00431 unsigned char *p = buf; 00432 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00433 00434 *olen = 0; 00435 00436 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 00437 return; 00438 } 00439 00440 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00441 00442 if( end < p || (size_t)( end - p ) < 5 ) 00443 { 00444 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00445 return; 00446 } 00447 00448 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00449 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00450 00451 *p++ = 0x00; 00452 *p++ = 1; 00453 00454 *p++ = ssl->conf->mfl_code; 00455 00456 *olen = 5; 00457 } 00458 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00459 00460 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00461 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00462 unsigned char *buf, size_t *olen ) 00463 { 00464 unsigned char *p = buf; 00465 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00466 00467 *olen = 0; 00468 00469 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 00470 { 00471 return; 00472 } 00473 00474 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00475 00476 if( end < p || (size_t)( end - p ) < 4 ) 00477 { 00478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00479 return; 00480 } 00481 00482 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00483 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00484 00485 *p++ = 0x00; 00486 *p++ = 0x00; 00487 00488 *olen = 4; 00489 } 00490 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00491 00492 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00493 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00494 unsigned char *buf, size_t *olen ) 00495 { 00496 unsigned char *p = buf; 00497 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00498 00499 *olen = 0; 00500 00501 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 00502 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00503 { 00504 return; 00505 } 00506 00507 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00508 "extension" ) ); 00509 00510 if( end < p || (size_t)( end - p ) < 4 ) 00511 { 00512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00513 return; 00514 } 00515 00516 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00517 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00518 00519 *p++ = 0x00; 00520 *p++ = 0x00; 00521 00522 *olen = 4; 00523 } 00524 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00525 00526 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00527 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 00528 unsigned char *buf, size_t *olen ) 00529 { 00530 unsigned char *p = buf; 00531 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00532 00533 *olen = 0; 00534 00535 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 00536 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00537 { 00538 return; 00539 } 00540 00541 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00542 "extension" ) ); 00543 00544 if( end < p || (size_t)( end - p ) < 4 ) 00545 { 00546 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00547 return; 00548 } 00549 00550 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00551 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00552 00553 *p++ = 0x00; 00554 *p++ = 0x00; 00555 00556 *olen = 4; 00557 } 00558 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00559 00560 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00561 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 00562 unsigned char *buf, size_t *olen ) 00563 { 00564 unsigned char *p = buf; 00565 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00566 size_t tlen = ssl->session_negotiate->ticket_len; 00567 00568 *olen = 0; 00569 00570 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 00571 { 00572 return; 00573 } 00574 00575 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00576 00577 if( end < p || (size_t)( end - p ) < 4 + tlen ) 00578 { 00579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00580 return; 00581 } 00582 00583 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00584 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 00585 00586 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00587 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00588 00589 *olen = 4; 00590 00591 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 00592 { 00593 return; 00594 } 00595 00596 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00597 00598 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00599 00600 *olen += tlen; 00601 } 00602 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00603 00604 #if defined(MBEDTLS_SSL_ALPN) 00605 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 00606 unsigned char *buf, size_t *olen ) 00607 { 00608 unsigned char *p = buf; 00609 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00610 size_t alpnlen = 0; 00611 const char **cur; 00612 00613 *olen = 0; 00614 00615 if( ssl->conf->alpn_list == NULL ) 00616 { 00617 return; 00618 } 00619 00620 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00621 00622 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00623 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 00624 00625 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 00626 { 00627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00628 return; 00629 } 00630 00631 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 00632 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 00633 00634 /* 00635 * opaque ProtocolName<1..2^8-1>; 00636 * 00637 * struct { 00638 * ProtocolName protocol_name_list<2..2^16-1> 00639 * } ProtocolNameList; 00640 */ 00641 00642 /* Skip writing extension and list length for now */ 00643 p += 4; 00644 00645 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00646 { 00647 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00648 memcpy( p + 1, *cur, *p ); 00649 p += 1 + *p; 00650 } 00651 00652 *olen = p - buf; 00653 00654 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00655 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00656 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00657 00658 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00659 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00660 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00661 } 00662 #endif /* MBEDTLS_SSL_ALPN */ 00663 00664 /* 00665 * Generate random bytes for ClientHello 00666 */ 00667 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 00668 { 00669 int ret; 00670 unsigned char *p = ssl->handshake->randbytes; 00671 #if defined(MBEDTLS_HAVE_TIME) 00672 mbedtls_time_t t; 00673 #endif 00674 00675 /* 00676 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 00677 */ 00678 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00679 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00680 ssl->handshake->verify_cookie != NULL ) 00681 { 00682 return( 0 ); 00683 } 00684 #endif 00685 00686 #if defined(MBEDTLS_HAVE_TIME) 00687 t = mbedtls_time( NULL ); 00688 *p++ = (unsigned char)( t >> 24 ); 00689 *p++ = (unsigned char)( t >> 16 ); 00690 *p++ = (unsigned char)( t >> 8 ); 00691 *p++ = (unsigned char)( t ); 00692 00693 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00694 #else 00695 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 00696 return( ret ); 00697 00698 p += 4; 00699 #endif /* MBEDTLS_HAVE_TIME */ 00700 00701 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 00702 return( ret ); 00703 00704 return( 0 ); 00705 } 00706 00707 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 00708 { 00709 int ret; 00710 size_t i, n, olen, ext_len = 0; 00711 unsigned char *buf; 00712 unsigned char *p, *q; 00713 unsigned char offer_compress; 00714 const int *ciphersuites; 00715 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00716 00717 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00718 00719 if( ssl->conf->f_rng == NULL ) 00720 { 00721 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00722 return( MBEDTLS_ERR_SSL_NO_RNG ); 00723 } 00724 00725 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00726 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00727 #endif 00728 { 00729 ssl->major_ver = ssl->conf->min_major_ver; 00730 ssl->minor_ver = ssl->conf->min_minor_ver; 00731 } 00732 00733 if( ssl->conf->max_major_ver == 0 ) 00734 { 00735 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 00736 "consider using mbedtls_ssl_config_defaults()" ) ); 00737 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00738 } 00739 00740 /* 00741 * 0 . 0 handshake type 00742 * 1 . 3 handshake length 00743 * 4 . 5 highest version supported 00744 * 6 . 9 current UNIX time 00745 * 10 . 37 random bytes 00746 */ 00747 buf = ssl->out_msg; 00748 p = buf + 4; 00749 00750 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 00751 ssl->conf->transport, p ); 00752 p += 2; 00753 00754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00755 buf[4], buf[5] ) ); 00756 00757 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 00758 { 00759 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 00760 return( ret ); 00761 } 00762 00763 memcpy( p, ssl->handshake->randbytes, 32 ); 00764 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 00765 p += 32; 00766 00767 /* 00768 * 38 . 38 session id length 00769 * 39 . 39+n session id 00770 * 39+n . 39+n DTLS only: cookie length (1 byte) 00771 * 40+n . .. DTSL only: cookie 00772 * .. . .. ciphersuitelist length (2 bytes) 00773 * .. . .. ciphersuitelist 00774 * .. . .. compression methods length (1 byte) 00775 * .. . .. compression methods 00776 * .. . .. extensions length (2 bytes) 00777 * .. . .. extensions 00778 */ 00779 n = ssl->session_negotiate->id_len; 00780 00781 if( n < 16 || n > 32 || 00782 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00783 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 00784 #endif 00785 ssl->handshake->resume == 0 ) 00786 { 00787 n = 0; 00788 } 00789 00790 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00791 /* 00792 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00793 * generate and include a Session ID in the TLS ClientHello." 00794 */ 00795 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00796 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00797 #endif 00798 { 00799 if( ssl->session_negotiate->ticket != NULL && 00800 ssl->session_negotiate->ticket_len != 0 ) 00801 { 00802 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 00803 00804 if( ret != 0 ) 00805 return( ret ); 00806 00807 ssl->session_negotiate->id_len = n = 32; 00808 } 00809 } 00810 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00811 00812 *p++ = (unsigned char) n; 00813 00814 for( i = 0; i < n; i++ ) 00815 *p++ = ssl->session_negotiate->id[i]; 00816 00817 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00818 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00819 00820 /* 00821 * DTLS cookie 00822 */ 00823 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00824 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00825 { 00826 if( ssl->handshake->verify_cookie == NULL ) 00827 { 00828 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 00829 *p++ = 0; 00830 } 00831 else 00832 { 00833 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 00834 ssl->handshake->verify_cookie, 00835 ssl->handshake->verify_cookie_len ); 00836 00837 *p++ = ssl->handshake->verify_cookie_len; 00838 memcpy( p, ssl->handshake->verify_cookie, 00839 ssl->handshake->verify_cookie_len ); 00840 p += ssl->handshake->verify_cookie_len; 00841 } 00842 } 00843 #endif 00844 00845 /* 00846 * Ciphersuite list 00847 */ 00848 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 00849 00850 /* Skip writing ciphersuite length for now */ 00851 n = 0; 00852 q = p; 00853 p += 2; 00854 00855 for( i = 0; ciphersuites[i] != 0; i++ ) 00856 { 00857 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 00858 00859 if( ciphersuite_info == NULL ) 00860 continue; 00861 00862 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver || 00863 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver ) 00864 continue; 00865 00866 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00867 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00868 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00869 continue; 00870 #endif 00871 00872 #if defined(MBEDTLS_ARC4_C) 00873 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00874 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00875 continue; 00876 #endif 00877 00878 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00879 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00880 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00881 continue; 00882 #endif 00883 00884 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 00885 ciphersuites[i] ) ); 00886 00887 n++; 00888 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00889 *p++ = (unsigned char)( ciphersuites[i] ); 00890 } 00891 00892 /* 00893 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00894 */ 00895 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00896 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00897 #endif 00898 { 00899 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00900 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 00901 n++; 00902 } 00903 00904 /* Some versions of OpenSSL don't handle it correctly if not at end */ 00905 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 00906 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 00907 { 00908 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 00909 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 00910 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 00911 n++; 00912 } 00913 #endif 00914 00915 *q++ = (unsigned char)( n >> 7 ); 00916 *q++ = (unsigned char)( n << 1 ); 00917 00918 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); 00919 00920 #if defined(MBEDTLS_ZLIB_SUPPORT) 00921 offer_compress = 1; 00922 #else 00923 offer_compress = 0; 00924 #endif 00925 00926 /* 00927 * We don't support compression with DTLS right now: is many records come 00928 * in the same datagram, uncompressing one could overwrite the next one. 00929 * We don't want to add complexity for handling that case unless there is 00930 * an actual need for it. 00931 */ 00932 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00933 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00934 offer_compress = 0; 00935 #endif 00936 00937 if( offer_compress ) 00938 { 00939 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00940 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00941 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 00942 00943 *p++ = 2; 00944 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 00945 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00946 } 00947 else 00948 { 00949 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00950 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 00951 MBEDTLS_SSL_COMPRESS_NULL ) ); 00952 00953 *p++ = 1; 00954 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00955 } 00956 00957 // First write extensions, then the total length 00958 // 00959 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00960 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 00961 ext_len += olen; 00962 #endif 00963 00964 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00965 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 00966 ext_len += olen; 00967 #endif 00968 00969 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00970 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00971 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 00972 ext_len += olen; 00973 #endif 00974 00975 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00976 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00977 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 00978 ext_len += olen; 00979 00980 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 00981 ext_len += olen; 00982 #endif 00983 00984 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00985 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 00986 ext_len += olen; 00987 #endif 00988 00989 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00990 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 00991 ext_len += olen; 00992 #endif 00993 00994 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00995 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 00996 ext_len += olen; 00997 #endif 00998 00999 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01000 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 01001 ext_len += olen; 01002 #endif 01003 01004 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01005 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 01006 ext_len += olen; 01007 #endif 01008 01009 #if defined(MBEDTLS_SSL_ALPN) 01010 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01011 ext_len += olen; 01012 #endif 01013 01014 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01015 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01016 ext_len += olen; 01017 #endif 01018 01019 /* olen unused if all extensions are disabled */ 01020 ((void) olen); 01021 01022 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 01023 ext_len ) ); 01024 01025 if( ext_len > 0 ) 01026 { 01027 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01028 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01029 p += ext_len; 01030 } 01031 01032 ssl->out_msglen = p - buf; 01033 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 01034 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 01035 01036 ssl->state++; 01037 01038 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01039 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01040 mbedtls_ssl_send_flight_completed( ssl ); 01041 #endif 01042 01043 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 01044 { 01045 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 01046 return( ret ); 01047 } 01048 01049 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 01050 01051 return( 0 ); 01052 } 01053 01054 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 01055 const unsigned char *buf, 01056 size_t len ) 01057 { 01058 int ret; 01059 01060 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01061 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01062 { 01063 /* Check verify-data in constant-time. The length OTOH is no secret */ 01064 if( len != 1 + ssl->verify_data_len * 2 || 01065 buf[0] != ssl->verify_data_len * 2 || 01066 mbedtls_ssl_safer_memcmp( buf + 1, 01067 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 01068 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 01069 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 01070 { 01071 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 01072 01073 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01074 return( ret ); 01075 01076 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01077 } 01078 } 01079 else 01080 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01081 { 01082 if( len != 1 || buf[0] != 0x00 ) 01083 { 01084 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 01085 01086 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01087 return( ret ); 01088 01089 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01090 } 01091 01092 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01093 } 01094 01095 return( 0 ); 01096 } 01097 01098 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01099 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 01100 const unsigned char *buf, 01101 size_t len ) 01102 { 01103 /* 01104 * server should use the extension only if we did, 01105 * and if so the server's value should match ours (and len is always 1) 01106 */ 01107 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 01108 len != 1 || 01109 buf[0] != ssl->conf->mfl_code ) 01110 { 01111 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01112 } 01113 01114 return( 0 ); 01115 } 01116 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01117 01118 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01119 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01120 const unsigned char *buf, 01121 size_t len ) 01122 { 01123 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 01124 len != 0 ) 01125 { 01126 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01127 } 01128 01129 ((void) buf); 01130 01131 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 01132 01133 return( 0 ); 01134 } 01135 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01136 01137 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01138 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01139 const unsigned char *buf, 01140 size_t len ) 01141 { 01142 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 01143 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01144 len != 0 ) 01145 { 01146 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01147 } 01148 01149 ((void) buf); 01150 01151 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 01152 01153 return( 0 ); 01154 } 01155 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01156 01157 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01158 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 01159 const unsigned char *buf, 01160 size_t len ) 01161 { 01162 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01163 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01164 len != 0 ) 01165 { 01166 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01167 } 01168 01169 ((void) buf); 01170 01171 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 01172 01173 return( 0 ); 01174 } 01175 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01176 01177 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01178 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 01179 const unsigned char *buf, 01180 size_t len ) 01181 { 01182 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 01183 len != 0 ) 01184 { 01185 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01186 } 01187 01188 ((void) buf); 01189 01190 ssl->handshake->new_session_ticket = 1; 01191 01192 return( 0 ); 01193 } 01194 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01195 01196 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01197 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01198 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 01199 const unsigned char *buf, 01200 size_t len ) 01201 { 01202 size_t list_size; 01203 const unsigned char *p; 01204 01205 list_size = buf[0]; 01206 if( list_size + 1 != len ) 01207 { 01208 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01209 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01210 } 01211 01212 p = buf + 1; 01213 while( list_size > 0 ) 01214 { 01215 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 01216 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 01217 { 01218 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 01219 ssl->handshake->ecdh_ctx.point_format = p[0]; 01220 #endif 01221 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01222 ssl->handshake->ecjpake_ctx.point_format = p[0]; 01223 #endif 01224 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 01225 return( 0 ); 01226 } 01227 01228 list_size--; 01229 p++; 01230 } 01231 01232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 01233 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01234 } 01235 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01236 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01237 01238 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01239 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 01240 const unsigned char *buf, 01241 size_t len ) 01242 { 01243 int ret; 01244 01245 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 01246 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 01247 { 01248 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 01249 return( 0 ); 01250 } 01251 01252 /* If we got here, we no longer need our cached extension */ 01253 mbedtls_free( ssl->handshake->ecjpake_cache ); 01254 ssl->handshake->ecjpake_cache = NULL; 01255 ssl->handshake->ecjpake_cache_len = 0; 01256 01257 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 01258 buf, len ) ) != 0 ) 01259 { 01260 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 01261 return( ret ); 01262 } 01263 01264 return( 0 ); 01265 } 01266 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01267 01268 #if defined(MBEDTLS_SSL_ALPN) 01269 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 01270 const unsigned char *buf, size_t len ) 01271 { 01272 size_t list_len, name_len; 01273 const char **p; 01274 01275 /* If we didn't send it, the server shouldn't send it */ 01276 if( ssl->conf->alpn_list == NULL ) 01277 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01278 01279 /* 01280 * opaque ProtocolName<1..2^8-1>; 01281 * 01282 * struct { 01283 * ProtocolName protocol_name_list<2..2^16-1> 01284 * } ProtocolNameList; 01285 * 01286 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 01287 */ 01288 01289 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 01290 if( len < 4 ) 01291 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01292 01293 list_len = ( buf[0] << 8 ) | buf[1]; 01294 if( list_len != len - 2 ) 01295 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01296 01297 name_len = buf[2]; 01298 if( name_len != list_len - 1 ) 01299 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01300 01301 /* Check that the server chosen protocol was in our list and save it */ 01302 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 01303 { 01304 if( name_len == strlen( *p ) && 01305 memcmp( buf + 3, *p, name_len ) == 0 ) 01306 { 01307 ssl->alpn_chosen = *p; 01308 return( 0 ); 01309 } 01310 } 01311 01312 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01313 } 01314 #endif /* MBEDTLS_SSL_ALPN */ 01315 01316 /* 01317 * Parse HelloVerifyRequest. Only called after verifying the HS type. 01318 */ 01319 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01320 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 01321 { 01322 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 01323 int major_ver, minor_ver; 01324 unsigned char cookie_len; 01325 01326 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 01327 01328 /* 01329 * struct { 01330 * ProtocolVersion server_version; 01331 * opaque cookie<0..2^8-1>; 01332 * } HelloVerifyRequest; 01333 */ 01334 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 01335 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 01336 p += 2; 01337 01338 /* 01339 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 01340 * even is lower than our min version. 01341 */ 01342 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 01343 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 01344 major_ver > ssl->conf->max_major_ver || 01345 minor_ver > ssl->conf->max_minor_ver ) 01346 { 01347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 01348 01349 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01350 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01351 01352 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01353 } 01354 01355 cookie_len = *p++; 01356 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 01357 01358 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) 01359 { 01360 MBEDTLS_SSL_DEBUG_MSG( 1, 01361 ( "cookie length does not match incoming message size" ) ); 01362 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01363 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01364 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01365 } 01366 01367 mbedtls_free( ssl->handshake->verify_cookie ); 01368 01369 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 01370 if( ssl->handshake->verify_cookie == NULL ) 01371 { 01372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 01373 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 01374 } 01375 01376 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 01377 ssl->handshake->verify_cookie_len = cookie_len; 01378 01379 /* Start over at ClientHello */ 01380 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 01381 mbedtls_ssl_reset_checksum( ssl ); 01382 01383 mbedtls_ssl_recv_flight_completed( ssl ); 01384 01385 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 01386 01387 return( 0 ); 01388 } 01389 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01390 01391 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 01392 { 01393 int ret, i; 01394 size_t n; 01395 size_t ext_len; 01396 unsigned char *buf, *ext; 01397 unsigned char comp; 01398 #if defined(MBEDTLS_ZLIB_SUPPORT) 01399 int accept_comp; 01400 #endif 01401 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01402 int renegotiation_info_seen = 0; 01403 #endif 01404 int handshake_failure = 0; 01405 const mbedtls_ssl_ciphersuite_t *suite_info; 01406 #if defined(MBEDTLS_DEBUG_C) 01407 uint32_t t; 01408 #endif 01409 01410 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01411 01412 buf = ssl->in_msg; 01413 01414 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 01415 { 01416 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 01417 return( ret ); 01418 } 01419 01420 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 01421 { 01422 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01423 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01424 { 01425 ssl->renego_records_seen++; 01426 01427 if( ssl->conf->renego_max_records >= 0 && 01428 ssl->renego_records_seen > ssl->conf->renego_max_records ) 01429 { 01430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01431 "but not honored by server" ) ); 01432 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01433 } 01434 01435 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01436 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01437 } 01438 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01439 01440 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01441 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01442 } 01443 01444 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01445 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01446 { 01447 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 01448 { 01449 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 01450 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01451 return( ssl_parse_hello_verify_request( ssl ) ); 01452 } 01453 else 01454 { 01455 /* We made it through the verification process */ 01456 mbedtls_free( ssl->handshake->verify_cookie ); 01457 ssl->handshake->verify_cookie = NULL; 01458 ssl->handshake->verify_cookie_len = 0; 01459 } 01460 } 01461 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01462 01463 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 01464 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 01465 { 01466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01467 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01468 } 01469 01470 /* 01471 * 0 . 1 server_version 01472 * 2 . 33 random (maybe including 4 bytes of Unix time) 01473 * 34 . 34 session_id length = n 01474 * 35 . 34+n session_id 01475 * 35+n . 36+n cipher_suite 01476 * 37+n . 37+n compression_method 01477 * 01478 * 38+n . 39+n extensions length (optional) 01479 * 40+n . .. extensions 01480 */ 01481 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01482 01483 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 01484 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01485 ssl->conf->transport, buf + 0 ); 01486 01487 if( ssl->major_ver < ssl->conf->min_major_ver || 01488 ssl->minor_ver < ssl->conf->min_minor_ver || 01489 ssl->major_ver > ssl->conf->max_major_ver || 01490 ssl->minor_ver > ssl->conf->max_minor_ver ) 01491 { 01492 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 01493 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 01494 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 01495 ssl->major_ver, ssl->minor_ver, 01496 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 01497 01498 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01499 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01500 01501 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01502 } 01503 01504 #if defined(MBEDTLS_DEBUG_C) 01505 t = ( (uint32_t) buf[2] << 24 ) 01506 | ( (uint32_t) buf[3] << 16 ) 01507 | ( (uint32_t) buf[4] << 8 ) 01508 | ( (uint32_t) buf[5] ); 01509 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 01510 #endif 01511 01512 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 01513 01514 n = buf[34]; 01515 01516 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 01517 01518 if( n > 32 ) 01519 { 01520 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01521 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01522 } 01523 01524 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 01525 { 01526 ext_len = ( ( buf[38 + n] << 8 ) 01527 | ( buf[39 + n] ) ); 01528 01529 if( ( ext_len > 0 && ext_len < 4 ) || 01530 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 01531 { 01532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01533 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01534 } 01535 } 01536 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 01537 { 01538 ext_len = 0; 01539 } 01540 else 01541 { 01542 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01543 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01544 } 01545 01546 /* ciphersuite (used later) */ 01547 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 01548 01549 /* 01550 * Read and check compression 01551 */ 01552 comp = buf[37 + n]; 01553 01554 #if defined(MBEDTLS_ZLIB_SUPPORT) 01555 /* See comments in ssl_write_client_hello() */ 01556 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01557 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01558 accept_comp = 0; 01559 else 01560 #endif 01561 accept_comp = 1; 01562 01563 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 01564 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 01565 #else /* MBEDTLS_ZLIB_SUPPORT */ 01566 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 01567 #endif/* MBEDTLS_ZLIB_SUPPORT */ 01568 { 01569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 01570 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01571 } 01572 01573 /* 01574 * Initialize update checksum functions 01575 */ 01576 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 01577 01578 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 01579 { 01580 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01581 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01582 } 01583 01584 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01585 01586 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01587 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 01588 01589 /* 01590 * Check if the session can be resumed 01591 */ 01592 if( ssl->handshake->resume == 0 || n == 0 || 01593 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01594 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 01595 #endif 01596 ssl->session_negotiate->ciphersuite != i || 01597 ssl->session_negotiate->compression != comp || 01598 ssl->session_negotiate->id_len != n || 01599 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 01600 { 01601 ssl->state++; 01602 ssl->handshake->resume = 0; 01603 #if defined(MBEDTLS_HAVE_TIME) 01604 ssl->session_negotiate->start = mbedtls_time( NULL ); 01605 #endif 01606 ssl->session_negotiate->ciphersuite = i; 01607 ssl->session_negotiate->compression = comp; 01608 ssl->session_negotiate->id_len = n; 01609 memcpy( ssl->session_negotiate->id, buf + 35, n ); 01610 } 01611 else 01612 { 01613 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 01614 01615 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 01616 { 01617 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 01618 return( ret ); 01619 } 01620 } 01621 01622 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01623 ssl->handshake->resume ? "a" : "no" ) ); 01624 01625 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 01626 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 01627 01628 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01629 if( suite_info == NULL 01630 #if defined(MBEDTLS_ARC4_C) 01631 || ( ssl->conf->arc4_disabled && 01632 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 01633 #endif 01634 ) 01635 { 01636 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01637 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01638 } 01639 01640 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 01641 01642 i = 0; 01643 while( 1 ) 01644 { 01645 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01646 { 01647 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01648 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01649 } 01650 01651 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 01652 ssl->session_negotiate->ciphersuite ) 01653 { 01654 break; 01655 } 01656 } 01657 01658 if( comp != MBEDTLS_SSL_COMPRESS_NULL 01659 #if defined(MBEDTLS_ZLIB_SUPPORT) 01660 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 01661 #endif 01662 ) 01663 { 01664 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01665 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01666 } 01667 ssl->session_negotiate->compression = comp; 01668 01669 ext = buf + 40 + n; 01670 01671 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01672 01673 while( ext_len ) 01674 { 01675 unsigned int ext_id = ( ( ext[0] << 8 ) 01676 | ( ext[1] ) ); 01677 unsigned int ext_size = ( ( ext[2] << 8 ) 01678 | ( ext[3] ) ); 01679 01680 if( ext_size + 4 > ext_len ) 01681 { 01682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01683 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01684 } 01685 01686 switch( ext_id ) 01687 { 01688 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01689 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01690 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01691 renegotiation_info_seen = 1; 01692 #endif 01693 01694 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01695 ext_size ) ) != 0 ) 01696 return( ret ); 01697 01698 break; 01699 01700 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01701 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01702 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01703 01704 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01705 ext + 4, ext_size ) ) != 0 ) 01706 { 01707 return( ret ); 01708 } 01709 01710 break; 01711 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01712 01713 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01714 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01715 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01716 01717 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01718 ext + 4, ext_size ) ) != 0 ) 01719 { 01720 return( ret ); 01721 } 01722 01723 break; 01724 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01725 01726 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01727 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01728 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 01729 01730 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 01731 ext + 4, ext_size ) ) != 0 ) 01732 { 01733 return( ret ); 01734 } 01735 01736 break; 01737 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01738 01739 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01740 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01741 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 01742 01743 if( ( ret = ssl_parse_extended_ms_ext( ssl, 01744 ext + 4, ext_size ) ) != 0 ) 01745 { 01746 return( ret ); 01747 } 01748 01749 break; 01750 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01751 01752 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01753 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01755 01756 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01757 ext + 4, ext_size ) ) != 0 ) 01758 { 01759 return( ret ); 01760 } 01761 01762 break; 01763 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01764 01765 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01766 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01767 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01769 01770 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01771 ext + 4, ext_size ) ) != 0 ) 01772 { 01773 return( ret ); 01774 } 01775 01776 break; 01777 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01778 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01779 01780 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01781 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01782 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 01783 01784 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 01785 ext + 4, ext_size ) ) != 0 ) 01786 { 01787 return( ret ); 01788 } 01789 01790 break; 01791 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01792 01793 #if defined(MBEDTLS_SSL_ALPN) 01794 case MBEDTLS_TLS_EXT_ALPN: 01795 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01796 01797 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01798 return( ret ); 01799 01800 break; 01801 #endif /* MBEDTLS_SSL_ALPN */ 01802 01803 default: 01804 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01805 ext_id ) ); 01806 } 01807 01808 ext_len -= 4 + ext_size; 01809 ext += 4 + ext_size; 01810 01811 if( ext_len > 0 && ext_len < 4 ) 01812 { 01813 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01814 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01815 } 01816 } 01817 01818 /* 01819 * Renegotiation security checks 01820 */ 01821 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01822 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01823 { 01824 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01825 handshake_failure = 1; 01826 } 01827 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01828 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01829 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01830 renegotiation_info_seen == 0 ) 01831 { 01832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01833 handshake_failure = 1; 01834 } 01835 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01836 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01837 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01838 { 01839 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01840 handshake_failure = 1; 01841 } 01842 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01843 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01844 renegotiation_info_seen == 1 ) 01845 { 01846 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01847 handshake_failure = 1; 01848 } 01849 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01850 01851 if( handshake_failure == 1 ) 01852 { 01853 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01854 return( ret ); 01855 01856 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01857 } 01858 01859 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01860 01861 return( 0 ); 01862 } 01863 01864 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01865 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01866 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 01867 unsigned char *end ) 01868 { 01869 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01870 01871 /* 01872 * Ephemeral DH parameters: 01873 * 01874 * struct { 01875 * opaque dh_p<1..2^16-1>; 01876 * opaque dh_g<1..2^16-1>; 01877 * opaque dh_Ys<1..2^16-1>; 01878 * } ServerDHParams; 01879 */ 01880 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01881 { 01882 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 01883 return( ret ); 01884 } 01885 01886 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 01887 { 01888 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 01889 ssl->handshake->dhm_ctx.len * 8, 01890 ssl->conf->dhm_min_bitlen ) ); 01891 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01892 } 01893 01894 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 01895 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 01896 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 01897 01898 return( ret ); 01899 } 01900 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 01901 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01902 01903 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01904 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01905 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01906 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01907 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01908 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 01909 { 01910 const mbedtls_ecp_curve_info *curve_info; 01911 01912 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 01913 if( curve_info == NULL ) 01914 { 01915 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01916 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01917 } 01918 01919 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 01920 01921 #if defined(MBEDTLS_ECP_C) 01922 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 01923 #else 01924 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 01925 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 01926 #endif 01927 return( -1 ); 01928 01929 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 01930 01931 return( 0 ); 01932 } 01933 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01934 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01935 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 01936 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 01937 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 01938 01939 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01940 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01941 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01942 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 01943 unsigned char **p, 01944 unsigned char *end ) 01945 { 01946 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01947 01948 /* 01949 * Ephemeral ECDH parameters: 01950 * 01951 * struct { 01952 * ECParameters curve_params; 01953 * ECPoint public; 01954 * } ServerECDHParams; 01955 */ 01956 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 01957 (const unsigned char **) p, end ) ) != 0 ) 01958 { 01959 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 01960 return( ret ); 01961 } 01962 01963 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 01964 { 01965 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 01966 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01967 } 01968 01969 return( ret ); 01970 } 01971 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01972 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01973 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01974 01975 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 01976 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 01977 unsigned char **p, 01978 unsigned char *end ) 01979 { 01980 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01981 size_t len; 01982 ((void) ssl); 01983 01984 /* 01985 * PSK parameters: 01986 * 01987 * opaque psk_identity_hint<0..2^16-1>; 01988 */ 01989 len = (*p)[0] << 8 | (*p)[1]; 01990 *p += 2; 01991 01992 if( (*p) + len > end ) 01993 { 01994 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) ); 01995 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01996 } 01997 01998 /* 01999 * Note: we currently ignore the PKS identity hint, as we only allow one 02000 * PSK to be provisionned on the client. This could be changed later if 02001 * someone needs that feature. 02002 */ 02003 *p += len; 02004 ret = 0; 02005 02006 return( ret ); 02007 } 02008 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02009 02010 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 02011 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02012 /* 02013 * Generate a pre-master secret and encrypt it with the server's RSA key 02014 */ 02015 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 02016 size_t offset, size_t *olen, 02017 size_t pms_offset ) 02018 { 02019 int ret; 02020 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 02021 unsigned char *p = ssl->handshake->premaster + pms_offset; 02022 02023 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02024 { 02025 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 02026 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02027 } 02028 02029 /* 02030 * Generate (part of) the pre-master as 02031 * struct { 02032 * ProtocolVersion client_version; 02033 * opaque random[46]; 02034 * } PreMasterSecret; 02035 */ 02036 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 02037 ssl->conf->transport, p ); 02038 02039 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 02040 { 02041 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 02042 return( ret ); 02043 } 02044 02045 ssl->handshake->pmslen = 48; 02046 02047 if( ssl->session_negotiate->peer_cert == NULL ) 02048 { 02049 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02050 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02051 } 02052 02053 /* 02054 * Now write it out, encrypted 02055 */ 02056 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02057 MBEDTLS_PK_RSA ) ) 02058 { 02059 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 02060 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02061 } 02062 02063 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 02064 p, ssl->handshake->pmslen, 02065 ssl->out_msg + offset + len_bytes, olen, 02066 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, 02067 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02068 { 02069 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 02070 return( ret ); 02071 } 02072 02073 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02074 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02075 if( len_bytes == 2 ) 02076 { 02077 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 02078 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 02079 *olen += 2; 02080 } 02081 #endif 02082 02083 return( 0 ); 02084 } 02085 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 02086 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02087 02088 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02089 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02090 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02091 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02092 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 02093 unsigned char **p, 02094 unsigned char *end, 02095 mbedtls_md_type_t *md_alg, 02096 mbedtls_pk_type_t *pk_alg ) 02097 { 02098 ((void) ssl); 02099 *md_alg = MBEDTLS_MD_NONE; 02100 *pk_alg = MBEDTLS_PK_NONE; 02101 02102 /* Only in TLS 1.2 */ 02103 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 02104 { 02105 return( 0 ); 02106 } 02107 02108 if( (*p) + 2 > end ) 02109 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02110 02111 /* 02112 * Get hash algorithm 02113 */ 02114 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 02115 { 02116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " 02117 "HashAlgorithm %d", *(p)[0] ) ); 02118 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02119 } 02120 02121 /* 02122 * Get signature algorithm 02123 */ 02124 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 02125 { 02126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " 02127 "SignatureAlgorithm %d", (*p)[1] ) ); 02128 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02129 } 02130 02131 /* 02132 * Check if the hash is acceptable 02133 */ 02134 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 02135 { 02136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm " 02137 "that was not offered" ) ); 02138 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02139 } 02140 02141 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 02142 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 02143 *p += 2; 02144 02145 return( 0 ); 02146 } 02147 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02148 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02149 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02150 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02151 02152 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02153 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02154 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02155 { 02156 int ret; 02157 const mbedtls_ecp_keypair *peer_key; 02158 02159 if( ssl->session_negotiate->peer_cert == NULL ) 02160 { 02161 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02162 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02163 } 02164 02165 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02166 MBEDTLS_PK_ECKEY ) ) 02167 { 02168 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02169 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02170 } 02171 02172 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 02173 02174 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 02175 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 02176 { 02177 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02178 return( ret ); 02179 } 02180 02181 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02182 { 02183 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 02184 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 02185 } 02186 02187 return( ret ); 02188 } 02189 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02190 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02191 02192 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 02193 { 02194 int ret; 02195 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02196 unsigned char *p, *end; 02197 02198 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 02199 02200 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02201 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02202 { 02203 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02204 ssl->state++; 02205 return( 0 ); 02206 } 02207 ((void) p); 02208 ((void) end); 02209 #endif 02210 02211 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02212 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02213 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02214 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02215 { 02216 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 02217 { 02218 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 02219 return( ret ); 02220 } 02221 02222 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02223 ssl->state++; 02224 return( 0 ); 02225 } 02226 ((void) p); 02227 ((void) end); 02228 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02229 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02230 02231 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02232 { 02233 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02234 return( ret ); 02235 } 02236 02237 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02238 { 02239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02240 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02241 } 02242 02243 /* 02244 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 02245 * doesn't use a psk_identity_hint 02246 */ 02247 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 02248 { 02249 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02250 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02251 { 02252 ssl->record_read = 1; 02253 goto exit; 02254 } 02255 02256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02257 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02258 } 02259 02260 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02261 end = ssl->in_msg + ssl->in_hslen; 02262 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 02263 02264 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02265 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02266 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02267 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02268 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02269 { 02270 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 02271 { 02272 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02273 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02274 } 02275 } /* FALLTROUGH */ 02276 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02277 02278 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02279 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02280 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02281 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02282 ; /* nothing more to do */ 02283 else 02284 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 02285 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02286 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02287 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02288 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02289 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02290 { 02291 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 02292 { 02293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02294 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02295 } 02296 } 02297 else 02298 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02299 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02300 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02301 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02302 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02303 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02304 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02305 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02306 { 02307 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 02308 { 02309 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02310 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02311 } 02312 } 02313 else 02314 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02315 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02316 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02317 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02318 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02319 { 02320 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 02321 p, end - p ); 02322 if( ret != 0 ) 02323 { 02324 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 02325 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02326 } 02327 } 02328 else 02329 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02330 { 02331 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02332 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02333 } 02334 02335 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02336 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02337 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02338 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02339 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02340 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02341 { 02342 size_t sig_len, hashlen; 02343 unsigned char hash[64]; 02344 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02345 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 02346 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02347 size_t params_len = p - params; 02348 02349 /* 02350 * Handle the digitally-signed structure 02351 */ 02352 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02353 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02354 { 02355 if( ssl_parse_signature_algorithm( ssl, &p, end, 02356 &md_alg, &pk_alg ) != 0 ) 02357 { 02358 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02359 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02360 } 02361 02362 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 02363 { 02364 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02365 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02366 } 02367 } 02368 else 02369 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02370 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02371 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02372 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 02373 { 02374 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 02375 02376 /* Default hash for ECDSA is SHA-1 */ 02377 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 02378 md_alg = MBEDTLS_MD_SHA1; 02379 } 02380 else 02381 #endif 02382 { 02383 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02384 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02385 } 02386 02387 /* 02388 * Read signature 02389 */ 02390 sig_len = ( p[0] << 8 ) | p[1]; 02391 p += 2; 02392 02393 if( end != p + sig_len ) 02394 { 02395 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02396 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02397 } 02398 02399 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 02400 02401 /* 02402 * Compute the hash that has been signed 02403 */ 02404 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02405 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02406 if( md_alg == MBEDTLS_MD_NONE ) 02407 { 02408 mbedtls_md5_context mbedtls_md5; 02409 mbedtls_sha1_context mbedtls_sha1; 02410 02411 mbedtls_md5_init( &mbedtls_md5 ); 02412 mbedtls_sha1_init( &mbedtls_sha1 ); 02413 02414 hashlen = 36; 02415 02416 /* 02417 * digitally-signed struct { 02418 * opaque md5_hash[16]; 02419 * opaque sha_hash[20]; 02420 * }; 02421 * 02422 * md5_hash 02423 * MD5(ClientHello.random + ServerHello.random 02424 * + ServerParams); 02425 * sha_hash 02426 * SHA(ClientHello.random + ServerHello.random 02427 * + ServerParams); 02428 */ 02429 mbedtls_md5_starts( &mbedtls_md5 ); 02430 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); 02431 mbedtls_md5_update( &mbedtls_md5, params, params_len ); 02432 mbedtls_md5_finish( &mbedtls_md5, hash ); 02433 02434 mbedtls_sha1_starts( &mbedtls_sha1 ); 02435 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); 02436 mbedtls_sha1_update( &mbedtls_sha1, params, params_len ); 02437 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); 02438 02439 mbedtls_md5_free( &mbedtls_md5 ); 02440 mbedtls_sha1_free( &mbedtls_sha1 ); 02441 } 02442 else 02443 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02444 MBEDTLS_SSL_PROTO_TLS1_1 */ 02445 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02446 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02447 if( md_alg != MBEDTLS_MD_NONE ) 02448 { 02449 mbedtls_md_context_t ctx; 02450 02451 mbedtls_md_init( &ctx ); 02452 02453 /* Info from md_alg will be used instead */ 02454 hashlen = 0; 02455 02456 /* 02457 * digitally-signed struct { 02458 * opaque client_random[32]; 02459 * opaque server_random[32]; 02460 * ServerDHParams params; 02461 * }; 02462 */ 02463 if( ( ret = mbedtls_md_setup( &ctx, 02464 mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 ) 02465 { 02466 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 02467 return( ret ); 02468 } 02469 02470 mbedtls_md_starts( &ctx ); 02471 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); 02472 mbedtls_md_update( &ctx, params, params_len ); 02473 mbedtls_md_finish( &ctx, hash ); 02474 mbedtls_md_free( &ctx ); 02475 } 02476 else 02477 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02478 MBEDTLS_SSL_PROTO_TLS1_2 */ 02479 { 02480 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02481 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02482 } 02483 02484 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02485 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 02486 02487 if( ssl->session_negotiate->peer_cert == NULL ) 02488 { 02489 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02490 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02491 } 02492 02493 /* 02494 * Verify signature 02495 */ 02496 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 02497 { 02498 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02499 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02500 } 02501 02502 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 02503 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 02504 { 02505 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 02506 return( ret ); 02507 } 02508 } 02509 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02510 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02511 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02512 02513 exit: 02514 ssl->state++; 02515 02516 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02517 02518 return( 0 ); 02519 } 02520 02521 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02522 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02523 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 02524 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02525 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 02526 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02527 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02528 { 02529 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02530 02531 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02532 02533 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02534 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02535 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02536 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02537 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02538 { 02539 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02540 ssl->state++; 02541 return( 0 ); 02542 } 02543 02544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02545 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02546 } 02547 #else 02548 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02549 { 02550 int ret; 02551 unsigned char *buf; 02552 size_t n = 0; 02553 size_t cert_type_len = 0, dn_len = 0; 02554 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02555 02556 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02557 02558 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02559 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02560 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02561 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02562 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02563 { 02564 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02565 ssl->state++; 02566 return( 0 ); 02567 } 02568 02569 if( ssl->record_read == 0 ) 02570 { 02571 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02572 { 02573 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02574 return( ret ); 02575 } 02576 02577 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02578 { 02579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02580 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02581 } 02582 02583 ssl->record_read = 1; 02584 } 02585 02586 ssl->client_auth = 0; 02587 ssl->state++; 02588 02589 if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) 02590 ssl->client_auth++; 02591 02592 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 02593 ssl->client_auth ? "a" : "no" ) ); 02594 02595 if( ssl->client_auth == 0 ) 02596 goto exit; 02597 02598 ssl->record_read = 0; 02599 02600 /* 02601 * struct { 02602 * ClientCertificateType certificate_types<1..2^8-1>; 02603 * SignatureAndHashAlgorithm 02604 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 02605 * DistinguishedName certificate_authorities<0..2^16-1>; 02606 * } CertificateRequest; 02607 * 02608 * Since we only support a single certificate on clients, let's just 02609 * ignore all the information that's supposed to help us pick a 02610 * certificate. 02611 * 02612 * We could check that our certificate matches the request, and bail out 02613 * if it doesn't, but it's simpler to just send the certificate anyway, 02614 * and give the server the opportunity to decide if it should terminate 02615 * the connection when it doesn't like our certificate. 02616 * 02617 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 02618 * point we only have one hash available (see comments in 02619 * write_certificate_verify), so let's just use what we have. 02620 * 02621 * However, we still minimally parse the message to check it is at least 02622 * superficially sane. 02623 */ 02624 buf = ssl->in_msg; 02625 02626 /* certificate_types */ 02627 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 02628 n = cert_type_len; 02629 02630 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02631 { 02632 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02633 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02634 } 02635 02636 /* supported_signature_algorithms */ 02637 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02638 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02639 { 02640 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02641 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02642 #if defined(MBEDTLS_DEBUG_C) 02643 unsigned char* sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; 02644 size_t i; 02645 02646 for( i = 0; i < sig_alg_len; i += 2 ) 02647 { 02648 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d,%d", sig_alg[i], sig_alg[i + 1] ) ); 02649 } 02650 #endif 02651 02652 n += 2 + sig_alg_len; 02653 02654 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02655 { 02656 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02657 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02658 } 02659 } 02660 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02661 02662 /* certificate_authorities */ 02663 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02664 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02665 02666 n += dn_len; 02667 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 02668 { 02669 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02670 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02671 } 02672 02673 exit: 02674 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 02675 02676 return( 0 ); 02677 } 02678 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 02679 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 02680 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 02681 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02682 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 02683 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02684 02685 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 02686 { 02687 int ret; 02688 02689 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 02690 02691 if( ssl->record_read == 0 ) 02692 { 02693 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02694 { 02695 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02696 return( ret ); 02697 } 02698 02699 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02700 { 02701 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02702 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02703 } 02704 } 02705 ssl->record_read = 0; 02706 02707 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 02708 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 02709 { 02710 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02711 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02712 } 02713 02714 ssl->state++; 02715 02716 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02717 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02718 mbedtls_ssl_recv_flight_completed( ssl ); 02719 #endif 02720 02721 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02722 02723 return( 0 ); 02724 } 02725 02726 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 02727 { 02728 int ret; 02729 size_t i, n; 02730 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02731 02732 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02733 02734 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 02735 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 02736 { 02737 /* 02738 * DHM key exchange -- send G^X mod P 02739 */ 02740 n = ssl->handshake->dhm_ctx.len; 02741 02742 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02743 ssl->out_msg[5] = (unsigned char)( n ); 02744 i = 6; 02745 02746 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02747 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02748 &ssl->out_msg[i], n, 02749 ssl->conf->f_rng, ssl->conf->p_rng ); 02750 if( ret != 0 ) 02751 { 02752 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02753 return( ret ); 02754 } 02755 02756 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02757 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02758 02759 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 02760 ssl->handshake->premaster, 02761 MBEDTLS_PREMASTER_SIZE, 02762 &ssl->handshake->pmslen, 02763 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02764 { 02765 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 02766 return( ret ); 02767 } 02768 02769 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02770 } 02771 else 02772 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02773 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02774 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02775 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02776 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02777 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02778 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 02779 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02780 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02781 { 02782 /* 02783 * ECDH key exchange -- send client public value 02784 */ 02785 i = 4; 02786 02787 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 02788 &n, 02789 &ssl->out_msg[i], 1000, 02790 ssl->conf->f_rng, ssl->conf->p_rng ); 02791 if( ret != 0 ) 02792 { 02793 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02794 return( ret ); 02795 } 02796 02797 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02798 02799 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02800 &ssl->handshake->pmslen, 02801 ssl->handshake->premaster, 02802 MBEDTLS_MPI_MAX_SIZE, 02803 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02804 { 02805 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 02806 return( ret ); 02807 } 02808 02809 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02810 } 02811 else 02812 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02813 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02814 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02815 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02816 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02817 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02818 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02819 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02820 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02821 { 02822 /* 02823 * opaque psk_identity<0..2^16-1>; 02824 */ 02825 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 02826 { 02827 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 02828 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02829 } 02830 02831 i = 4; 02832 n = ssl->conf->psk_identity_len; 02833 02834 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02835 { 02836 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 02837 "SSL buffer too short" ) ); 02838 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02839 } 02840 02841 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02842 ssl->out_msg[i++] = (unsigned char)( n ); 02843 02844 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 02845 i += ssl->conf->psk_identity_len; 02846 02847 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 02848 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 02849 { 02850 n = 0; 02851 } 02852 else 02853 #endif 02854 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02855 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02856 { 02857 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02858 return( ret ); 02859 } 02860 else 02861 #endif 02862 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02863 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02864 { 02865 /* 02866 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02867 */ 02868 n = ssl->handshake->dhm_ctx.len; 02869 02870 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02871 { 02872 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 02873 " or SSL buffer too short" ) ); 02874 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02875 } 02876 02877 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02878 ssl->out_msg[i++] = (unsigned char)( n ); 02879 02880 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02881 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02882 &ssl->out_msg[i], n, 02883 ssl->conf->f_rng, ssl->conf->p_rng ); 02884 if( ret != 0 ) 02885 { 02886 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02887 return( ret ); 02888 } 02889 } 02890 else 02891 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02892 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02893 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02894 { 02895 /* 02896 * ClientECDiffieHellmanPublic public; 02897 */ 02898 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 02899 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, 02900 ssl->conf->f_rng, ssl->conf->p_rng ); 02901 if( ret != 0 ) 02902 { 02903 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02904 return( ret ); 02905 } 02906 02907 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02908 } 02909 else 02910 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02911 { 02912 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02913 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02914 } 02915 02916 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 02917 ciphersuite_info->key_exchange ) ) != 0 ) 02918 { 02919 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 02920 return( ret ); 02921 } 02922 } 02923 else 02924 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02925 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02926 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02927 { 02928 i = 4; 02929 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 02930 return( ret ); 02931 } 02932 else 02933 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02934 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02935 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02936 { 02937 i = 4; 02938 02939 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02940 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, 02941 ssl->conf->f_rng, ssl->conf->p_rng ); 02942 if( ret != 0 ) 02943 { 02944 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02945 return( ret ); 02946 } 02947 02948 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 02949 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 02950 ssl->conf->f_rng, ssl->conf->p_rng ); 02951 if( ret != 0 ) 02952 { 02953 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 02954 return( ret ); 02955 } 02956 } 02957 else 02958 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02959 { 02960 ((void) ciphersuite_info); 02961 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02962 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02963 } 02964 02965 ssl->out_msglen = i + n; 02966 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02967 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 02968 02969 ssl->state++; 02970 02971 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02972 { 02973 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02974 return( ret ); 02975 } 02976 02977 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 02978 02979 return( 0 ); 02980 } 02981 02982 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02983 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02984 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 02985 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02986 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 02987 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02988 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 02989 { 02990 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02991 int ret; 02992 02993 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 02994 02995 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 02996 { 02997 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 02998 return( ret ); 02999 } 03000 03001 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03002 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03003 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03004 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03005 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03006 { 03007 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03008 ssl->state++; 03009 return( 0 ); 03010 } 03011 03012 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03013 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03014 } 03015 #else 03016 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03017 { 03018 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03019 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03020 size_t n = 0, offset = 0; 03021 unsigned char hash[48]; 03022 unsigned char *hash_start = hash; 03023 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 03024 unsigned int hashlen; 03025 03026 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03027 03028 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03029 { 03030 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03031 return( ret ); 03032 } 03033 03034 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03035 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03036 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03037 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03038 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03039 { 03040 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03041 ssl->state++; 03042 return( 0 ); 03043 } 03044 03045 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 03046 { 03047 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03048 ssl->state++; 03049 return( 0 ); 03050 } 03051 03052 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03053 { 03054 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 03055 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03056 } 03057 03058 /* 03059 * Make an RSA signature of the handshake digests 03060 */ 03061 ssl->handshake->calc_verify( ssl, hash ); 03062 03063 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03064 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03065 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03066 { 03067 /* 03068 * digitally-signed struct { 03069 * opaque md5_hash[16]; 03070 * opaque sha_hash[20]; 03071 * }; 03072 * 03073 * md5_hash 03074 * MD5(handshake_messages); 03075 * 03076 * sha_hash 03077 * SHA(handshake_messages); 03078 */ 03079 hashlen = 36; 03080 md_alg = MBEDTLS_MD_NONE; 03081 03082 /* 03083 * For ECDSA, default hash is SHA-1 only 03084 */ 03085 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 03086 { 03087 hash_start += 16; 03088 hashlen -= 16; 03089 md_alg = MBEDTLS_MD_SHA1; 03090 } 03091 } 03092 else 03093 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03094 MBEDTLS_SSL_PROTO_TLS1_1 */ 03095 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03096 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03097 { 03098 /* 03099 * digitally-signed struct { 03100 * opaque handshake_messages[handshake_messages_length]; 03101 * }; 03102 * 03103 * Taking shortcut here. We assume that the server always allows the 03104 * PRF Hash function and has sent it in the allowed signature 03105 * algorithms list received in the Certificate Request message. 03106 * 03107 * Until we encounter a server that does not, we will take this 03108 * shortcut. 03109 * 03110 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 03111 * in order to satisfy 'weird' needs from the server side. 03112 */ 03113 if( ssl->transform_negotiate->ciphersuite_info->mac == 03114 MBEDTLS_MD_SHA384 ) 03115 { 03116 md_alg = MBEDTLS_MD_SHA384; 03117 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 03118 } 03119 else 03120 { 03121 md_alg = MBEDTLS_MD_SHA256; 03122 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 03123 } 03124 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 03125 03126 /* Info from md_alg will be used instead */ 03127 hashlen = 0; 03128 offset = 2; 03129 } 03130 else 03131 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03132 { 03133 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03134 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03135 } 03136 03137 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 03138 ssl->out_msg + 6 + offset, &n, 03139 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03140 { 03141 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03142 return( ret ); 03143 } 03144 03145 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 03146 ssl->out_msg[5 + offset] = (unsigned char)( n ); 03147 03148 ssl->out_msglen = 6 + n + offset; 03149 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03150 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 03151 03152 ssl->state++; 03153 03154 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03155 { 03156 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03157 return( ret ); 03158 } 03159 03160 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 03161 03162 return( ret ); 03163 } 03164 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03165 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03166 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 03167 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 03168 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 03169 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03170 03171 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03172 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 03173 { 03174 int ret; 03175 uint32_t lifetime; 03176 size_t ticket_len; 03177 unsigned char *ticket; 03178 const unsigned char *msg; 03179 03180 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 03181 03182 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03183 { 03184 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03185 return( ret ); 03186 } 03187 03188 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03189 { 03190 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03191 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03192 } 03193 03194 /* 03195 * struct { 03196 * uint32 ticket_lifetime_hint; 03197 * opaque ticket<0..2^16-1>; 03198 * } NewSessionTicket; 03199 * 03200 * 0 . 3 ticket_lifetime_hint 03201 * 4 . 5 ticket_len (n) 03202 * 6 . 5+n ticket content 03203 */ 03204 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 03205 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 03206 { 03207 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03208 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03209 } 03210 03211 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03212 03213 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | 03214 ( msg[2] << 8 ) | ( msg[3] ); 03215 03216 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 03217 03218 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 03219 { 03220 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03221 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03222 } 03223 03224 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 03225 03226 /* We're not waiting for a NewSessionTicket message any more */ 03227 ssl->handshake->new_session_ticket = 0; 03228 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 03229 03230 /* 03231 * Zero-length ticket means the server changed his mind and doesn't want 03232 * to send a ticket after all, so just forget it 03233 */ 03234 if( ticket_len == 0 ) 03235 return( 0 ); 03236 03237 mbedtls_zeroize( ssl->session_negotiate->ticket, 03238 ssl->session_negotiate->ticket_len ); 03239 mbedtls_free( ssl->session_negotiate->ticket ); 03240 ssl->session_negotiate->ticket = NULL; 03241 ssl->session_negotiate->ticket_len = 0; 03242 03243 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 03244 { 03245 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 03246 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03247 } 03248 03249 memcpy( ticket, msg + 6, ticket_len ); 03250 03251 ssl->session_negotiate->ticket = ticket; 03252 ssl->session_negotiate->ticket_len = ticket_len; 03253 ssl->session_negotiate->ticket_lifetime = lifetime; 03254 03255 /* 03256 * RFC 5077 section 3.4: 03257 * "If the client receives a session ticket from the server, then it 03258 * discards any Session ID that was sent in the ServerHello." 03259 */ 03260 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 03261 ssl->session_negotiate->id_len = 0; 03262 03263 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 03264 03265 return( 0 ); 03266 } 03267 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03268 03269 /* 03270 * SSL handshake -- client side -- single step 03271 */ 03272 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 03273 { 03274 int ret = 0; 03275 03276 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03277 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03278 03279 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 03280 03281 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03282 return( ret ); 03283 03284 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03285 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03286 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03287 { 03288 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03289 return( ret ); 03290 } 03291 #endif 03292 03293 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 03294 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 03295 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03296 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 03297 ssl->handshake->new_session_ticket != 0 ) 03298 { 03299 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 03300 } 03301 #endif 03302 03303 switch( ssl->state ) 03304 { 03305 case MBEDTLS_SSL_HELLO_REQUEST: 03306 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03307 break; 03308 03309 /* 03310 * ==> ClientHello 03311 */ 03312 case MBEDTLS_SSL_CLIENT_HELLO: 03313 ret = ssl_write_client_hello( ssl ); 03314 break; 03315 03316 /* 03317 * <== ServerHello 03318 * Certificate 03319 * ( ServerKeyExchange ) 03320 * ( CertificateRequest ) 03321 * ServerHelloDone 03322 */ 03323 case MBEDTLS_SSL_SERVER_HELLO: 03324 ret = ssl_parse_server_hello( ssl ); 03325 break; 03326 03327 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03328 ret = mbedtls_ssl_parse_certificate( ssl ); 03329 break; 03330 03331 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03332 ret = ssl_parse_server_key_exchange( ssl ); 03333 break; 03334 03335 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03336 ret = ssl_parse_certificate_request( ssl ); 03337 break; 03338 03339 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03340 ret = ssl_parse_server_hello_done( ssl ); 03341 break; 03342 03343 /* 03344 * ==> ( Certificate/Alert ) 03345 * ClientKeyExchange 03346 * ( CertificateVerify ) 03347 * ChangeCipherSpec 03348 * Finished 03349 */ 03350 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03351 ret = mbedtls_ssl_write_certificate( ssl ); 03352 break; 03353 03354 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03355 ret = ssl_write_client_key_exchange( ssl ); 03356 break; 03357 03358 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03359 ret = ssl_write_certificate_verify( ssl ); 03360 break; 03361 03362 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03363 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 03364 break; 03365 03366 case MBEDTLS_SSL_CLIENT_FINISHED: 03367 ret = mbedtls_ssl_write_finished( ssl ); 03368 break; 03369 03370 /* 03371 * <== ( NewSessionTicket ) 03372 * ChangeCipherSpec 03373 * Finished 03374 */ 03375 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03376 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 03377 ret = ssl_parse_new_session_ticket( ssl ); 03378 break; 03379 #endif 03380 03381 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 03382 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 03383 break; 03384 03385 case MBEDTLS_SSL_SERVER_FINISHED: 03386 ret = mbedtls_ssl_parse_finished( ssl ); 03387 break; 03388 03389 case MBEDTLS_SSL_FLUSH_BUFFERS: 03390 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03391 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 03392 break; 03393 03394 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 03395 mbedtls_ssl_handshake_wrapup( ssl ); 03396 break; 03397 03398 default: 03399 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03400 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03401 } 03402 03403 return( ret ); 03404 } 03405 #endif /* MBEDTLS_SSL_CLI_C */
Generated on Tue Jul 12 2022 13:16:12 by
1.7.2