mbedtls ported to mbed-classic
Fork of mbedtls by
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_CLI_C) 00029 00030 #include "mbedtls/debug.h" 00031 #include "mbedtls/ssl.h" 00032 #include "mbedtls/ssl_internal.h" 00033 00034 #include <string.h> 00035 00036 #if defined(MBEDTLS_PLATFORM_C) 00037 #include "mbedtls/platform.h" 00038 #else 00039 #include <stdlib.h> 00040 #define mbedtls_calloc calloc 00041 #define mbedtls_free free 00042 #endif 00043 00044 #include <stdint.h> 00045 00046 #if defined(MBEDTLS_HAVE_TIME) 00047 #include <time.h> 00048 #endif 00049 00050 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00051 /* Implementation that should never be optimized out by the compiler */ 00052 static void mbedtls_zeroize( void *v, size_t n ) { 00053 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00054 } 00055 #endif 00056 00057 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00058 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 00059 unsigned char *buf, 00060 size_t *olen ) 00061 { 00062 unsigned char *p = buf; 00063 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00064 size_t hostname_len; 00065 00066 *olen = 0; 00067 00068 if( ssl->hostname == NULL ) 00069 return; 00070 00071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00072 ssl->hostname ) ); 00073 00074 hostname_len = strlen( ssl->hostname ); 00075 00076 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 00077 { 00078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00079 return; 00080 } 00081 00082 /* 00083 * struct { 00084 * NameType name_type; 00085 * select (name_type) { 00086 * case host_name: HostName; 00087 * } name; 00088 * } ServerName; 00089 * 00090 * enum { 00091 * host_name(0), (255) 00092 * } NameType; 00093 * 00094 * opaque HostName<1..2^16-1>; 00095 * 00096 * struct { 00097 * ServerName server_name_list<1..2^16-1> 00098 * } ServerNameList; 00099 */ 00100 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00101 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 00102 00103 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 00104 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 00105 00106 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 00107 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 00108 00109 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00110 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 00111 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 00112 00113 memcpy( p, ssl->hostname, hostname_len ); 00114 00115 *olen = hostname_len + 9; 00116 } 00117 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00118 00119 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00120 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 00121 unsigned char *buf, 00122 size_t *olen ) 00123 { 00124 unsigned char *p = buf; 00125 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00126 00127 *olen = 0; 00128 00129 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00130 return; 00131 00132 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00133 00134 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 00135 { 00136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00137 return; 00138 } 00139 00140 /* 00141 * Secure renegotiation 00142 */ 00143 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00144 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00145 00146 *p++ = 0x00; 00147 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00148 *p++ = ssl->verify_data_len & 0xFF; 00149 00150 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00151 00152 *olen = 5 + ssl->verify_data_len; 00153 } 00154 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00155 00156 /* 00157 * Only if we handle at least one key exchange that needs signatures. 00158 */ 00159 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00160 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00161 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00162 unsigned char *buf, 00163 size_t *olen ) 00164 { 00165 unsigned char *p = buf; 00166 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00167 size_t sig_alg_len = 0; 00168 const int *md; 00169 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 00170 unsigned char *sig_alg_list = buf + 6; 00171 #endif 00172 00173 *olen = 0; 00174 00175 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 00176 return; 00177 00178 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00179 00180 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00181 { 00182 #if defined(MBEDTLS_ECDSA_C) 00183 sig_alg_len += 2; 00184 #endif 00185 #if defined(MBEDTLS_RSA_C) 00186 sig_alg_len += 2; 00187 #endif 00188 } 00189 00190 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 00191 { 00192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00193 return; 00194 } 00195 00196 /* 00197 * Prepare signature_algorithms extension (TLS 1.2) 00198 */ 00199 sig_alg_len = 0; 00200 00201 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00202 { 00203 #if defined(MBEDTLS_ECDSA_C) 00204 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00205 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 00206 #endif 00207 #if defined(MBEDTLS_RSA_C) 00208 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00209 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 00210 #endif 00211 } 00212 00213 /* 00214 * enum { 00215 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00216 * sha512(6), (255) 00217 * } HashAlgorithm; 00218 * 00219 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00220 * SignatureAlgorithm; 00221 * 00222 * struct { 00223 * HashAlgorithm hash; 00224 * SignatureAlgorithm signature; 00225 * } SignatureAndHashAlgorithm; 00226 * 00227 * SignatureAndHashAlgorithm 00228 * supported_signature_algorithms<2..2^16-2>; 00229 */ 00230 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00231 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 00232 00233 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00234 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00235 00236 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00237 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00238 00239 *olen = 6 + sig_alg_len; 00240 } 00241 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00242 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00243 00244 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00245 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00246 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 00247 unsigned char *buf, 00248 size_t *olen ) 00249 { 00250 unsigned char *p = buf; 00251 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00252 unsigned char *elliptic_curve_list = p + 6; 00253 size_t elliptic_curve_len = 0; 00254 const mbedtls_ecp_curve_info *info; 00255 #if defined(MBEDTLS_ECP_C) 00256 const mbedtls_ecp_group_id *grp_id; 00257 #else 00258 ((void) ssl); 00259 #endif 00260 00261 *olen = 0; 00262 00263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00264 00265 #if defined(MBEDTLS_ECP_C) 00266 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00267 { 00268 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00269 #else 00270 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00271 { 00272 #endif 00273 elliptic_curve_len += 2; 00274 } 00275 00276 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 00277 { 00278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00279 return; 00280 } 00281 00282 elliptic_curve_len = 0; 00283 00284 #if defined(MBEDTLS_ECP_C) 00285 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00286 { 00287 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00288 #else 00289 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00290 { 00291 #endif 00292 00293 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00294 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00295 } 00296 00297 if( elliptic_curve_len == 0 ) 00298 return; 00299 00300 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00301 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00302 00303 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00304 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00305 00306 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00307 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00308 00309 *olen = 6 + elliptic_curve_len; 00310 } 00311 00312 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 00313 unsigned char *buf, 00314 size_t *olen ) 00315 { 00316 unsigned char *p = buf; 00317 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00318 00319 *olen = 0; 00320 00321 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00322 00323 if( end < p || (size_t)( end - p ) < 6 ) 00324 { 00325 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00326 return; 00327 } 00328 00329 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00330 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00331 00332 *p++ = 0x00; 00333 *p++ = 2; 00334 00335 *p++ = 1; 00336 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 00337 00338 *olen = 6; 00339 } 00340 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00341 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00342 00343 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00344 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 00345 unsigned char *buf, 00346 size_t *olen ) 00347 { 00348 int ret; 00349 unsigned char *p = buf; 00350 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00351 size_t kkpp_len; 00352 00353 *olen = 0; 00354 00355 /* Skip costly extension if we can't use EC J-PAKE anyway */ 00356 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00357 return; 00358 00359 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 00360 00361 if( end - p < 4 ) 00362 { 00363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00364 return; 00365 } 00366 00367 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 00368 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 00369 00370 /* 00371 * We may need to send ClientHello multiple times for Hello verification. 00372 * We don't want to compute fresh values every time (both for performance 00373 * and consistency reasons), so cache the extension content. 00374 */ 00375 if( ssl->handshake->ecjpake_cache == NULL || 00376 ssl->handshake->ecjpake_cache_len == 0 ) 00377 { 00378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 00379 00380 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 00381 p + 2, end - p - 2, &kkpp_len, 00382 ssl->conf->f_rng, ssl->conf->p_rng ); 00383 if( ret != 0 ) 00384 { 00385 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 00386 return; 00387 } 00388 00389 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 00390 if( ssl->handshake->ecjpake_cache == NULL ) 00391 { 00392 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 00393 return; 00394 } 00395 00396 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 00397 ssl->handshake->ecjpake_cache_len = kkpp_len; 00398 } 00399 else 00400 { 00401 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 00402 00403 kkpp_len = ssl->handshake->ecjpake_cache_len; 00404 00405 if( (size_t)( end - p - 2 ) < kkpp_len ) 00406 { 00407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00408 return; 00409 } 00410 00411 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 00412 } 00413 00414 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 00415 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 00416 00417 *olen = kkpp_len + 4; 00418 } 00419 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00420 00421 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00422 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00423 unsigned char *buf, 00424 size_t *olen ) 00425 { 00426 unsigned char *p = buf; 00427 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00428 00429 *olen = 0; 00430 00431 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 00432 return; 00433 } 00434 00435 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00436 00437 if( end < p || (size_t)( end - p ) < 5 ) 00438 { 00439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00440 return; 00441 } 00442 00443 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00444 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00445 00446 *p++ = 0x00; 00447 *p++ = 1; 00448 00449 *p++ = ssl->conf->mfl_code; 00450 00451 *olen = 5; 00452 } 00453 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00454 00455 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00456 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00457 unsigned char *buf, size_t *olen ) 00458 { 00459 unsigned char *p = buf; 00460 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00461 00462 *olen = 0; 00463 00464 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 00465 { 00466 return; 00467 } 00468 00469 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00470 00471 if( end < p || (size_t)( end - p ) < 4 ) 00472 { 00473 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00474 return; 00475 } 00476 00477 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00478 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00479 00480 *p++ = 0x00; 00481 *p++ = 0x00; 00482 00483 *olen = 4; 00484 } 00485 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00486 00487 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00488 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00489 unsigned char *buf, size_t *olen ) 00490 { 00491 unsigned char *p = buf; 00492 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00493 00494 *olen = 0; 00495 00496 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 00497 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00498 { 00499 return; 00500 } 00501 00502 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00503 "extension" ) ); 00504 00505 if( end < p || (size_t)( end - p ) < 4 ) 00506 { 00507 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00508 return; 00509 } 00510 00511 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00512 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00513 00514 *p++ = 0x00; 00515 *p++ = 0x00; 00516 00517 *olen = 4; 00518 } 00519 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00520 00521 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00522 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 00523 unsigned char *buf, size_t *olen ) 00524 { 00525 unsigned char *p = buf; 00526 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00527 00528 *olen = 0; 00529 00530 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 00531 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00532 { 00533 return; 00534 } 00535 00536 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00537 "extension" ) ); 00538 00539 if( end < p || (size_t)( end - p ) < 4 ) 00540 { 00541 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00542 return; 00543 } 00544 00545 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00546 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00547 00548 *p++ = 0x00; 00549 *p++ = 0x00; 00550 00551 *olen = 4; 00552 } 00553 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00554 00555 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00556 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 00557 unsigned char *buf, size_t *olen ) 00558 { 00559 unsigned char *p = buf; 00560 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00561 size_t tlen = ssl->session_negotiate->ticket_len; 00562 00563 *olen = 0; 00564 00565 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 00566 { 00567 return; 00568 } 00569 00570 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00571 00572 if( end < p || (size_t)( end - p ) < 4 + tlen ) 00573 { 00574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00575 return; 00576 } 00577 00578 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00579 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 00580 00581 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00582 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00583 00584 *olen = 4; 00585 00586 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 00587 { 00588 return; 00589 } 00590 00591 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00592 00593 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00594 00595 *olen += tlen; 00596 } 00597 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00598 00599 #if defined(MBEDTLS_SSL_ALPN) 00600 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 00601 unsigned char *buf, size_t *olen ) 00602 { 00603 unsigned char *p = buf; 00604 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00605 size_t alpnlen = 0; 00606 const char **cur; 00607 00608 *olen = 0; 00609 00610 if( ssl->conf->alpn_list == NULL ) 00611 { 00612 return; 00613 } 00614 00615 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00616 00617 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00618 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 00619 00620 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 00621 { 00622 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00623 return; 00624 } 00625 00626 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 00627 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 00628 00629 /* 00630 * opaque ProtocolName<1..2^8-1>; 00631 * 00632 * struct { 00633 * ProtocolName protocol_name_list<2..2^16-1> 00634 * } ProtocolNameList; 00635 */ 00636 00637 /* Skip writing extension and list length for now */ 00638 p += 4; 00639 00640 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00641 { 00642 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00643 memcpy( p + 1, *cur, *p ); 00644 p += 1 + *p; 00645 } 00646 00647 *olen = p - buf; 00648 00649 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00650 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00651 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00652 00653 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00654 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00655 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00656 } 00657 #endif /* MBEDTLS_SSL_ALPN */ 00658 00659 /* 00660 * Generate random bytes for ClientHello 00661 */ 00662 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 00663 { 00664 int ret; 00665 unsigned char *p = ssl->handshake->randbytes; 00666 #if defined(MBEDTLS_HAVE_TIME) 00667 time_t t; 00668 #endif 00669 00670 /* 00671 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 00672 */ 00673 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00674 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00675 ssl->handshake->verify_cookie != NULL ) 00676 { 00677 return( 0 ); 00678 } 00679 #endif 00680 00681 #if defined(MBEDTLS_HAVE_TIME) 00682 t = time( NULL ); 00683 *p++ = (unsigned char)( t >> 24 ); 00684 *p++ = (unsigned char)( t >> 16 ); 00685 *p++ = (unsigned char)( t >> 8 ); 00686 *p++ = (unsigned char)( t ); 00687 00688 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00689 #else 00690 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 00691 return( ret ); 00692 00693 p += 4; 00694 #endif /* MBEDTLS_HAVE_TIME */ 00695 00696 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 00697 return( ret ); 00698 00699 return( 0 ); 00700 } 00701 00702 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 00703 { 00704 int ret; 00705 size_t i, n, olen, ext_len = 0; 00706 unsigned char *buf; 00707 unsigned char *p, *q; 00708 unsigned char offer_compress; 00709 const int *ciphersuites; 00710 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00711 00712 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00713 00714 if( ssl->conf->f_rng == NULL ) 00715 { 00716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00717 return( MBEDTLS_ERR_SSL_NO_RNG ); 00718 } 00719 00720 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00721 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00722 #endif 00723 { 00724 ssl->major_ver = ssl->conf->min_major_ver; 00725 ssl->minor_ver = ssl->conf->min_minor_ver; 00726 } 00727 00728 if( ssl->conf->max_major_ver == 0 ) 00729 { 00730 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 00731 "consider using mbedtls_ssl_config_defaults()" ) ); 00732 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00733 } 00734 00735 /* 00736 * 0 . 0 handshake type 00737 * 1 . 3 handshake length 00738 * 4 . 5 highest version supported 00739 * 6 . 9 current UNIX time 00740 * 10 . 37 random bytes 00741 */ 00742 buf = ssl->out_msg; 00743 p = buf + 4; 00744 00745 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 00746 ssl->conf->transport, p ); 00747 p += 2; 00748 00749 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00750 buf[4], buf[5] ) ); 00751 00752 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 00753 { 00754 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 00755 return( ret ); 00756 } 00757 00758 memcpy( p, ssl->handshake->randbytes, 32 ); 00759 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 00760 p += 32; 00761 00762 /* 00763 * 38 . 38 session id length 00764 * 39 . 39+n session id 00765 * 39+n . 39+n DTLS only: cookie length (1 byte) 00766 * 40+n . .. DTSL only: cookie 00767 * .. . .. ciphersuitelist length (2 bytes) 00768 * .. . .. ciphersuitelist 00769 * .. . .. compression methods length (1 byte) 00770 * .. . .. compression methods 00771 * .. . .. extensions length (2 bytes) 00772 * .. . .. extensions 00773 */ 00774 n = ssl->session_negotiate->id_len; 00775 00776 if( n < 16 || n > 32 || 00777 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00778 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 00779 #endif 00780 ssl->handshake->resume == 0 ) 00781 { 00782 n = 0; 00783 } 00784 00785 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00786 /* 00787 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00788 * generate and include a Session ID in the TLS ClientHello." 00789 */ 00790 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00791 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00792 #endif 00793 { 00794 if( ssl->session_negotiate->ticket != NULL && 00795 ssl->session_negotiate->ticket_len != 0 ) 00796 { 00797 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 00798 00799 if( ret != 0 ) 00800 return( ret ); 00801 00802 ssl->session_negotiate->id_len = n = 32; 00803 } 00804 } 00805 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00806 00807 *p++ = (unsigned char) n; 00808 00809 for( i = 0; i < n; i++ ) 00810 *p++ = ssl->session_negotiate->id[i]; 00811 00812 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00813 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00814 00815 /* 00816 * DTLS cookie 00817 */ 00818 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00819 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00820 { 00821 if( ssl->handshake->verify_cookie == NULL ) 00822 { 00823 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 00824 *p++ = 0; 00825 } 00826 else 00827 { 00828 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 00829 ssl->handshake->verify_cookie, 00830 ssl->handshake->verify_cookie_len ); 00831 00832 *p++ = ssl->handshake->verify_cookie_len; 00833 memcpy( p, ssl->handshake->verify_cookie, 00834 ssl->handshake->verify_cookie_len ); 00835 p += ssl->handshake->verify_cookie_len; 00836 } 00837 } 00838 #endif 00839 00840 /* 00841 * Ciphersuite list 00842 */ 00843 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 00844 00845 /* Skip writing ciphersuite length for now */ 00846 n = 0; 00847 q = p; 00848 p += 2; 00849 00850 for( i = 0; ciphersuites[i] != 0; i++ ) 00851 { 00852 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 00853 00854 if( ciphersuite_info == NULL ) 00855 continue; 00856 00857 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver || 00858 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver ) 00859 continue; 00860 00861 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00862 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00863 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00864 continue; 00865 #endif 00866 00867 #if defined(MBEDTLS_ARC4_C) 00868 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00869 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00870 continue; 00871 #endif 00872 00873 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00874 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00875 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00876 continue; 00877 #endif 00878 00879 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 00880 ciphersuites[i] ) ); 00881 00882 n++; 00883 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00884 *p++ = (unsigned char)( ciphersuites[i] ); 00885 } 00886 00887 /* 00888 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00889 */ 00890 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00891 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00892 #endif 00893 { 00894 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00895 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 00896 n++; 00897 } 00898 00899 /* Some versions of OpenSSL don't handle it correctly if not at end */ 00900 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 00901 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 00902 { 00903 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 00904 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 00905 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 00906 n++; 00907 } 00908 #endif 00909 00910 *q++ = (unsigned char)( n >> 7 ); 00911 *q++ = (unsigned char)( n << 1 ); 00912 00913 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); 00914 00915 #if defined(MBEDTLS_ZLIB_SUPPORT) 00916 offer_compress = 1; 00917 #else 00918 offer_compress = 0; 00919 #endif 00920 00921 /* 00922 * We don't support compression with DTLS right now: is many records come 00923 * in the same datagram, uncompressing one could overwrite the next one. 00924 * We don't want to add complexity for handling that case unless there is 00925 * an actual need for it. 00926 */ 00927 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00928 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00929 offer_compress = 0; 00930 #endif 00931 00932 if( offer_compress ) 00933 { 00934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00935 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00936 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 00937 00938 *p++ = 2; 00939 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 00940 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00941 } 00942 else 00943 { 00944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00945 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 00946 MBEDTLS_SSL_COMPRESS_NULL ) ); 00947 00948 *p++ = 1; 00949 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00950 } 00951 00952 // First write extensions, then the total length 00953 // 00954 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00955 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 00956 ext_len += olen; 00957 #endif 00958 00959 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00960 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 00961 ext_len += olen; 00962 #endif 00963 00964 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00965 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00966 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 00967 ext_len += olen; 00968 #endif 00969 00970 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00971 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00972 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 00973 ext_len += olen; 00974 00975 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 00976 ext_len += olen; 00977 #endif 00978 00979 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00980 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 00981 ext_len += olen; 00982 #endif 00983 00984 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00985 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 00986 ext_len += olen; 00987 #endif 00988 00989 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00990 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 00991 ext_len += olen; 00992 #endif 00993 00994 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00995 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 00996 ext_len += olen; 00997 #endif 00998 00999 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01000 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 01001 ext_len += olen; 01002 #endif 01003 01004 #if defined(MBEDTLS_SSL_ALPN) 01005 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01006 ext_len += olen; 01007 #endif 01008 01009 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01010 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01011 ext_len += olen; 01012 #endif 01013 01014 /* olen unused if all extensions are disabled */ 01015 ((void) olen); 01016 01017 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 01018 ext_len ) ); 01019 01020 if( ext_len > 0 ) 01021 { 01022 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01023 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01024 p += ext_len; 01025 } 01026 01027 ssl->out_msglen = p - buf; 01028 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 01029 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 01030 01031 ssl->state++; 01032 01033 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01034 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01035 mbedtls_ssl_send_flight_completed( ssl ); 01036 #endif 01037 01038 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 01039 { 01040 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 01041 return( ret ); 01042 } 01043 01044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 01045 01046 return( 0 ); 01047 } 01048 01049 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 01050 const unsigned char *buf, 01051 size_t len ) 01052 { 01053 int ret; 01054 01055 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01056 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01057 { 01058 /* Check verify-data in constant-time. The length OTOH is no secret */ 01059 if( len != 1 + ssl->verify_data_len * 2 || 01060 buf[0] != ssl->verify_data_len * 2 || 01061 mbedtls_ssl_safer_memcmp( buf + 1, 01062 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 01063 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 01064 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 01065 { 01066 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 01067 01068 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01069 return( ret ); 01070 01071 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01072 } 01073 } 01074 else 01075 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01076 { 01077 if( len != 1 || buf[0] != 0x00 ) 01078 { 01079 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 01080 01081 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01082 return( ret ); 01083 01084 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01085 } 01086 01087 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01088 } 01089 01090 return( 0 ); 01091 } 01092 01093 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01094 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 01095 const unsigned char *buf, 01096 size_t len ) 01097 { 01098 /* 01099 * server should use the extension only if we did, 01100 * and if so the server's value should match ours (and len is always 1) 01101 */ 01102 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 01103 len != 1 || 01104 buf[0] != ssl->conf->mfl_code ) 01105 { 01106 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01107 } 01108 01109 return( 0 ); 01110 } 01111 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01112 01113 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01114 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01115 const unsigned char *buf, 01116 size_t len ) 01117 { 01118 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 01119 len != 0 ) 01120 { 01121 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01122 } 01123 01124 ((void) buf); 01125 01126 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 01127 01128 return( 0 ); 01129 } 01130 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01131 01132 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01133 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01134 const unsigned char *buf, 01135 size_t len ) 01136 { 01137 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 01138 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01139 len != 0 ) 01140 { 01141 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01142 } 01143 01144 ((void) buf); 01145 01146 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 01147 01148 return( 0 ); 01149 } 01150 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01151 01152 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01153 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 01154 const unsigned char *buf, 01155 size_t len ) 01156 { 01157 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01158 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01159 len != 0 ) 01160 { 01161 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01162 } 01163 01164 ((void) buf); 01165 01166 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 01167 01168 return( 0 ); 01169 } 01170 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01171 01172 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01173 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 01174 const unsigned char *buf, 01175 size_t len ) 01176 { 01177 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 01178 len != 0 ) 01179 { 01180 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01181 } 01182 01183 ((void) buf); 01184 01185 ssl->handshake->new_session_ticket = 1; 01186 01187 return( 0 ); 01188 } 01189 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01190 01191 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01192 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01193 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 01194 const unsigned char *buf, 01195 size_t len ) 01196 { 01197 size_t list_size; 01198 const unsigned char *p; 01199 01200 list_size = buf[0]; 01201 if( list_size + 1 != len ) 01202 { 01203 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01204 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01205 } 01206 01207 p = buf + 1; 01208 while( list_size > 0 ) 01209 { 01210 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 01211 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 01212 { 01213 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 01214 ssl->handshake->ecdh_ctx.point_format = p[0]; 01215 #endif 01216 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01217 ssl->handshake->ecjpake_ctx.point_format = p[0]; 01218 #endif 01219 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 01220 return( 0 ); 01221 } 01222 01223 list_size--; 01224 p++; 01225 } 01226 01227 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 01228 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01229 } 01230 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01231 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01232 01233 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01234 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 01235 const unsigned char *buf, 01236 size_t len ) 01237 { 01238 int ret; 01239 01240 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 01241 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 01242 { 01243 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 01244 return( 0 ); 01245 } 01246 01247 /* If we got here, we no longer need our cached extension */ 01248 mbedtls_free( ssl->handshake->ecjpake_cache ); 01249 ssl->handshake->ecjpake_cache = NULL; 01250 ssl->handshake->ecjpake_cache_len = 0; 01251 01252 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 01253 buf, len ) ) != 0 ) 01254 { 01255 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 01256 return( ret ); 01257 } 01258 01259 return( 0 ); 01260 } 01261 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01262 01263 #if defined(MBEDTLS_SSL_ALPN) 01264 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 01265 const unsigned char *buf, size_t len ) 01266 { 01267 size_t list_len, name_len; 01268 const char **p; 01269 01270 /* If we didn't send it, the server shouldn't send it */ 01271 if( ssl->conf->alpn_list == NULL ) 01272 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01273 01274 /* 01275 * opaque ProtocolName<1..2^8-1>; 01276 * 01277 * struct { 01278 * ProtocolName protocol_name_list<2..2^16-1> 01279 * } ProtocolNameList; 01280 * 01281 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 01282 */ 01283 01284 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 01285 if( len < 4 ) 01286 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01287 01288 list_len = ( buf[0] << 8 ) | buf[1]; 01289 if( list_len != len - 2 ) 01290 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01291 01292 name_len = buf[2]; 01293 if( name_len != list_len - 1 ) 01294 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01295 01296 /* Check that the server chosen protocol was in our list and save it */ 01297 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 01298 { 01299 if( name_len == strlen( *p ) && 01300 memcmp( buf + 3, *p, name_len ) == 0 ) 01301 { 01302 ssl->alpn_chosen = *p; 01303 return( 0 ); 01304 } 01305 } 01306 01307 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01308 } 01309 #endif /* MBEDTLS_SSL_ALPN */ 01310 01311 /* 01312 * Parse HelloVerifyRequest. Only called after verifying the HS type. 01313 */ 01314 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01315 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 01316 { 01317 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 01318 int major_ver, minor_ver; 01319 unsigned char cookie_len; 01320 01321 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 01322 01323 /* 01324 * struct { 01325 * ProtocolVersion server_version; 01326 * opaque cookie<0..2^8-1>; 01327 * } HelloVerifyRequest; 01328 */ 01329 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 01330 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 01331 p += 2; 01332 01333 /* 01334 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 01335 * even is lower than our min version. 01336 */ 01337 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 01338 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 01339 major_ver > ssl->conf->max_major_ver || 01340 minor_ver > ssl->conf->max_minor_ver ) 01341 { 01342 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 01343 01344 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01345 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01346 01347 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01348 } 01349 01350 cookie_len = *p++; 01351 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 01352 01353 mbedtls_free( ssl->handshake->verify_cookie ); 01354 01355 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 01356 if( ssl->handshake->verify_cookie == NULL ) 01357 { 01358 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 01359 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 01360 } 01361 01362 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 01363 ssl->handshake->verify_cookie_len = cookie_len; 01364 01365 /* Start over at ClientHello */ 01366 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 01367 mbedtls_ssl_reset_checksum( ssl ); 01368 01369 mbedtls_ssl_recv_flight_completed( ssl ); 01370 01371 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 01372 01373 return( 0 ); 01374 } 01375 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01376 01377 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 01378 { 01379 int ret, i; 01380 size_t n; 01381 size_t ext_len; 01382 unsigned char *buf, *ext; 01383 unsigned char comp; 01384 #if defined(MBEDTLS_ZLIB_SUPPORT) 01385 int accept_comp; 01386 #endif 01387 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01388 int renegotiation_info_seen = 0; 01389 #endif 01390 int handshake_failure = 0; 01391 const mbedtls_ssl_ciphersuite_t *suite_info; 01392 #if defined(MBEDTLS_DEBUG_C) 01393 uint32_t t; 01394 #endif 01395 01396 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01397 01398 buf = ssl->in_msg; 01399 01400 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 01401 { 01402 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 01403 return( ret ); 01404 } 01405 01406 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 01407 { 01408 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01409 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01410 { 01411 ssl->renego_records_seen++; 01412 01413 if( ssl->conf->renego_max_records >= 0 && 01414 ssl->renego_records_seen > ssl->conf->renego_max_records ) 01415 { 01416 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01417 "but not honored by server" ) ); 01418 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01419 } 01420 01421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01422 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01423 } 01424 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01425 01426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01427 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01428 } 01429 01430 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01431 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01432 { 01433 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 01434 { 01435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 01436 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01437 return( ssl_parse_hello_verify_request( ssl ) ); 01438 } 01439 else 01440 { 01441 /* We made it through the verification process */ 01442 mbedtls_free( ssl->handshake->verify_cookie ); 01443 ssl->handshake->verify_cookie = NULL; 01444 ssl->handshake->verify_cookie_len = 0; 01445 } 01446 } 01447 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01448 01449 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 01450 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 01451 { 01452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01453 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01454 } 01455 01456 /* 01457 * 0 . 1 server_version 01458 * 2 . 33 random (maybe including 4 bytes of Unix time) 01459 * 34 . 34 session_id length = n 01460 * 35 . 34+n session_id 01461 * 35+n . 36+n cipher_suite 01462 * 37+n . 37+n compression_method 01463 * 01464 * 38+n . 39+n extensions length (optional) 01465 * 40+n . .. extensions 01466 */ 01467 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01468 01469 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 01470 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01471 ssl->conf->transport, buf + 0 ); 01472 01473 if( ssl->major_ver < ssl->conf->min_major_ver || 01474 ssl->minor_ver < ssl->conf->min_minor_ver || 01475 ssl->major_ver > ssl->conf->max_major_ver || 01476 ssl->minor_ver > ssl->conf->max_minor_ver ) 01477 { 01478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 01479 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 01480 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 01481 ssl->major_ver, ssl->minor_ver, 01482 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 01483 01484 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01485 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01486 01487 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01488 } 01489 01490 #if defined(MBEDTLS_DEBUG_C) 01491 t = ( (uint32_t) buf[2] << 24 ) 01492 | ( (uint32_t) buf[3] << 16 ) 01493 | ( (uint32_t) buf[4] << 8 ) 01494 | ( (uint32_t) buf[5] ); 01495 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 01496 #endif 01497 01498 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 01499 01500 n = buf[34]; 01501 01502 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 01503 01504 if( n > 32 ) 01505 { 01506 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01507 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01508 } 01509 01510 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 01511 { 01512 ext_len = ( ( buf[38 + n] << 8 ) 01513 | ( buf[39 + n] ) ); 01514 01515 if( ( ext_len > 0 && ext_len < 4 ) || 01516 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 01517 { 01518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01519 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01520 } 01521 } 01522 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 01523 { 01524 ext_len = 0; 01525 } 01526 else 01527 { 01528 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01529 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01530 } 01531 01532 /* ciphersuite (used later) */ 01533 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 01534 01535 /* 01536 * Read and check compression 01537 */ 01538 comp = buf[37 + n]; 01539 01540 #if defined(MBEDTLS_ZLIB_SUPPORT) 01541 /* See comments in ssl_write_client_hello() */ 01542 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01543 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01544 accept_comp = 0; 01545 else 01546 #endif 01547 accept_comp = 1; 01548 01549 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 01550 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 01551 #else /* MBEDTLS_ZLIB_SUPPORT */ 01552 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 01553 #endif/* MBEDTLS_ZLIB_SUPPORT */ 01554 { 01555 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 01556 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01557 } 01558 01559 /* 01560 * Initialize update checksum functions 01561 */ 01562 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 01563 01564 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 01565 { 01566 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01567 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01568 } 01569 01570 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01571 01572 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01573 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 01574 01575 /* 01576 * Check if the session can be resumed 01577 */ 01578 if( ssl->handshake->resume == 0 || n == 0 || 01579 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01580 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 01581 #endif 01582 ssl->session_negotiate->ciphersuite != i || 01583 ssl->session_negotiate->compression != comp || 01584 ssl->session_negotiate->id_len != n || 01585 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 01586 { 01587 ssl->state++; 01588 ssl->handshake->resume = 0; 01589 #if defined(MBEDTLS_HAVE_TIME) 01590 ssl->session_negotiate->start = time( NULL ); 01591 #endif 01592 ssl->session_negotiate->ciphersuite = i; 01593 ssl->session_negotiate->compression = comp; 01594 ssl->session_negotiate->id_len = n; 01595 memcpy( ssl->session_negotiate->id, buf + 35, n ); 01596 } 01597 else 01598 { 01599 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 01600 01601 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 01602 { 01603 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 01604 return( ret ); 01605 } 01606 } 01607 01608 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01609 ssl->handshake->resume ? "a" : "no" ) ); 01610 01611 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 01612 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 01613 01614 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01615 if( suite_info == NULL 01616 #if defined(MBEDTLS_ARC4_C) 01617 || ( ssl->conf->arc4_disabled && 01618 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 01619 #endif 01620 ) 01621 { 01622 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01623 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01624 } 01625 01626 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 01627 01628 i = 0; 01629 while( 1 ) 01630 { 01631 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01632 { 01633 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01634 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01635 } 01636 01637 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 01638 ssl->session_negotiate->ciphersuite ) 01639 { 01640 break; 01641 } 01642 } 01643 01644 if( comp != MBEDTLS_SSL_COMPRESS_NULL 01645 #if defined(MBEDTLS_ZLIB_SUPPORT) 01646 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 01647 #endif 01648 ) 01649 { 01650 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01651 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01652 } 01653 ssl->session_negotiate->compression = comp; 01654 01655 ext = buf + 40 + n; 01656 01657 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01658 01659 while( ext_len ) 01660 { 01661 unsigned int ext_id = ( ( ext[0] << 8 ) 01662 | ( ext[1] ) ); 01663 unsigned int ext_size = ( ( ext[2] << 8 ) 01664 | ( ext[3] ) ); 01665 01666 if( ext_size + 4 > ext_len ) 01667 { 01668 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01669 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01670 } 01671 01672 switch( ext_id ) 01673 { 01674 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01675 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01676 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01677 renegotiation_info_seen = 1; 01678 #endif 01679 01680 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01681 ext_size ) ) != 0 ) 01682 return( ret ); 01683 01684 break; 01685 01686 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01687 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01688 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01689 01690 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01691 ext + 4, ext_size ) ) != 0 ) 01692 { 01693 return( ret ); 01694 } 01695 01696 break; 01697 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01698 01699 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01700 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01701 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01702 01703 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01704 ext + 4, ext_size ) ) != 0 ) 01705 { 01706 return( ret ); 01707 } 01708 01709 break; 01710 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01711 01712 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01713 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01714 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 01715 01716 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 01717 ext + 4, ext_size ) ) != 0 ) 01718 { 01719 return( ret ); 01720 } 01721 01722 break; 01723 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01724 01725 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01726 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 01728 01729 if( ( ret = ssl_parse_extended_ms_ext( ssl, 01730 ext + 4, ext_size ) ) != 0 ) 01731 { 01732 return( ret ); 01733 } 01734 01735 break; 01736 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01737 01738 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01739 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01740 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01741 01742 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01743 ext + 4, ext_size ) ) != 0 ) 01744 { 01745 return( ret ); 01746 } 01747 01748 break; 01749 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01750 01751 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01752 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01753 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01755 01756 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01757 ext + 4, ext_size ) ) != 0 ) 01758 { 01759 return( ret ); 01760 } 01761 01762 break; 01763 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01764 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01765 01766 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01767 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 01769 01770 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 01771 ext + 4, ext_size ) ) != 0 ) 01772 { 01773 return( ret ); 01774 } 01775 01776 break; 01777 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01778 01779 #if defined(MBEDTLS_SSL_ALPN) 01780 case MBEDTLS_TLS_EXT_ALPN: 01781 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01782 01783 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01784 return( ret ); 01785 01786 break; 01787 #endif /* MBEDTLS_SSL_ALPN */ 01788 01789 default: 01790 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01791 ext_id ) ); 01792 } 01793 01794 ext_len -= 4 + ext_size; 01795 ext += 4 + ext_size; 01796 01797 if( ext_len > 0 && ext_len < 4 ) 01798 { 01799 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01800 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01801 } 01802 } 01803 01804 /* 01805 * Renegotiation security checks 01806 */ 01807 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01808 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01809 { 01810 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01811 handshake_failure = 1; 01812 } 01813 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01814 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01815 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01816 renegotiation_info_seen == 0 ) 01817 { 01818 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01819 handshake_failure = 1; 01820 } 01821 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01822 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01823 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01824 { 01825 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01826 handshake_failure = 1; 01827 } 01828 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01829 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01830 renegotiation_info_seen == 1 ) 01831 { 01832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01833 handshake_failure = 1; 01834 } 01835 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01836 01837 if( handshake_failure == 1 ) 01838 { 01839 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01840 return( ret ); 01841 01842 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01843 } 01844 01845 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01846 01847 return( 0 ); 01848 } 01849 01850 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01851 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01852 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 01853 unsigned char *end ) 01854 { 01855 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01856 01857 /* 01858 * Ephemeral DH parameters: 01859 * 01860 * struct { 01861 * opaque dh_p<1..2^16-1>; 01862 * opaque dh_g<1..2^16-1>; 01863 * opaque dh_Ys<1..2^16-1>; 01864 * } ServerDHParams; 01865 */ 01866 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01867 { 01868 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 01869 return( ret ); 01870 } 01871 01872 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 01873 { 01874 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 01875 ssl->handshake->dhm_ctx.len * 8, 01876 ssl->conf->dhm_min_bitlen ) ); 01877 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01878 } 01879 01880 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 01881 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 01882 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 01883 01884 return( ret ); 01885 } 01886 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 01887 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01888 01889 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01890 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01891 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01892 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01893 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01894 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 01895 { 01896 const mbedtls_ecp_curve_info *curve_info; 01897 01898 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 01899 if( curve_info == NULL ) 01900 { 01901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01902 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01903 } 01904 01905 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 01906 01907 #if defined(MBEDTLS_ECP_C) 01908 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 01909 #else 01910 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 01911 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 01912 #endif 01913 return( -1 ); 01914 01915 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 01916 01917 return( 0 ); 01918 } 01919 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01920 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01921 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 01922 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 01923 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 01924 01925 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01926 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01927 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01928 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 01929 unsigned char **p, 01930 unsigned char *end ) 01931 { 01932 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01933 01934 /* 01935 * Ephemeral ECDH parameters: 01936 * 01937 * struct { 01938 * ECParameters curve_params; 01939 * ECPoint public; 01940 * } ServerECDHParams; 01941 */ 01942 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 01943 (const unsigned char **) p, end ) ) != 0 ) 01944 { 01945 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 01946 return( ret ); 01947 } 01948 01949 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 01950 { 01951 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 01952 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01953 } 01954 01955 return( ret ); 01956 } 01957 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01958 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01959 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01960 01961 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 01962 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 01963 unsigned char **p, 01964 unsigned char *end ) 01965 { 01966 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01967 size_t len; 01968 ((void) ssl); 01969 01970 /* 01971 * PSK parameters: 01972 * 01973 * opaque psk_identity_hint<0..2^16-1>; 01974 */ 01975 len = (*p)[0] << 8 | (*p)[1]; 01976 *p += 2; 01977 01978 if( (*p) + len > end ) 01979 { 01980 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) ); 01981 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01982 } 01983 01984 // TODO: Retrieve PSK identity hint and callback to app 01985 // 01986 *p += len; 01987 ret = 0; 01988 01989 return( ret ); 01990 } 01991 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01992 01993 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 01994 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 01995 /* 01996 * Generate a pre-master secret and encrypt it with the server's RSA key 01997 */ 01998 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 01999 size_t offset, size_t *olen, 02000 size_t pms_offset ) 02001 { 02002 int ret; 02003 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 02004 unsigned char *p = ssl->handshake->premaster + pms_offset; 02005 02006 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02007 { 02008 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 02009 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02010 } 02011 02012 /* 02013 * Generate (part of) the pre-master as 02014 * struct { 02015 * ProtocolVersion client_version; 02016 * opaque random[46]; 02017 * } PreMasterSecret; 02018 */ 02019 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 02020 ssl->conf->transport, p ); 02021 02022 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 02023 { 02024 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 02025 return( ret ); 02026 } 02027 02028 ssl->handshake->pmslen = 48; 02029 02030 if( ssl->session_negotiate->peer_cert == NULL ) 02031 { 02032 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02033 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02034 } 02035 02036 /* 02037 * Now write it out, encrypted 02038 */ 02039 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02040 MBEDTLS_PK_RSA ) ) 02041 { 02042 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 02043 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02044 } 02045 02046 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 02047 p, ssl->handshake->pmslen, 02048 ssl->out_msg + offset + len_bytes, olen, 02049 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, 02050 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02051 { 02052 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 02053 return( ret ); 02054 } 02055 02056 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02057 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02058 if( len_bytes == 2 ) 02059 { 02060 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 02061 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 02062 *olen += 2; 02063 } 02064 #endif 02065 02066 return( 0 ); 02067 } 02068 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 02069 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02070 02071 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02072 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02073 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02074 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02075 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 02076 unsigned char **p, 02077 unsigned char *end, 02078 mbedtls_md_type_t *md_alg, 02079 mbedtls_pk_type_t *pk_alg ) 02080 { 02081 ((void) ssl); 02082 *md_alg = MBEDTLS_MD_NONE; 02083 *pk_alg = MBEDTLS_PK_NONE; 02084 02085 /* Only in TLS 1.2 */ 02086 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 02087 { 02088 return( 0 ); 02089 } 02090 02091 if( (*p) + 2 > end ) 02092 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02093 02094 /* 02095 * Get hash algorithm 02096 */ 02097 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 02098 { 02099 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used unsupported " 02100 "HashAlgorithm %d", *(p)[0] ) ); 02101 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02102 } 02103 02104 /* 02105 * Get signature algorithm 02106 */ 02107 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 02108 { 02109 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used unsupported " 02110 "SignatureAlgorithm %d", (*p)[1] ) ); 02111 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02112 } 02113 02114 /* 02115 * Check if the hash is acceptable 02116 */ 02117 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 02118 { 02119 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used HashAlgorithm " 02120 "that was not offered" ) ); 02121 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02122 } 02123 02124 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 02125 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 02126 *p += 2; 02127 02128 return( 0 ); 02129 } 02130 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02131 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02132 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02133 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02134 02135 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02136 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02137 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02138 { 02139 int ret; 02140 const mbedtls_ecp_keypair *peer_key; 02141 02142 if( ssl->session_negotiate->peer_cert == NULL ) 02143 { 02144 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02145 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02146 } 02147 02148 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02149 MBEDTLS_PK_ECKEY ) ) 02150 { 02151 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02152 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02153 } 02154 02155 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 02156 02157 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 02158 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 02159 { 02160 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02161 return( ret ); 02162 } 02163 02164 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02165 { 02166 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 02167 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 02168 } 02169 02170 return( ret ); 02171 } 02172 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02173 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02174 02175 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 02176 { 02177 int ret; 02178 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02179 unsigned char *p, *end; 02180 02181 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 02182 02183 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02184 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02185 { 02186 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02187 ssl->state++; 02188 return( 0 ); 02189 } 02190 ((void) p); 02191 ((void) end); 02192 #endif 02193 02194 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02195 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02196 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02197 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02198 { 02199 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 02200 { 02201 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 02202 return( ret ); 02203 } 02204 02205 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02206 ssl->state++; 02207 return( 0 ); 02208 } 02209 ((void) p); 02210 ((void) end); 02211 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02212 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02213 02214 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02215 { 02216 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02217 return( ret ); 02218 } 02219 02220 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02221 { 02222 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02223 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02224 } 02225 02226 /* 02227 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 02228 * doesn't use a psk_identity_hint 02229 */ 02230 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 02231 { 02232 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02233 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02234 { 02235 ssl->record_read = 1; 02236 goto exit; 02237 } 02238 02239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02240 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02241 } 02242 02243 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02244 end = ssl->in_msg + ssl->in_hslen; 02245 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 02246 02247 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02248 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02249 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02250 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02251 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02252 { 02253 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 02254 { 02255 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02256 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02257 } 02258 } /* FALLTROUGH */ 02259 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02260 02261 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02262 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02263 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02264 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02265 ; /* nothing more to do */ 02266 else 02267 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 02268 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02269 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02270 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02271 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02272 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02273 { 02274 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 02275 { 02276 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02277 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02278 } 02279 } 02280 else 02281 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02282 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02283 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02284 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02285 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02286 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02287 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02288 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02289 { 02290 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 02291 { 02292 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02293 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02294 } 02295 } 02296 else 02297 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02298 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02299 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02300 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02301 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02302 { 02303 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 02304 p, end - p ); 02305 if( ret != 0 ) 02306 { 02307 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 02308 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02309 } 02310 } 02311 else 02312 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02313 { 02314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02315 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02316 } 02317 02318 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02319 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02320 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02321 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02322 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02323 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02324 { 02325 size_t sig_len, hashlen; 02326 unsigned char hash[64]; 02327 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02328 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 02329 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02330 size_t params_len = p - params; 02331 02332 /* 02333 * Handle the digitally-signed structure 02334 */ 02335 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02336 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02337 { 02338 if( ssl_parse_signature_algorithm( ssl, &p, end, 02339 &md_alg, &pk_alg ) != 0 ) 02340 { 02341 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02342 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02343 } 02344 02345 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 02346 { 02347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02348 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02349 } 02350 } 02351 else 02352 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02353 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02354 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02355 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 02356 { 02357 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 02358 02359 /* Default hash for ECDSA is SHA-1 */ 02360 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 02361 md_alg = MBEDTLS_MD_SHA1; 02362 } 02363 else 02364 #endif 02365 { 02366 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02367 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02368 } 02369 02370 /* 02371 * Read signature 02372 */ 02373 sig_len = ( p[0] << 8 ) | p[1]; 02374 p += 2; 02375 02376 if( end != p + sig_len ) 02377 { 02378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02379 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02380 } 02381 02382 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 02383 02384 /* 02385 * Compute the hash that has been signed 02386 */ 02387 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02388 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02389 if( md_alg == MBEDTLS_MD_NONE ) 02390 { 02391 mbedtls_md5_context mbedtls_md5; 02392 mbedtls_sha1_context mbedtls_sha1; 02393 02394 mbedtls_md5_init( &mbedtls_md5 ); 02395 mbedtls_sha1_init( &mbedtls_sha1 ); 02396 02397 hashlen = 36; 02398 02399 /* 02400 * digitally-signed struct { 02401 * opaque md5_hash[16]; 02402 * opaque sha_hash[20]; 02403 * }; 02404 * 02405 * md5_hash 02406 * MD5(ClientHello.random + ServerHello.random 02407 * + ServerParams); 02408 * sha_hash 02409 * SHA(ClientHello.random + ServerHello.random 02410 * + ServerParams); 02411 */ 02412 mbedtls_md5_starts( &mbedtls_md5 ); 02413 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); 02414 mbedtls_md5_update( &mbedtls_md5, params, params_len ); 02415 mbedtls_md5_finish( &mbedtls_md5, hash ); 02416 02417 mbedtls_sha1_starts( &mbedtls_sha1 ); 02418 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); 02419 mbedtls_sha1_update( &mbedtls_sha1, params, params_len ); 02420 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); 02421 02422 mbedtls_md5_free( &mbedtls_md5 ); 02423 mbedtls_sha1_free( &mbedtls_sha1 ); 02424 } 02425 else 02426 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02427 MBEDTLS_SSL_PROTO_TLS1_1 */ 02428 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02429 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02430 if( md_alg != MBEDTLS_MD_NONE ) 02431 { 02432 mbedtls_md_context_t ctx; 02433 02434 mbedtls_md_init( &ctx ); 02435 02436 /* Info from md_alg will be used instead */ 02437 hashlen = 0; 02438 02439 /* 02440 * digitally-signed struct { 02441 * opaque client_random[32]; 02442 * opaque server_random[32]; 02443 * ServerDHParams params; 02444 * }; 02445 */ 02446 if( ( ret = mbedtls_md_setup( &ctx, 02447 mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 ) 02448 { 02449 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 02450 return( ret ); 02451 } 02452 02453 mbedtls_md_starts( &ctx ); 02454 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); 02455 mbedtls_md_update( &ctx, params, params_len ); 02456 mbedtls_md_finish( &ctx, hash ); 02457 mbedtls_md_free( &ctx ); 02458 } 02459 else 02460 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02461 MBEDTLS_SSL_PROTO_TLS1_2 */ 02462 { 02463 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02464 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02465 } 02466 02467 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02468 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 02469 02470 if( ssl->session_negotiate->peer_cert == NULL ) 02471 { 02472 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02473 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02474 } 02475 02476 /* 02477 * Verify signature 02478 */ 02479 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 02480 { 02481 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02482 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02483 } 02484 02485 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 02486 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 02487 { 02488 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 02489 return( ret ); 02490 } 02491 } 02492 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02493 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02494 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02495 02496 exit: 02497 ssl->state++; 02498 02499 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02500 02501 return( 0 ); 02502 } 02503 02504 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02505 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02506 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02507 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02508 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02509 { 02510 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02511 02512 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02513 02514 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02515 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02516 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02517 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02518 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02519 { 02520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02521 ssl->state++; 02522 return( 0 ); 02523 } 02524 02525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02526 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02527 } 02528 #else 02529 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02530 { 02531 int ret; 02532 unsigned char *buf, *p; 02533 size_t n = 0, m = 0; 02534 size_t cert_type_len = 0, dn_len = 0; 02535 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02536 02537 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02538 02539 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02540 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02541 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02542 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02543 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02544 { 02545 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02546 ssl->state++; 02547 return( 0 ); 02548 } 02549 02550 if( ssl->record_read == 0 ) 02551 { 02552 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02553 { 02554 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02555 return( ret ); 02556 } 02557 02558 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02559 { 02560 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02561 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02562 } 02563 02564 ssl->record_read = 1; 02565 } 02566 02567 ssl->client_auth = 0; 02568 ssl->state++; 02569 02570 if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) 02571 ssl->client_auth++; 02572 02573 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 02574 ssl->client_auth ? "a" : "no" ) ); 02575 02576 if( ssl->client_auth == 0 ) 02577 goto exit; 02578 02579 ssl->record_read = 0; 02580 02581 // TODO: handshake_failure alert for an anonymous server to request 02582 // client authentication 02583 02584 /* 02585 * struct { 02586 * ClientCertificateType certificate_types<1..2^8-1>; 02587 * SignatureAndHashAlgorithm 02588 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 02589 * DistinguishedName certificate_authorities<0..2^16-1>; 02590 * } CertificateRequest; 02591 */ 02592 buf = ssl->in_msg; 02593 02594 // Retrieve cert types 02595 // 02596 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 02597 n = cert_type_len; 02598 02599 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02600 { 02601 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02602 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02603 } 02604 02605 p = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 1; 02606 while( cert_type_len > 0 ) 02607 { 02608 #if defined(MBEDTLS_RSA_C) 02609 if( *p == MBEDTLS_SSL_CERT_TYPE_RSA_SIGN && 02610 mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) ) 02611 { 02612 ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; 02613 break; 02614 } 02615 else 02616 #endif 02617 #if defined(MBEDTLS_ECDSA_C) 02618 if( *p == MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN && 02619 mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 02620 { 02621 ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; 02622 break; 02623 } 02624 else 02625 #endif 02626 { 02627 ; /* Unsupported cert type, ignore */ 02628 } 02629 02630 cert_type_len--; 02631 p++; 02632 } 02633 02634 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02635 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02636 { 02637 /* Ignored, see comments about hash in write_certificate_verify */ 02638 // TODO: should check the signature part against our pk_key though 02639 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02640 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02641 02642 m += 2; 02643 n += sig_alg_len; 02644 02645 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02646 { 02647 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02648 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02649 } 02650 } 02651 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02652 02653 /* Ignore certificate_authorities, we only have one cert anyway */ 02654 // TODO: should not send cert if no CA matches 02655 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + m + n] << 8 ) 02656 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + m + n] ) ); 02657 02658 n += dn_len; 02659 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + m + n ) 02660 { 02661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02662 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02663 } 02664 02665 exit: 02666 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 02667 02668 return( 0 ); 02669 } 02670 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 02671 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 02672 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02673 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02674 02675 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 02676 { 02677 int ret; 02678 02679 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 02680 02681 if( ssl->record_read == 0 ) 02682 { 02683 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02684 { 02685 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02686 return( ret ); 02687 } 02688 02689 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02690 { 02691 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02692 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02693 } 02694 } 02695 ssl->record_read = 0; 02696 02697 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 02698 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 02699 { 02700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02701 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02702 } 02703 02704 ssl->state++; 02705 02706 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02707 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02708 mbedtls_ssl_recv_flight_completed( ssl ); 02709 #endif 02710 02711 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02712 02713 return( 0 ); 02714 } 02715 02716 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 02717 { 02718 int ret; 02719 size_t i, n; 02720 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02721 02722 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02723 02724 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 02725 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 02726 { 02727 /* 02728 * DHM key exchange -- send G^X mod P 02729 */ 02730 n = ssl->handshake->dhm_ctx.len; 02731 02732 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02733 ssl->out_msg[5] = (unsigned char)( n ); 02734 i = 6; 02735 02736 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02737 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02738 &ssl->out_msg[i], n, 02739 ssl->conf->f_rng, ssl->conf->p_rng ); 02740 if( ret != 0 ) 02741 { 02742 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02743 return( ret ); 02744 } 02745 02746 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02747 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02748 02749 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 02750 ssl->handshake->premaster, 02751 MBEDTLS_PREMASTER_SIZE, 02752 &ssl->handshake->pmslen, 02753 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02754 { 02755 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 02756 return( ret ); 02757 } 02758 02759 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02760 } 02761 else 02762 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02763 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02764 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02765 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02766 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02767 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02768 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 02769 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02770 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02771 { 02772 /* 02773 * ECDH key exchange -- send client public value 02774 */ 02775 i = 4; 02776 02777 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 02778 &n, 02779 &ssl->out_msg[i], 1000, 02780 ssl->conf->f_rng, ssl->conf->p_rng ); 02781 if( ret != 0 ) 02782 { 02783 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02784 return( ret ); 02785 } 02786 02787 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02788 02789 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02790 &ssl->handshake->pmslen, 02791 ssl->handshake->premaster, 02792 MBEDTLS_MPI_MAX_SIZE, 02793 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02794 { 02795 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 02796 return( ret ); 02797 } 02798 02799 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02800 } 02801 else 02802 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02803 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02804 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02805 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02806 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02807 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02808 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02809 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02810 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02811 { 02812 /* 02813 * opaque psk_identity<0..2^16-1>; 02814 */ 02815 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 02816 { 02817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 02818 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02819 } 02820 02821 i = 4; 02822 n = ssl->conf->psk_identity_len; 02823 02824 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02825 { 02826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 02827 "SSL buffer too short" ) ); 02828 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02829 } 02830 02831 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02832 ssl->out_msg[i++] = (unsigned char)( n ); 02833 02834 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 02835 i += ssl->conf->psk_identity_len; 02836 02837 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 02838 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 02839 { 02840 n = 0; 02841 } 02842 else 02843 #endif 02844 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02845 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02846 { 02847 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02848 return( ret ); 02849 } 02850 else 02851 #endif 02852 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02853 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02854 { 02855 /* 02856 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02857 */ 02858 n = ssl->handshake->dhm_ctx.len; 02859 02860 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02861 { 02862 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 02863 " or SSL buffer too short" ) ); 02864 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02865 } 02866 02867 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02868 ssl->out_msg[i++] = (unsigned char)( n ); 02869 02870 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02871 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02872 &ssl->out_msg[i], n, 02873 ssl->conf->f_rng, ssl->conf->p_rng ); 02874 if( ret != 0 ) 02875 { 02876 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02877 return( ret ); 02878 } 02879 } 02880 else 02881 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02882 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02883 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02884 { 02885 /* 02886 * ClientECDiffieHellmanPublic public; 02887 */ 02888 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 02889 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, 02890 ssl->conf->f_rng, ssl->conf->p_rng ); 02891 if( ret != 0 ) 02892 { 02893 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02894 return( ret ); 02895 } 02896 02897 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02898 } 02899 else 02900 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02901 { 02902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02903 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02904 } 02905 02906 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 02907 ciphersuite_info->key_exchange ) ) != 0 ) 02908 { 02909 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 02910 return( ret ); 02911 } 02912 } 02913 else 02914 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02915 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02916 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02917 { 02918 i = 4; 02919 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 02920 return( ret ); 02921 } 02922 else 02923 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02924 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02925 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02926 { 02927 i = 4; 02928 02929 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02930 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, 02931 ssl->conf->f_rng, ssl->conf->p_rng ); 02932 if( ret != 0 ) 02933 { 02934 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02935 return( ret ); 02936 } 02937 02938 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 02939 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 02940 ssl->conf->f_rng, ssl->conf->p_rng ); 02941 if( ret != 0 ) 02942 { 02943 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 02944 return( ret ); 02945 } 02946 } 02947 else 02948 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02949 { 02950 ((void) ciphersuite_info); 02951 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02952 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02953 } 02954 02955 ssl->out_msglen = i + n; 02956 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02957 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 02958 02959 ssl->state++; 02960 02961 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02962 { 02963 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02964 return( ret ); 02965 } 02966 02967 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 02968 02969 return( 0 ); 02970 } 02971 02972 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02973 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02974 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02975 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02976 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 02977 { 02978 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02979 int ret; 02980 02981 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 02982 02983 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 02984 { 02985 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 02986 return( ret ); 02987 } 02988 02989 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02990 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02991 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02992 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02993 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02994 { 02995 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 02996 ssl->state++; 02997 return( 0 ); 02998 } 02999 03000 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03001 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03002 } 03003 #else 03004 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03005 { 03006 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03007 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03008 size_t n = 0, offset = 0; 03009 unsigned char hash[48]; 03010 unsigned char *hash_start = hash; 03011 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 03012 unsigned int hashlen; 03013 03014 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03015 03016 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03017 { 03018 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03019 return( ret ); 03020 } 03021 03022 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03023 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03024 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03025 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03026 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03027 { 03028 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03029 ssl->state++; 03030 return( 0 ); 03031 } 03032 03033 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 03034 { 03035 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03036 ssl->state++; 03037 return( 0 ); 03038 } 03039 03040 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03041 { 03042 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 03043 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03044 } 03045 03046 /* 03047 * Make an RSA signature of the handshake digests 03048 */ 03049 ssl->handshake->calc_verify( ssl, hash ); 03050 03051 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03052 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03053 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03054 { 03055 /* 03056 * digitally-signed struct { 03057 * opaque md5_hash[16]; 03058 * opaque sha_hash[20]; 03059 * }; 03060 * 03061 * md5_hash 03062 * MD5(handshake_messages); 03063 * 03064 * sha_hash 03065 * SHA(handshake_messages); 03066 */ 03067 hashlen = 36; 03068 md_alg = MBEDTLS_MD_NONE; 03069 03070 /* 03071 * For ECDSA, default hash is SHA-1 only 03072 */ 03073 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 03074 { 03075 hash_start += 16; 03076 hashlen -= 16; 03077 md_alg = MBEDTLS_MD_SHA1; 03078 } 03079 } 03080 else 03081 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03082 MBEDTLS_SSL_PROTO_TLS1_1 */ 03083 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03084 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03085 { 03086 /* 03087 * digitally-signed struct { 03088 * opaque handshake_messages[handshake_messages_length]; 03089 * }; 03090 * 03091 * Taking shortcut here. We assume that the server always allows the 03092 * PRF Hash function and has sent it in the allowed signature 03093 * algorithms list received in the Certificate Request message. 03094 * 03095 * Until we encounter a server that does not, we will take this 03096 * shortcut. 03097 * 03098 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 03099 * in order to satisfy 'weird' needs from the server side. 03100 */ 03101 if( ssl->transform_negotiate->ciphersuite_info->mac == 03102 MBEDTLS_MD_SHA384 ) 03103 { 03104 md_alg = MBEDTLS_MD_SHA384; 03105 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 03106 } 03107 else 03108 { 03109 md_alg = MBEDTLS_MD_SHA256; 03110 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 03111 } 03112 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 03113 03114 /* Info from md_alg will be used instead */ 03115 hashlen = 0; 03116 offset = 2; 03117 } 03118 else 03119 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03120 { 03121 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03122 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03123 } 03124 03125 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 03126 ssl->out_msg + 6 + offset, &n, 03127 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03128 { 03129 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03130 return( ret ); 03131 } 03132 03133 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 03134 ssl->out_msg[5 + offset] = (unsigned char)( n ); 03135 03136 ssl->out_msglen = 6 + n + offset; 03137 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03138 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 03139 03140 ssl->state++; 03141 03142 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03143 { 03144 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03145 return( ret ); 03146 } 03147 03148 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 03149 03150 return( ret ); 03151 } 03152 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03153 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03154 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ 03155 03156 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03157 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 03158 { 03159 int ret; 03160 uint32_t lifetime; 03161 size_t ticket_len; 03162 unsigned char *ticket; 03163 const unsigned char *msg; 03164 03165 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 03166 03167 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03168 { 03169 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03170 return( ret ); 03171 } 03172 03173 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03174 { 03175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03176 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03177 } 03178 03179 /* 03180 * struct { 03181 * uint32 ticket_lifetime_hint; 03182 * opaque ticket<0..2^16-1>; 03183 * } NewSessionTicket; 03184 * 03185 * 0 . 3 ticket_lifetime_hint 03186 * 4 . 5 ticket_len (n) 03187 * 6 . 5+n ticket content 03188 */ 03189 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 03190 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 03191 { 03192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03193 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03194 } 03195 03196 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03197 03198 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | 03199 ( msg[2] << 8 ) | ( msg[3] ); 03200 03201 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 03202 03203 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 03204 { 03205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03206 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03207 } 03208 03209 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 03210 03211 /* We're not waiting for a NewSessionTicket message any more */ 03212 ssl->handshake->new_session_ticket = 0; 03213 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 03214 03215 /* 03216 * Zero-length ticket means the server changed his mind and doesn't want 03217 * to send a ticket after all, so just forget it 03218 */ 03219 if( ticket_len == 0 ) 03220 return( 0 ); 03221 03222 mbedtls_zeroize( ssl->session_negotiate->ticket, 03223 ssl->session_negotiate->ticket_len ); 03224 mbedtls_free( ssl->session_negotiate->ticket ); 03225 ssl->session_negotiate->ticket = NULL; 03226 ssl->session_negotiate->ticket_len = 0; 03227 03228 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 03229 { 03230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 03231 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03232 } 03233 03234 memcpy( ticket, msg + 6, ticket_len ); 03235 03236 ssl->session_negotiate->ticket = ticket; 03237 ssl->session_negotiate->ticket_len = ticket_len; 03238 ssl->session_negotiate->ticket_lifetime = lifetime; 03239 03240 /* 03241 * RFC 5077 section 3.4: 03242 * "If the client receives a session ticket from the server, then it 03243 * discards any Session ID that was sent in the ServerHello." 03244 */ 03245 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 03246 ssl->session_negotiate->id_len = 0; 03247 03248 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 03249 03250 return( 0 ); 03251 } 03252 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03253 03254 /* 03255 * SSL handshake -- client side -- single step 03256 */ 03257 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 03258 { 03259 int ret = 0; 03260 03261 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03262 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03263 03264 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 03265 03266 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03267 return( ret ); 03268 03269 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03270 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03271 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03272 { 03273 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03274 return( ret ); 03275 } 03276 #endif 03277 03278 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 03279 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 03280 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03281 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 03282 ssl->handshake->new_session_ticket != 0 ) 03283 { 03284 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 03285 } 03286 #endif 03287 03288 switch( ssl->state ) 03289 { 03290 case MBEDTLS_SSL_HELLO_REQUEST: 03291 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03292 break; 03293 03294 /* 03295 * ==> ClientHello 03296 */ 03297 case MBEDTLS_SSL_CLIENT_HELLO: 03298 ret = ssl_write_client_hello( ssl ); 03299 break; 03300 03301 /* 03302 * <== ServerHello 03303 * Certificate 03304 * ( ServerKeyExchange ) 03305 * ( CertificateRequest ) 03306 * ServerHelloDone 03307 */ 03308 case MBEDTLS_SSL_SERVER_HELLO: 03309 ret = ssl_parse_server_hello( ssl ); 03310 break; 03311 03312 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03313 ret = mbedtls_ssl_parse_certificate( ssl ); 03314 break; 03315 03316 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03317 ret = ssl_parse_server_key_exchange( ssl ); 03318 break; 03319 03320 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03321 ret = ssl_parse_certificate_request( ssl ); 03322 break; 03323 03324 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03325 ret = ssl_parse_server_hello_done( ssl ); 03326 break; 03327 03328 /* 03329 * ==> ( Certificate/Alert ) 03330 * ClientKeyExchange 03331 * ( CertificateVerify ) 03332 * ChangeCipherSpec 03333 * Finished 03334 */ 03335 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03336 ret = mbedtls_ssl_write_certificate( ssl ); 03337 break; 03338 03339 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03340 ret = ssl_write_client_key_exchange( ssl ); 03341 break; 03342 03343 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03344 ret = ssl_write_certificate_verify( ssl ); 03345 break; 03346 03347 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03348 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 03349 break; 03350 03351 case MBEDTLS_SSL_CLIENT_FINISHED: 03352 ret = mbedtls_ssl_write_finished( ssl ); 03353 break; 03354 03355 /* 03356 * <== ( NewSessionTicket ) 03357 * ChangeCipherSpec 03358 * Finished 03359 */ 03360 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03361 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 03362 ret = ssl_parse_new_session_ticket( ssl ); 03363 break; 03364 #endif 03365 03366 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 03367 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 03368 break; 03369 03370 case MBEDTLS_SSL_SERVER_FINISHED: 03371 ret = mbedtls_ssl_parse_finished( ssl ); 03372 break; 03373 03374 case MBEDTLS_SSL_FLUSH_BUFFERS: 03375 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03376 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 03377 break; 03378 03379 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 03380 mbedtls_ssl_handshake_wrapup( ssl ); 03381 break; 03382 03383 default: 03384 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03385 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03386 } 03387 03388 return( ret ); 03389 } 03390 #endif /* MBEDTLS_SSL_CLI_C */
Generated on Tue Jul 12 2022 12:52:47 by 1.7.2