1 | /*
|
---|
2 | * SSLv3/TLSv1 server-side functions
|
---|
3 | *
|
---|
4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
---|
5 | * SPDX-License-Identifier: Apache-2.0
|
---|
6 | *
|
---|
7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may
|
---|
8 | * not use this file except in compliance with the License.
|
---|
9 | * You may obtain a copy of the License at
|
---|
10 | *
|
---|
11 | * http://www.apache.org/licenses/LICENSE-2.0
|
---|
12 | *
|
---|
13 | * Unless required by applicable law or agreed to in writing, software
|
---|
14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
---|
15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
---|
16 | * See the License for the specific language governing permissions and
|
---|
17 | * limitations under the License.
|
---|
18 | *
|
---|
19 | * This file is part of mbed TLS (https://tls.mbed.org)
|
---|
20 | */
|
---|
21 |
|
---|
22 | #if !defined(MBEDTLS_CONFIG_FILE)
|
---|
23 | #include "mbedtls/config.h"
|
---|
24 | #else
|
---|
25 | #include MBEDTLS_CONFIG_FILE
|
---|
26 | #endif
|
---|
27 |
|
---|
28 | #if defined(MBEDTLS_SSL_SRV_C)
|
---|
29 |
|
---|
30 | #if defined(MBEDTLS_PLATFORM_C)
|
---|
31 | #include "mbedtls/platform.h"
|
---|
32 | #else
|
---|
33 | #include <stdlib.h>
|
---|
34 | #define mbedtls_calloc calloc
|
---|
35 | #define mbedtls_free free
|
---|
36 | #endif
|
---|
37 |
|
---|
38 | #include "mbedtls/debug.h"
|
---|
39 | #include "mbedtls/ssl.h"
|
---|
40 | #include "mbedtls/ssl_internal.h"
|
---|
41 | #include "mbedtls/platform_util.h"
|
---|
42 |
|
---|
43 | #include <string.h>
|
---|
44 |
|
---|
45 | #if defined(MBEDTLS_ECP_C)
|
---|
46 | #include "mbedtls/ecp.h"
|
---|
47 | #endif
|
---|
48 |
|
---|
49 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
50 | #include "mbedtls/platform_time.h"
|
---|
51 | #endif
|
---|
52 |
|
---|
53 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
|
---|
54 | int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
|
---|
55 | const unsigned char *info,
|
---|
56 | size_t ilen )
|
---|
57 | {
|
---|
58 | if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
|
---|
59 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
---|
60 |
|
---|
61 | mbedtls_free( ssl->cli_id );
|
---|
62 |
|
---|
63 | if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
|
---|
64 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
---|
65 |
|
---|
66 | memcpy( ssl->cli_id, info, ilen );
|
---|
67 | ssl->cli_id_len = ilen;
|
---|
68 |
|
---|
69 | return( 0 );
|
---|
70 | }
|
---|
71 |
|
---|
72 | void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
|
---|
73 | mbedtls_ssl_cookie_write_t *f_cookie_write,
|
---|
74 | mbedtls_ssl_cookie_check_t *f_cookie_check,
|
---|
75 | void *p_cookie )
|
---|
76 | {
|
---|
77 | conf->f_cookie_write = f_cookie_write;
|
---|
78 | conf->f_cookie_check = f_cookie_check;
|
---|
79 | conf->p_cookie = p_cookie;
|
---|
80 | }
|
---|
81 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
|
---|
82 |
|
---|
83 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
---|
84 | static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
|
---|
85 | const unsigned char *buf,
|
---|
86 | size_t len )
|
---|
87 | {
|
---|
88 | int ret;
|
---|
89 | size_t servername_list_size, hostname_len;
|
---|
90 | const unsigned char *p;
|
---|
91 |
|
---|
92 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
|
---|
93 |
|
---|
94 | if( len < 2 )
|
---|
95 | {
|
---|
96 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
97 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
98 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
99 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
100 | }
|
---|
101 | servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
---|
102 | if( servername_list_size + 2 != len )
|
---|
103 | {
|
---|
104 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
105 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
106 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
107 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
108 | }
|
---|
109 |
|
---|
110 | p = buf + 2;
|
---|
111 | while( servername_list_size > 2 )
|
---|
112 | {
|
---|
113 | hostname_len = ( ( p[1] << 8 ) | p[2] );
|
---|
114 | if( hostname_len + 3 > servername_list_size )
|
---|
115 | {
|
---|
116 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
117 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
118 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
119 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
120 | }
|
---|
121 |
|
---|
122 | if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
|
---|
123 | {
|
---|
124 | ret = ssl->conf->f_sni( ssl->conf->p_sni,
|
---|
125 | ssl, p + 3, hostname_len );
|
---|
126 | if( ret != 0 )
|
---|
127 | {
|
---|
128 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
|
---|
129 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
130 | MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
|
---|
131 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
132 | }
|
---|
133 | return( 0 );
|
---|
134 | }
|
---|
135 |
|
---|
136 | servername_list_size -= hostname_len + 3;
|
---|
137 | p += hostname_len + 3;
|
---|
138 | }
|
---|
139 |
|
---|
140 | if( servername_list_size != 0 )
|
---|
141 | {
|
---|
142 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
143 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
144 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
---|
145 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
146 | }
|
---|
147 |
|
---|
148 | return( 0 );
|
---|
149 | }
|
---|
150 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
|
---|
151 |
|
---|
152 | static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
|
---|
153 | const unsigned char *buf,
|
---|
154 | size_t len )
|
---|
155 | {
|
---|
156 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
157 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
158 | {
|
---|
159 | /* Check verify-data in constant-time. The length OTOH is no secret */
|
---|
160 | if( len != 1 + ssl->verify_data_len ||
|
---|
161 | buf[0] != ssl->verify_data_len ||
|
---|
162 | mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
|
---|
163 | ssl->verify_data_len ) != 0 )
|
---|
164 | {
|
---|
165 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
|
---|
166 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
167 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
168 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
169 | }
|
---|
170 | }
|
---|
171 | else
|
---|
172 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
173 | {
|
---|
174 | if( len != 1 || buf[0] != 0x0 )
|
---|
175 | {
|
---|
176 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
|
---|
177 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
178 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
179 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
180 | }
|
---|
181 |
|
---|
182 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
|
---|
183 | }
|
---|
184 |
|
---|
185 | return( 0 );
|
---|
186 | }
|
---|
187 |
|
---|
188 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
189 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
190 |
|
---|
191 | /*
|
---|
192 | * Status of the implementation of signature-algorithms extension:
|
---|
193 | *
|
---|
194 | * Currently, we are only considering the signature-algorithm extension
|
---|
195 | * to pick a ciphersuite which allows us to send the ServerKeyExchange
|
---|
196 | * message with a signature-hash combination that the user allows.
|
---|
197 | *
|
---|
198 | * We do *not* check whether all certificates in our certificate
|
---|
199 | * chain are signed with an allowed signature-hash pair.
|
---|
200 | * This needs to be done at a later stage.
|
---|
201 | *
|
---|
202 | */
|
---|
203 | static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
|
---|
204 | const unsigned char *buf,
|
---|
205 | size_t len )
|
---|
206 | {
|
---|
207 | size_t sig_alg_list_size;
|
---|
208 |
|
---|
209 | const unsigned char *p;
|
---|
210 | const unsigned char *end = buf + len;
|
---|
211 |
|
---|
212 | mbedtls_md_type_t md_cur;
|
---|
213 | mbedtls_pk_type_t sig_cur;
|
---|
214 |
|
---|
215 | if ( len < 2 ) {
|
---|
216 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
217 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
218 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
219 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
220 | }
|
---|
221 | sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
---|
222 | if( sig_alg_list_size + 2 != len ||
|
---|
223 | sig_alg_list_size % 2 != 0 )
|
---|
224 | {
|
---|
225 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
226 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
227 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
228 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
229 | }
|
---|
230 |
|
---|
231 | /* Currently we only guarantee signing the ServerKeyExchange message according
|
---|
232 | * to the constraints specified in this extension (see above), so it suffices
|
---|
233 | * to remember only one suitable hash for each possible signature algorithm.
|
---|
234 | *
|
---|
235 | * This will change when we also consider certificate signatures,
|
---|
236 | * in which case we will need to remember the whole signature-hash
|
---|
237 | * pair list from the extension.
|
---|
238 | */
|
---|
239 |
|
---|
240 | for( p = buf + 2; p < end; p += 2 )
|
---|
241 | {
|
---|
242 | /* Silently ignore unknown signature or hash algorithms. */
|
---|
243 |
|
---|
244 | if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
|
---|
245 | {
|
---|
246 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
|
---|
247 | " unknown sig alg encoding %d", p[1] ) );
|
---|
248 | continue;
|
---|
249 | }
|
---|
250 |
|
---|
251 | /* Check if we support the hash the user proposes */
|
---|
252 | md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
|
---|
253 | if( md_cur == MBEDTLS_MD_NONE )
|
---|
254 | {
|
---|
255 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
|
---|
256 | " unknown hash alg encoding %d", p[0] ) );
|
---|
257 | continue;
|
---|
258 | }
|
---|
259 |
|
---|
260 | if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
|
---|
261 | {
|
---|
262 | mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
|
---|
263 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
|
---|
264 | " match sig %d and hash %d",
|
---|
265 | sig_cur, md_cur ) );
|
---|
266 | }
|
---|
267 | else
|
---|
268 | {
|
---|
269 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
|
---|
270 | "hash alg %d not supported", md_cur ) );
|
---|
271 | }
|
---|
272 | }
|
---|
273 |
|
---|
274 | return( 0 );
|
---|
275 | }
|
---|
276 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
---|
277 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
---|
278 |
|
---|
279 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
---|
280 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
281 | static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
|
---|
282 | const unsigned char *buf,
|
---|
283 | size_t len )
|
---|
284 | {
|
---|
285 | size_t list_size, our_size;
|
---|
286 | const unsigned char *p;
|
---|
287 | const mbedtls_ecp_curve_info *curve_info, **curves;
|
---|
288 |
|
---|
289 | if ( len < 2 ) {
|
---|
290 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
291 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
292 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
293 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
294 | }
|
---|
295 | list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
---|
296 | if( list_size + 2 != len ||
|
---|
297 | list_size % 2 != 0 )
|
---|
298 | {
|
---|
299 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
300 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
301 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
302 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
303 | }
|
---|
304 |
|
---|
305 | /* Should never happen unless client duplicates the extension */
|
---|
306 | if( ssl->handshake->curves != NULL )
|
---|
307 | {
|
---|
308 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
309 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
310 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
311 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
312 | }
|
---|
313 |
|
---|
314 | /* Don't allow our peer to make us allocate too much memory,
|
---|
315 | * and leave room for a final 0 */
|
---|
316 | our_size = list_size / 2 + 1;
|
---|
317 | if( our_size > MBEDTLS_ECP_DP_MAX )
|
---|
318 | our_size = MBEDTLS_ECP_DP_MAX;
|
---|
319 |
|
---|
320 | if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
|
---|
321 | {
|
---|
322 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
323 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
|
---|
324 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
---|
325 | }
|
---|
326 |
|
---|
327 | ssl->handshake->curves = curves;
|
---|
328 |
|
---|
329 | p = buf + 2;
|
---|
330 | while( list_size > 0 && our_size > 1 )
|
---|
331 | {
|
---|
332 | curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
|
---|
333 |
|
---|
334 | if( curve_info != NULL )
|
---|
335 | {
|
---|
336 | *curves++ = curve_info;
|
---|
337 | our_size--;
|
---|
338 | }
|
---|
339 |
|
---|
340 | list_size -= 2;
|
---|
341 | p += 2;
|
---|
342 | }
|
---|
343 |
|
---|
344 | return( 0 );
|
---|
345 | }
|
---|
346 |
|
---|
347 | static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
|
---|
348 | const unsigned char *buf,
|
---|
349 | size_t len )
|
---|
350 | {
|
---|
351 | size_t list_size;
|
---|
352 | const unsigned char *p;
|
---|
353 |
|
---|
354 | if( len == 0 || (size_t)( buf[0] + 1 ) != len )
|
---|
355 | {
|
---|
356 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
357 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
358 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
359 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
360 | }
|
---|
361 | list_size = buf[0];
|
---|
362 |
|
---|
363 | p = buf + 1;
|
---|
364 | while( list_size > 0 )
|
---|
365 | {
|
---|
366 | if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
|
---|
367 | p[0] == MBEDTLS_ECP_PF_COMPRESSED )
|
---|
368 | {
|
---|
369 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
|
---|
370 | ssl->handshake->ecdh_ctx.point_format = p[0];
|
---|
371 | #endif
|
---|
372 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
373 | ssl->handshake->ecjpake_ctx.point_format = p[0];
|
---|
374 | #endif
|
---|
375 | MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
|
---|
376 | return( 0 );
|
---|
377 | }
|
---|
378 |
|
---|
379 | list_size--;
|
---|
380 | p++;
|
---|
381 | }
|
---|
382 |
|
---|
383 | return( 0 );
|
---|
384 | }
|
---|
385 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
|
---|
386 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
387 |
|
---|
388 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
389 | static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
|
---|
390 | const unsigned char *buf,
|
---|
391 | size_t len )
|
---|
392 | {
|
---|
393 | int ret;
|
---|
394 |
|
---|
395 | if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
|
---|
396 | {
|
---|
397 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
|
---|
398 | return( 0 );
|
---|
399 | }
|
---|
400 |
|
---|
401 | if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
|
---|
402 | buf, len ) ) != 0 )
|
---|
403 | {
|
---|
404 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
|
---|
405 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
406 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
---|
407 | return( ret );
|
---|
408 | }
|
---|
409 |
|
---|
410 | /* Only mark the extension as OK when we're sure it is */
|
---|
411 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
|
---|
412 |
|
---|
413 | return( 0 );
|
---|
414 | }
|
---|
415 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
416 |
|
---|
417 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
---|
418 | static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
|
---|
419 | const unsigned char *buf,
|
---|
420 | size_t len )
|
---|
421 | {
|
---|
422 | if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
|
---|
423 | {
|
---|
424 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
425 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
426 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
---|
427 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
428 | }
|
---|
429 |
|
---|
430 | ssl->session_negotiate->mfl_code = buf[0];
|
---|
431 |
|
---|
432 | return( 0 );
|
---|
433 | }
|
---|
434 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
---|
435 |
|
---|
436 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
---|
437 | static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
---|
438 | const unsigned char *buf,
|
---|
439 | size_t len )
|
---|
440 | {
|
---|
441 | if( len != 0 )
|
---|
442 | {
|
---|
443 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
444 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
445 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
446 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
447 | }
|
---|
448 |
|
---|
449 | ((void) buf);
|
---|
450 |
|
---|
451 | if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
|
---|
452 | ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
|
---|
453 |
|
---|
454 | return( 0 );
|
---|
455 | }
|
---|
456 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
---|
457 |
|
---|
458 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
---|
459 | static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
---|
460 | const unsigned char *buf,
|
---|
461 | size_t len )
|
---|
462 | {
|
---|
463 | if( len != 0 )
|
---|
464 | {
|
---|
465 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
466 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
467 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
468 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
469 | }
|
---|
470 |
|
---|
471 | ((void) buf);
|
---|
472 |
|
---|
473 | if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
|
---|
474 | ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
---|
475 | {
|
---|
476 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
|
---|
477 | }
|
---|
478 |
|
---|
479 | return( 0 );
|
---|
480 | }
|
---|
481 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
|
---|
482 |
|
---|
483 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
---|
484 | static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
|
---|
485 | const unsigned char *buf,
|
---|
486 | size_t len )
|
---|
487 | {
|
---|
488 | if( len != 0 )
|
---|
489 | {
|
---|
490 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
491 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
492 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
493 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
494 | }
|
---|
495 |
|
---|
496 | ((void) buf);
|
---|
497 |
|
---|
498 | if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
---|
499 | ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
---|
500 | {
|
---|
501 | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
---|
502 | }
|
---|
503 |
|
---|
504 | return( 0 );
|
---|
505 | }
|
---|
506 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
---|
507 |
|
---|
508 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
509 | static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
|
---|
510 | unsigned char *buf,
|
---|
511 | size_t len )
|
---|
512 | {
|
---|
513 | int ret;
|
---|
514 | mbedtls_ssl_session session;
|
---|
515 |
|
---|
516 | mbedtls_ssl_session_init( &session );
|
---|
517 |
|
---|
518 | if( ssl->conf->f_ticket_parse == NULL ||
|
---|
519 | ssl->conf->f_ticket_write == NULL )
|
---|
520 | {
|
---|
521 | return( 0 );
|
---|
522 | }
|
---|
523 |
|
---|
524 | /* Remember the client asked us to send a new ticket */
|
---|
525 | ssl->handshake->new_session_ticket = 1;
|
---|
526 |
|
---|
527 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
|
---|
528 |
|
---|
529 | if( len == 0 )
|
---|
530 | return( 0 );
|
---|
531 |
|
---|
532 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
533 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
534 | {
|
---|
535 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
|
---|
536 | return( 0 );
|
---|
537 | }
|
---|
538 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
539 |
|
---|
540 | /*
|
---|
541 | * Failures are ok: just ignore the ticket and proceed.
|
---|
542 | */
|
---|
543 | if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
|
---|
544 | buf, len ) ) != 0 )
|
---|
545 | {
|
---|
546 | mbedtls_ssl_session_free( &session );
|
---|
547 |
|
---|
548 | if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
|
---|
549 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
|
---|
550 | else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
|
---|
551 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
|
---|
552 | else
|
---|
553 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
|
---|
554 |
|
---|
555 | return( 0 );
|
---|
556 | }
|
---|
557 |
|
---|
558 | /*
|
---|
559 | * Keep the session ID sent by the client, since we MUST send it back to
|
---|
560 | * inform them we're accepting the ticket (RFC 5077 section 3.4)
|
---|
561 | */
|
---|
562 | session.id_len = ssl->session_negotiate->id_len;
|
---|
563 | memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
|
---|
564 |
|
---|
565 | mbedtls_ssl_session_free( ssl->session_negotiate );
|
---|
566 | memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
|
---|
567 |
|
---|
568 | /* Zeroize instead of free as we copied the content */
|
---|
569 | mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) );
|
---|
570 |
|
---|
571 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
|
---|
572 |
|
---|
573 | ssl->handshake->resume = 1;
|
---|
574 |
|
---|
575 | /* Don't send a new ticket after all, this one is OK */
|
---|
576 | ssl->handshake->new_session_ticket = 0;
|
---|
577 |
|
---|
578 | return( 0 );
|
---|
579 | }
|
---|
580 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
581 |
|
---|
582 | #if defined(MBEDTLS_SSL_ALPN)
|
---|
583 | static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
|
---|
584 | const unsigned char *buf, size_t len )
|
---|
585 | {
|
---|
586 | size_t list_len, cur_len, ours_len;
|
---|
587 | const unsigned char *theirs, *start, *end;
|
---|
588 | const char **ours;
|
---|
589 |
|
---|
590 | /* If ALPN not configured, just ignore the extension */
|
---|
591 | if( ssl->conf->alpn_list == NULL )
|
---|
592 | return( 0 );
|
---|
593 |
|
---|
594 | /*
|
---|
595 | * opaque ProtocolName<1..2^8-1>;
|
---|
596 | *
|
---|
597 | * struct {
|
---|
598 | * ProtocolName protocol_name_list<2..2^16-1>
|
---|
599 | * } ProtocolNameList;
|
---|
600 | */
|
---|
601 |
|
---|
602 | /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
|
---|
603 | if( len < 4 )
|
---|
604 | {
|
---|
605 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
606 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
607 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
608 | }
|
---|
609 |
|
---|
610 | list_len = ( buf[0] << 8 ) | buf[1];
|
---|
611 | if( list_len != len - 2 )
|
---|
612 | {
|
---|
613 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
614 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
615 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
616 | }
|
---|
617 |
|
---|
618 | /*
|
---|
619 | * Validate peer's list (lengths)
|
---|
620 | */
|
---|
621 | start = buf + 2;
|
---|
622 | end = buf + len;
|
---|
623 | for( theirs = start; theirs != end; theirs += cur_len )
|
---|
624 | {
|
---|
625 | cur_len = *theirs++;
|
---|
626 |
|
---|
627 | /* Current identifier must fit in list */
|
---|
628 | if( cur_len > (size_t)( end - theirs ) )
|
---|
629 | {
|
---|
630 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
631 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
632 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
633 | }
|
---|
634 |
|
---|
635 | /* Empty strings MUST NOT be included */
|
---|
636 | if( cur_len == 0 )
|
---|
637 | {
|
---|
638 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
639 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
---|
640 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
641 | }
|
---|
642 | }
|
---|
643 |
|
---|
644 | /*
|
---|
645 | * Use our order of preference
|
---|
646 | */
|
---|
647 | for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
|
---|
648 | {
|
---|
649 | ours_len = strlen( *ours );
|
---|
650 | for( theirs = start; theirs != end; theirs += cur_len )
|
---|
651 | {
|
---|
652 | cur_len = *theirs++;
|
---|
653 |
|
---|
654 | if( cur_len == ours_len &&
|
---|
655 | memcmp( theirs, *ours, cur_len ) == 0 )
|
---|
656 | {
|
---|
657 | ssl->alpn_chosen = *ours;
|
---|
658 | return( 0 );
|
---|
659 | }
|
---|
660 | }
|
---|
661 | }
|
---|
662 |
|
---|
663 | /* If we get there, no match was found */
|
---|
664 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
665 | MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
|
---|
666 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
667 | }
|
---|
668 | #endif /* MBEDTLS_SSL_ALPN */
|
---|
669 |
|
---|
670 | /*
|
---|
671 | * Auxiliary functions for ServerHello parsing and related actions
|
---|
672 | */
|
---|
673 |
|
---|
674 | #if defined(MBEDTLS_X509_CRT_PARSE_C)
|
---|
675 | /*
|
---|
676 | * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
|
---|
677 | */
|
---|
678 | #if defined(MBEDTLS_ECDSA_C)
|
---|
679 | static int ssl_check_key_curve( mbedtls_pk_context *pk,
|
---|
680 | const mbedtls_ecp_curve_info **curves )
|
---|
681 | {
|
---|
682 | const mbedtls_ecp_curve_info **crv = curves;
|
---|
683 | mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
|
---|
684 |
|
---|
685 | while( *crv != NULL )
|
---|
686 | {
|
---|
687 | if( (*crv)->grp_id == grp_id )
|
---|
688 | return( 0 );
|
---|
689 | crv++;
|
---|
690 | }
|
---|
691 |
|
---|
692 | return( -1 );
|
---|
693 | }
|
---|
694 | #endif /* MBEDTLS_ECDSA_C */
|
---|
695 |
|
---|
696 | /*
|
---|
697 | * Try picking a certificate for this ciphersuite,
|
---|
698 | * return 0 on success and -1 on failure.
|
---|
699 | */
|
---|
700 | static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
---|
701 | const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
|
---|
702 | {
|
---|
703 | mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
|
---|
704 | mbedtls_pk_type_t pk_alg =
|
---|
705 | mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
---|
706 | uint32_t flags;
|
---|
707 |
|
---|
708 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
---|
709 | if( ssl->handshake->sni_key_cert != NULL )
|
---|
710 | list = ssl->handshake->sni_key_cert;
|
---|
711 | else
|
---|
712 | #endif
|
---|
713 | list = ssl->conf->key_cert;
|
---|
714 |
|
---|
715 | if( pk_alg == MBEDTLS_PK_NONE )
|
---|
716 | return( 0 );
|
---|
717 |
|
---|
718 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
|
---|
719 |
|
---|
720 | if( list == NULL )
|
---|
721 | {
|
---|
722 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
|
---|
723 | return( -1 );
|
---|
724 | }
|
---|
725 |
|
---|
726 | for( cur = list; cur != NULL; cur = cur->next )
|
---|
727 | {
|
---|
728 | MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
|
---|
729 | cur->cert );
|
---|
730 |
|
---|
731 | if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
|
---|
732 | {
|
---|
733 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
|
---|
734 | continue;
|
---|
735 | }
|
---|
736 |
|
---|
737 | /*
|
---|
738 | * This avoids sending the client a cert it'll reject based on
|
---|
739 | * keyUsage or other extensions.
|
---|
740 | *
|
---|
741 | * It also allows the user to provision different certificates for
|
---|
742 | * different uses based on keyUsage, eg if they want to avoid signing
|
---|
743 | * and decrypting with the same RSA key.
|
---|
744 | */
|
---|
745 | if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
|
---|
746 | MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
|
---|
747 | {
|
---|
748 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
|
---|
749 | "(extended) key usage extension" ) );
|
---|
750 | continue;
|
---|
751 | }
|
---|
752 |
|
---|
753 | #if defined(MBEDTLS_ECDSA_C)
|
---|
754 | if( pk_alg == MBEDTLS_PK_ECDSA &&
|
---|
755 | ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
|
---|
756 | {
|
---|
757 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
|
---|
758 | continue;
|
---|
759 | }
|
---|
760 | #endif
|
---|
761 |
|
---|
762 | /*
|
---|
763 | * Try to select a SHA-1 certificate for pre-1.2 clients, but still
|
---|
764 | * present them a SHA-higher cert rather than failing if it's the only
|
---|
765 | * one we got that satisfies the other conditions.
|
---|
766 | */
|
---|
767 | if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
|
---|
768 | cur->cert->sig_md != MBEDTLS_MD_SHA1 )
|
---|
769 | {
|
---|
770 | if( fallback == NULL )
|
---|
771 | fallback = cur;
|
---|
772 | {
|
---|
773 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
|
---|
774 | "sha-2 with pre-TLS 1.2 client" ) );
|
---|
775 | continue;
|
---|
776 | }
|
---|
777 | }
|
---|
778 |
|
---|
779 | /* If we get there, we got a winner */
|
---|
780 | break;
|
---|
781 | }
|
---|
782 |
|
---|
783 | if( cur == NULL )
|
---|
784 | cur = fallback;
|
---|
785 |
|
---|
786 | /* Do not update ssl->handshake->key_cert unless there is a match */
|
---|
787 | if( cur != NULL )
|
---|
788 | {
|
---|
789 | ssl->handshake->key_cert = cur;
|
---|
790 | MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
|
---|
791 | ssl->handshake->key_cert->cert );
|
---|
792 | return( 0 );
|
---|
793 | }
|
---|
794 |
|
---|
795 | return( -1 );
|
---|
796 | }
|
---|
797 | #endif /* MBEDTLS_X509_CRT_PARSE_C */
|
---|
798 |
|
---|
799 | /*
|
---|
800 | * Check if a given ciphersuite is suitable for use with our config/keys/etc
|
---|
801 | * Sets ciphersuite_info only if the suite matches.
|
---|
802 | */
|
---|
803 | static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
|
---|
804 | const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
|
---|
805 | {
|
---|
806 | const mbedtls_ssl_ciphersuite_t *suite_info;
|
---|
807 |
|
---|
808 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
809 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
810 | mbedtls_pk_type_t sig_type;
|
---|
811 | #endif
|
---|
812 |
|
---|
813 | suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
|
---|
814 | if( suite_info == NULL )
|
---|
815 | {
|
---|
816 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
817 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
818 | }
|
---|
819 |
|
---|
820 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
|
---|
821 |
|
---|
822 | if( suite_info->min_minor_ver > ssl->minor_ver ||
|
---|
823 | suite_info->max_minor_ver < ssl->minor_ver )
|
---|
824 | {
|
---|
825 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
|
---|
826 | return( 0 );
|
---|
827 | }
|
---|
828 |
|
---|
829 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
830 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
---|
831 | ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
|
---|
832 | return( 0 );
|
---|
833 | #endif
|
---|
834 |
|
---|
835 | #if defined(MBEDTLS_ARC4_C)
|
---|
836 | if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
|
---|
837 | suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
---|
838 | {
|
---|
839 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
|
---|
840 | return( 0 );
|
---|
841 | }
|
---|
842 | #endif
|
---|
843 |
|
---|
844 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
845 | if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
---|
846 | ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
|
---|
847 | {
|
---|
848 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
|
---|
849 | "not configured or ext missing" ) );
|
---|
850 | return( 0 );
|
---|
851 | }
|
---|
852 | #endif
|
---|
853 |
|
---|
854 |
|
---|
855 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
|
---|
856 | if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
|
---|
857 | ( ssl->handshake->curves == NULL ||
|
---|
858 | ssl->handshake->curves[0] == NULL ) )
|
---|
859 | {
|
---|
860 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
|
---|
861 | "no common elliptic curve" ) );
|
---|
862 | return( 0 );
|
---|
863 | }
|
---|
864 | #endif
|
---|
865 |
|
---|
866 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
---|
867 | /* If the ciphersuite requires a pre-shared key and we don't
|
---|
868 | * have one, skip it now rather than failing later */
|
---|
869 | if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
|
---|
870 | ssl->conf->f_psk == NULL &&
|
---|
871 | ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
|
---|
872 | ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
|
---|
873 | {
|
---|
874 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
|
---|
875 | return( 0 );
|
---|
876 | }
|
---|
877 | #endif
|
---|
878 |
|
---|
879 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
880 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
881 | /* If the ciphersuite requires signing, check whether
|
---|
882 | * a suitable hash algorithm is present. */
|
---|
883 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
884 | {
|
---|
885 | sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
|
---|
886 | if( sig_type != MBEDTLS_PK_NONE &&
|
---|
887 | mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
|
---|
888 | {
|
---|
889 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
|
---|
890 | "for signature algorithm %d", sig_type ) );
|
---|
891 | return( 0 );
|
---|
892 | }
|
---|
893 | }
|
---|
894 |
|
---|
895 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
---|
896 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
---|
897 |
|
---|
898 | #if defined(MBEDTLS_X509_CRT_PARSE_C)
|
---|
899 | /*
|
---|
900 | * Final check: if ciphersuite requires us to have a
|
---|
901 | * certificate/key of a particular type:
|
---|
902 | * - select the appropriate certificate if we have one, or
|
---|
903 | * - try the next ciphersuite if we don't
|
---|
904 | * This must be done last since we modify the key_cert list.
|
---|
905 | */
|
---|
906 | if( ssl_pick_cert( ssl, suite_info ) != 0 )
|
---|
907 | {
|
---|
908 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
|
---|
909 | "no suitable certificate" ) );
|
---|
910 | return( 0 );
|
---|
911 | }
|
---|
912 | #endif
|
---|
913 |
|
---|
914 | *ciphersuite_info = suite_info;
|
---|
915 | return( 0 );
|
---|
916 | }
|
---|
917 |
|
---|
918 | #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
|
---|
919 | static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
---|
920 | {
|
---|
921 | int ret, got_common_suite;
|
---|
922 | unsigned int i, j;
|
---|
923 | size_t n;
|
---|
924 | unsigned int ciph_len, sess_len, chal_len;
|
---|
925 | unsigned char *buf, *p;
|
---|
926 | const int *ciphersuites;
|
---|
927 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
---|
928 |
|
---|
929 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
|
---|
930 |
|
---|
931 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
932 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
933 | {
|
---|
934 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
|
---|
935 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
936 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
937 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
938 | }
|
---|
939 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
940 |
|
---|
941 | buf = ssl->in_hdr;
|
---|
942 |
|
---|
943 | MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
|
---|
944 |
|
---|
945 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
|
---|
946 | buf[2] ) );
|
---|
947 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
|
---|
948 | ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
|
---|
949 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
|
---|
950 | buf[3], buf[4] ) );
|
---|
951 |
|
---|
952 | /*
|
---|
953 | * SSLv2 Client Hello
|
---|
954 | *
|
---|
955 | * Record layer:
|
---|
956 | * 0 . 1 message length
|
---|
957 | *
|
---|
958 | * SSL layer:
|
---|
959 | * 2 . 2 message type
|
---|
960 | * 3 . 4 protocol version
|
---|
961 | */
|
---|
962 | if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
|
---|
963 | buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
|
---|
964 | {
|
---|
965 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
966 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
967 | }
|
---|
968 |
|
---|
969 | n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
|
---|
970 |
|
---|
971 | if( n < 17 || n > 512 )
|
---|
972 | {
|
---|
973 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
974 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
975 | }
|
---|
976 |
|
---|
977 | ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
|
---|
978 | ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
|
---|
979 | ? buf[4] : ssl->conf->max_minor_ver;
|
---|
980 |
|
---|
981 | if( ssl->minor_ver < ssl->conf->min_minor_ver )
|
---|
982 | {
|
---|
983 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
|
---|
984 | " [%d:%d] < [%d:%d]",
|
---|
985 | ssl->major_ver, ssl->minor_ver,
|
---|
986 | ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
|
---|
987 |
|
---|
988 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
989 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
---|
990 | return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
|
---|
991 | }
|
---|
992 |
|
---|
993 | ssl->handshake->max_major_ver = buf[3];
|
---|
994 | ssl->handshake->max_minor_ver = buf[4];
|
---|
995 |
|
---|
996 | if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
|
---|
997 | {
|
---|
998 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
|
---|
999 | return( ret );
|
---|
1000 | }
|
---|
1001 |
|
---|
1002 | ssl->handshake->update_checksum( ssl, buf + 2, n );
|
---|
1003 |
|
---|
1004 | buf = ssl->in_msg;
|
---|
1005 | n = ssl->in_left - 5;
|
---|
1006 |
|
---|
1007 | /*
|
---|
1008 | * 0 . 1 ciphersuitelist length
|
---|
1009 | * 2 . 3 session id length
|
---|
1010 | * 4 . 5 challenge length
|
---|
1011 | * 6 . .. ciphersuitelist
|
---|
1012 | * .. . .. session id
|
---|
1013 | * .. . .. challenge
|
---|
1014 | */
|
---|
1015 | MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
|
---|
1016 |
|
---|
1017 | ciph_len = ( buf[0] << 8 ) | buf[1];
|
---|
1018 | sess_len = ( buf[2] << 8 ) | buf[3];
|
---|
1019 | chal_len = ( buf[4] << 8 ) | buf[5];
|
---|
1020 |
|
---|
1021 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
|
---|
1022 | ciph_len, sess_len, chal_len ) );
|
---|
1023 |
|
---|
1024 | /*
|
---|
1025 | * Make sure each parameter length is valid
|
---|
1026 | */
|
---|
1027 | if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
|
---|
1028 | {
|
---|
1029 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1030 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1031 | }
|
---|
1032 |
|
---|
1033 | if( sess_len > 32 )
|
---|
1034 | {
|
---|
1035 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1036 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1037 | }
|
---|
1038 |
|
---|
1039 | if( chal_len < 8 || chal_len > 32 )
|
---|
1040 | {
|
---|
1041 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1042 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1043 | }
|
---|
1044 |
|
---|
1045 | if( n != 6 + ciph_len + sess_len + chal_len )
|
---|
1046 | {
|
---|
1047 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1048 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1049 | }
|
---|
1050 |
|
---|
1051 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
|
---|
1052 | buf + 6, ciph_len );
|
---|
1053 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
|
---|
1054 | buf + 6 + ciph_len, sess_len );
|
---|
1055 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
|
---|
1056 | buf + 6 + ciph_len + sess_len, chal_len );
|
---|
1057 |
|
---|
1058 | p = buf + 6 + ciph_len;
|
---|
1059 | ssl->session_negotiate->id_len = sess_len;
|
---|
1060 | memset( ssl->session_negotiate->id, 0,
|
---|
1061 | sizeof( ssl->session_negotiate->id ) );
|
---|
1062 | memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
|
---|
1063 |
|
---|
1064 | p += sess_len;
|
---|
1065 | memset( ssl->handshake->randbytes, 0, 64 );
|
---|
1066 | memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
|
---|
1067 |
|
---|
1068 | /*
|
---|
1069 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
|
---|
1070 | */
|
---|
1071 | for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
|
---|
1072 | {
|
---|
1073 | if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
|
---|
1074 | {
|
---|
1075 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
|
---|
1076 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
1077 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
|
---|
1078 | {
|
---|
1079 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
|
---|
1080 | "during renegotiation" ) );
|
---|
1081 |
|
---|
1082 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1083 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
1084 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1085 | }
|
---|
1086 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
1087 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
|
---|
1088 | break;
|
---|
1089 | }
|
---|
1090 | }
|
---|
1091 |
|
---|
1092 | #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
|
---|
1093 | for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
|
---|
1094 | {
|
---|
1095 | if( p[0] == 0 &&
|
---|
1096 | p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
|
---|
1097 | p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
|
---|
1098 | {
|
---|
1099 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
|
---|
1100 |
|
---|
1101 | if( ssl->minor_ver < ssl->conf->max_minor_ver )
|
---|
1102 | {
|
---|
1103 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
---|
1104 |
|
---|
1105 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1106 | MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
|
---|
1107 |
|
---|
1108 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1109 | }
|
---|
1110 |
|
---|
1111 | break;
|
---|
1112 | }
|
---|
1113 | }
|
---|
1114 | #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
|
---|
1115 |
|
---|
1116 | got_common_suite = 0;
|
---|
1117 | ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
|
---|
1118 | ciphersuite_info = NULL;
|
---|
1119 | #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
---|
1120 | for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
|
---|
1121 | for( i = 0; ciphersuites[i] != 0; i++ )
|
---|
1122 | #else
|
---|
1123 | for( i = 0; ciphersuites[i] != 0; i++ )
|
---|
1124 | for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
|
---|
1125 | #endif
|
---|
1126 | {
|
---|
1127 | if( p[0] != 0 ||
|
---|
1128 | p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
|
---|
1129 | p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
|
---|
1130 | continue;
|
---|
1131 |
|
---|
1132 | got_common_suite = 1;
|
---|
1133 |
|
---|
1134 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
|
---|
1135 | &ciphersuite_info ) ) != 0 )
|
---|
1136 | return( ret );
|
---|
1137 |
|
---|
1138 | if( ciphersuite_info != NULL )
|
---|
1139 | goto have_ciphersuite_v2;
|
---|
1140 | }
|
---|
1141 |
|
---|
1142 | if( got_common_suite )
|
---|
1143 | {
|
---|
1144 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
|
---|
1145 | "but none of them usable" ) );
|
---|
1146 | return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
|
---|
1147 | }
|
---|
1148 | else
|
---|
1149 | {
|
---|
1150 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
|
---|
1151 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
|
---|
1152 | }
|
---|
1153 |
|
---|
1154 | have_ciphersuite_v2:
|
---|
1155 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
|
---|
1156 |
|
---|
1157 | ssl->session_negotiate->ciphersuite = ciphersuites[i];
|
---|
1158 | ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
|
---|
1159 |
|
---|
1160 | /*
|
---|
1161 | * SSLv2 Client Hello relevant renegotiation security checks
|
---|
1162 | */
|
---|
1163 | if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
---|
1164 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
|
---|
1165 | {
|
---|
1166 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
|
---|
1167 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1168 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
1169 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1170 | }
|
---|
1171 |
|
---|
1172 | ssl->in_left = 0;
|
---|
1173 | ssl->state++;
|
---|
1174 |
|
---|
1175 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
|
---|
1176 |
|
---|
1177 | return( 0 );
|
---|
1178 | }
|
---|
1179 | #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
|
---|
1180 |
|
---|
1181 | /* This function doesn't alert on errors that happen early during
|
---|
1182 | ClientHello parsing because they might indicate that the client is
|
---|
1183 | not talking SSL/TLS at all and would not understand our alert. */
|
---|
1184 | static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
|
---|
1185 | {
|
---|
1186 | int ret, got_common_suite;
|
---|
1187 | size_t i, j;
|
---|
1188 | size_t ciph_offset, comp_offset, ext_offset;
|
---|
1189 | size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
|
---|
1190 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
1191 | size_t cookie_offset, cookie_len;
|
---|
1192 | #endif
|
---|
1193 | unsigned char *buf, *p, *ext;
|
---|
1194 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
1195 | int renegotiation_info_seen = 0;
|
---|
1196 | #endif
|
---|
1197 | int handshake_failure = 0;
|
---|
1198 | const int *ciphersuites;
|
---|
1199 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
---|
1200 | int major, minor;
|
---|
1201 |
|
---|
1202 | /* If there is no signature-algorithm extension present,
|
---|
1203 | * we need to fall back to the default values for allowed
|
---|
1204 | * signature-hash pairs. */
|
---|
1205 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
1206 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
1207 | int sig_hash_alg_ext_present = 0;
|
---|
1208 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
---|
1209 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
---|
1210 |
|
---|
1211 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
|
---|
1212 |
|
---|
1213 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
|
---|
1214 | read_record_header:
|
---|
1215 | #endif
|
---|
1216 | /*
|
---|
1217 | * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
|
---|
1218 | * otherwise read it ourselves manually in order to support SSLv2
|
---|
1219 | * ClientHello, which doesn't use the same record layer format.
|
---|
1220 | */
|
---|
1221 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
1222 | if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
1223 | #endif
|
---|
1224 | {
|
---|
1225 | if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
|
---|
1226 | {
|
---|
1227 | /* No alert on a read error. */
|
---|
1228 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
|
---|
1229 | return( ret );
|
---|
1230 | }
|
---|
1231 | }
|
---|
1232 |
|
---|
1233 | buf = ssl->in_hdr;
|
---|
1234 |
|
---|
1235 | #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
|
---|
1236 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
1237 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
|
---|
1238 | #endif
|
---|
1239 | if( ( buf[0] & 0x80 ) != 0 )
|
---|
1240 | return( ssl_parse_client_hello_v2( ssl ) );
|
---|
1241 | #endif
|
---|
1242 |
|
---|
1243 | MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
|
---|
1244 |
|
---|
1245 | /*
|
---|
1246 | * SSLv3/TLS Client Hello
|
---|
1247 | *
|
---|
1248 | * Record layer:
|
---|
1249 | * 0 . 0 message type
|
---|
1250 | * 1 . 2 protocol version
|
---|
1251 | * 3 . 11 DTLS: epoch + record sequence number
|
---|
1252 | * 3 . 4 message length
|
---|
1253 | */
|
---|
1254 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
|
---|
1255 | buf[0] ) );
|
---|
1256 |
|
---|
1257 | if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
|
---|
1258 | {
|
---|
1259 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1260 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1261 | }
|
---|
1262 |
|
---|
1263 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
|
---|
1264 | ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
|
---|
1265 |
|
---|
1266 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
|
---|
1267 | buf[1], buf[2] ) );
|
---|
1268 |
|
---|
1269 | mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
|
---|
1270 |
|
---|
1271 | /* According to RFC 5246 Appendix E.1, the version here is typically
|
---|
1272 | * "{03,00}, the lowest version number supported by the client, [or] the
|
---|
1273 | * value of ClientHello.client_version", so the only meaningful check here
|
---|
1274 | * is the major version shouldn't be less than 3 */
|
---|
1275 | if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
|
---|
1276 | {
|
---|
1277 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1278 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1279 | }
|
---|
1280 |
|
---|
1281 | /* For DTLS if this is the initial handshake, remember the client sequence
|
---|
1282 | * number to use it in our next message (RFC 6347 4.2.1) */
|
---|
1283 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
1284 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
|
---|
1285 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
1286 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
|
---|
1287 | #endif
|
---|
1288 | )
|
---|
1289 | {
|
---|
1290 | /* Epoch should be 0 for initial handshakes */
|
---|
1291 | if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
|
---|
1292 | {
|
---|
1293 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1294 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1295 | }
|
---|
1296 |
|
---|
1297 | memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 );
|
---|
1298 |
|
---|
1299 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
|
---|
1300 | if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
|
---|
1301 | {
|
---|
1302 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
|
---|
1303 | ssl->next_record_offset = 0;
|
---|
1304 | ssl->in_left = 0;
|
---|
1305 | goto read_record_header;
|
---|
1306 | }
|
---|
1307 |
|
---|
1308 | /* No MAC to check yet, so we can update right now */
|
---|
1309 | mbedtls_ssl_dtls_replay_update( ssl );
|
---|
1310 | #endif
|
---|
1311 | }
|
---|
1312 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
1313 |
|
---|
1314 | msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
|
---|
1315 |
|
---|
1316 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
1317 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
1318 | {
|
---|
1319 | /* Set by mbedtls_ssl_read_record() */
|
---|
1320 | msg_len = ssl->in_hslen;
|
---|
1321 | }
|
---|
1322 | else
|
---|
1323 | #endif
|
---|
1324 | {
|
---|
1325 | if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
|
---|
1326 | {
|
---|
1327 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1328 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1329 | }
|
---|
1330 |
|
---|
1331 | if( ( ret = mbedtls_ssl_fetch_input( ssl,
|
---|
1332 | mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
|
---|
1333 | {
|
---|
1334 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
|
---|
1335 | return( ret );
|
---|
1336 | }
|
---|
1337 |
|
---|
1338 | /* Done reading this record, get ready for the next one */
|
---|
1339 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
1340 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
1341 | ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
|
---|
1342 | else
|
---|
1343 | #endif
|
---|
1344 | ssl->in_left = 0;
|
---|
1345 | }
|
---|
1346 |
|
---|
1347 | buf = ssl->in_msg;
|
---|
1348 |
|
---|
1349 | MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
|
---|
1350 |
|
---|
1351 | ssl->handshake->update_checksum( ssl, buf, msg_len );
|
---|
1352 |
|
---|
1353 | /*
|
---|
1354 | * Handshake layer:
|
---|
1355 | * 0 . 0 handshake type
|
---|
1356 | * 1 . 3 handshake length
|
---|
1357 | * 4 . 5 DTLS only: message seqence number
|
---|
1358 | * 6 . 8 DTLS only: fragment offset
|
---|
1359 | * 9 . 11 DTLS only: fragment length
|
---|
1360 | */
|
---|
1361 | if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
|
---|
1362 | {
|
---|
1363 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1364 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1365 | }
|
---|
1366 |
|
---|
1367 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
|
---|
1368 |
|
---|
1369 | if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
|
---|
1370 | {
|
---|
1371 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1372 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1373 | }
|
---|
1374 |
|
---|
1375 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
|
---|
1376 | ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
|
---|
1377 |
|
---|
1378 | /* We don't support fragmentation of ClientHello (yet?) */
|
---|
1379 | if( buf[1] != 0 ||
|
---|
1380 | msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
|
---|
1381 | {
|
---|
1382 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1383 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1384 | }
|
---|
1385 |
|
---|
1386 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
1387 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
1388 | {
|
---|
1389 | /*
|
---|
1390 | * Copy the client's handshake message_seq on initial handshakes,
|
---|
1391 | * check sequence number on renego.
|
---|
1392 | */
|
---|
1393 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
1394 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
|
---|
1395 | {
|
---|
1396 | /* This couldn't be done in ssl_prepare_handshake_record() */
|
---|
1397 | unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
|
---|
1398 | ssl->in_msg[5];
|
---|
1399 |
|
---|
1400 | if( cli_msg_seq != ssl->handshake->in_msg_seq )
|
---|
1401 | {
|
---|
1402 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
|
---|
1403 | "%d (expected %d)", cli_msg_seq,
|
---|
1404 | ssl->handshake->in_msg_seq ) );
|
---|
1405 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1406 | }
|
---|
1407 |
|
---|
1408 | ssl->handshake->in_msg_seq++;
|
---|
1409 | }
|
---|
1410 | else
|
---|
1411 | #endif
|
---|
1412 | {
|
---|
1413 | unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
|
---|
1414 | ssl->in_msg[5];
|
---|
1415 | ssl->handshake->out_msg_seq = cli_msg_seq;
|
---|
1416 | ssl->handshake->in_msg_seq = cli_msg_seq + 1;
|
---|
1417 | }
|
---|
1418 |
|
---|
1419 | /*
|
---|
1420 | * For now we don't support fragmentation, so make sure
|
---|
1421 | * fragment_offset == 0 and fragment_length == length
|
---|
1422 | */
|
---|
1423 | if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
|
---|
1424 | memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
|
---|
1425 | {
|
---|
1426 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
|
---|
1427 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
---|
1428 | }
|
---|
1429 | }
|
---|
1430 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
1431 |
|
---|
1432 | buf += mbedtls_ssl_hs_hdr_len( ssl );
|
---|
1433 | msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
|
---|
1434 |
|
---|
1435 | /*
|
---|
1436 | * ClientHello layer:
|
---|
1437 | * 0 . 1 protocol version
|
---|
1438 | * 2 . 33 random bytes (starting with 4 bytes of Unix time)
|
---|
1439 | * 34 . 35 session id length (1 byte)
|
---|
1440 | * 35 . 34+x session id
|
---|
1441 | * 35+x . 35+x DTLS only: cookie length (1 byte)
|
---|
1442 | * 36+x . .. DTLS only: cookie
|
---|
1443 | * .. . .. ciphersuite list length (2 bytes)
|
---|
1444 | * .. . .. ciphersuite list
|
---|
1445 | * .. . .. compression alg. list length (1 byte)
|
---|
1446 | * .. . .. compression alg. list
|
---|
1447 | * .. . .. extensions length (2 bytes, optional)
|
---|
1448 | * .. . .. extensions (optional)
|
---|
1449 | */
|
---|
1450 |
|
---|
1451 | /*
|
---|
1452 | * Minimal length (with everything empty and extensions ommitted) is
|
---|
1453 | * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
|
---|
1454 | * read at least up to session id length without worrying.
|
---|
1455 | */
|
---|
1456 | if( msg_len < 38 )
|
---|
1457 | {
|
---|
1458 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1459 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1460 | }
|
---|
1461 |
|
---|
1462 | /*
|
---|
1463 | * Check and save the protocol version
|
---|
1464 | */
|
---|
1465 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
|
---|
1466 |
|
---|
1467 | mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
|
---|
1468 | ssl->conf->transport, buf );
|
---|
1469 |
|
---|
1470 | ssl->handshake->max_major_ver = ssl->major_ver;
|
---|
1471 | ssl->handshake->max_minor_ver = ssl->minor_ver;
|
---|
1472 |
|
---|
1473 | if( ssl->major_ver < ssl->conf->min_major_ver ||
|
---|
1474 | ssl->minor_ver < ssl->conf->min_minor_ver )
|
---|
1475 | {
|
---|
1476 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
|
---|
1477 | " [%d:%d] < [%d:%d]",
|
---|
1478 | ssl->major_ver, ssl->minor_ver,
|
---|
1479 | ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
|
---|
1480 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1481 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
---|
1482 | return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
|
---|
1483 | }
|
---|
1484 |
|
---|
1485 | if( ssl->major_ver > ssl->conf->max_major_ver )
|
---|
1486 | {
|
---|
1487 | ssl->major_ver = ssl->conf->max_major_ver;
|
---|
1488 | ssl->minor_ver = ssl->conf->max_minor_ver;
|
---|
1489 | }
|
---|
1490 | else if( ssl->minor_ver > ssl->conf->max_minor_ver )
|
---|
1491 | ssl->minor_ver = ssl->conf->max_minor_ver;
|
---|
1492 |
|
---|
1493 | /*
|
---|
1494 | * Save client random (inc. Unix time)
|
---|
1495 | */
|
---|
1496 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
|
---|
1497 |
|
---|
1498 | memcpy( ssl->handshake->randbytes, buf + 2, 32 );
|
---|
1499 |
|
---|
1500 | /*
|
---|
1501 | * Check the session ID length and save session ID
|
---|
1502 | */
|
---|
1503 | sess_len = buf[34];
|
---|
1504 |
|
---|
1505 | if( sess_len > sizeof( ssl->session_negotiate->id ) ||
|
---|
1506 | sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
|
---|
1507 | {
|
---|
1508 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1509 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1510 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
1511 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1512 | }
|
---|
1513 |
|
---|
1514 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
|
---|
1515 |
|
---|
1516 | ssl->session_negotiate->id_len = sess_len;
|
---|
1517 | memset( ssl->session_negotiate->id, 0,
|
---|
1518 | sizeof( ssl->session_negotiate->id ) );
|
---|
1519 | memcpy( ssl->session_negotiate->id, buf + 35,
|
---|
1520 | ssl->session_negotiate->id_len );
|
---|
1521 |
|
---|
1522 | /*
|
---|
1523 | * Check the cookie length and content
|
---|
1524 | */
|
---|
1525 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
1526 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
1527 | {
|
---|
1528 | cookie_offset = 35 + sess_len;
|
---|
1529 | cookie_len = buf[cookie_offset];
|
---|
1530 |
|
---|
1531 | if( cookie_offset + 1 + cookie_len + 2 > msg_len )
|
---|
1532 | {
|
---|
1533 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1534 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1535 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
---|
1536 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1537 | }
|
---|
1538 |
|
---|
1539 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
|
---|
1540 | buf + cookie_offset + 1, cookie_len );
|
---|
1541 |
|
---|
1542 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
|
---|
1543 | if( ssl->conf->f_cookie_check != NULL
|
---|
1544 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
1545 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
|
---|
1546 | #endif
|
---|
1547 | )
|
---|
1548 | {
|
---|
1549 | if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
|
---|
1550 | buf + cookie_offset + 1, cookie_len,
|
---|
1551 | ssl->cli_id, ssl->cli_id_len ) != 0 )
|
---|
1552 | {
|
---|
1553 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
|
---|
1554 | ssl->handshake->verify_cookie_len = 1;
|
---|
1555 | }
|
---|
1556 | else
|
---|
1557 | {
|
---|
1558 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
|
---|
1559 | ssl->handshake->verify_cookie_len = 0;
|
---|
1560 | }
|
---|
1561 | }
|
---|
1562 | else
|
---|
1563 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
|
---|
1564 | {
|
---|
1565 | /* We know we didn't send a cookie, so it should be empty */
|
---|
1566 | if( cookie_len != 0 )
|
---|
1567 | {
|
---|
1568 | /* This may be an attacker's probe, so don't send an alert */
|
---|
1569 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1570 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1571 | }
|
---|
1572 |
|
---|
1573 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
|
---|
1574 | }
|
---|
1575 |
|
---|
1576 | /*
|
---|
1577 | * Check the ciphersuitelist length (will be parsed later)
|
---|
1578 | */
|
---|
1579 | ciph_offset = cookie_offset + 1 + cookie_len;
|
---|
1580 | }
|
---|
1581 | else
|
---|
1582 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
1583 | ciph_offset = 35 + sess_len;
|
---|
1584 |
|
---|
1585 | ciph_len = ( buf[ciph_offset + 0] << 8 )
|
---|
1586 | | ( buf[ciph_offset + 1] );
|
---|
1587 |
|
---|
1588 | if( ciph_len < 2 ||
|
---|
1589 | ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
|
---|
1590 | ( ciph_len % 2 ) != 0 )
|
---|
1591 | {
|
---|
1592 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1593 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1594 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
1595 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1596 | }
|
---|
1597 |
|
---|
1598 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
|
---|
1599 | buf + ciph_offset + 2, ciph_len );
|
---|
1600 |
|
---|
1601 | /*
|
---|
1602 | * Check the compression algorithms length and pick one
|
---|
1603 | */
|
---|
1604 | comp_offset = ciph_offset + 2 + ciph_len;
|
---|
1605 |
|
---|
1606 | comp_len = buf[comp_offset];
|
---|
1607 |
|
---|
1608 | if( comp_len < 1 ||
|
---|
1609 | comp_len > 16 ||
|
---|
1610 | comp_len + comp_offset + 1 > msg_len )
|
---|
1611 | {
|
---|
1612 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1613 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1614 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
1615 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1616 | }
|
---|
1617 |
|
---|
1618 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
|
---|
1619 | buf + comp_offset + 1, comp_len );
|
---|
1620 |
|
---|
1621 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
|
---|
1622 | #if defined(MBEDTLS_ZLIB_SUPPORT)
|
---|
1623 | for( i = 0; i < comp_len; ++i )
|
---|
1624 | {
|
---|
1625 | if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
|
---|
1626 | {
|
---|
1627 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
|
---|
1628 | break;
|
---|
1629 | }
|
---|
1630 | }
|
---|
1631 | #endif
|
---|
1632 |
|
---|
1633 | /* See comments in ssl_write_client_hello() */
|
---|
1634 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
1635 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
1636 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
|
---|
1637 | #endif
|
---|
1638 |
|
---|
1639 | /* Do not parse the extensions if the protocol is SSLv3 */
|
---|
1640 | #if defined(MBEDTLS_SSL_PROTO_SSL3)
|
---|
1641 | if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
|
---|
1642 | {
|
---|
1643 | #endif
|
---|
1644 | /*
|
---|
1645 | * Check the extension length
|
---|
1646 | */
|
---|
1647 | ext_offset = comp_offset + 1 + comp_len;
|
---|
1648 | if( msg_len > ext_offset )
|
---|
1649 | {
|
---|
1650 | if( msg_len < ext_offset + 2 )
|
---|
1651 | {
|
---|
1652 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1653 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1654 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
1655 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1656 | }
|
---|
1657 |
|
---|
1658 | ext_len = ( buf[ext_offset + 0] << 8 )
|
---|
1659 | | ( buf[ext_offset + 1] );
|
---|
1660 |
|
---|
1661 | if( ( ext_len > 0 && ext_len < 4 ) ||
|
---|
1662 | msg_len != ext_offset + 2 + ext_len )
|
---|
1663 | {
|
---|
1664 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1665 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1666 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
1667 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1668 | }
|
---|
1669 | }
|
---|
1670 | else
|
---|
1671 | ext_len = 0;
|
---|
1672 |
|
---|
1673 | ext = buf + ext_offset + 2;
|
---|
1674 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
|
---|
1675 |
|
---|
1676 | while( ext_len != 0 )
|
---|
1677 | {
|
---|
1678 | unsigned int ext_id;
|
---|
1679 | unsigned int ext_size;
|
---|
1680 | if ( ext_len < 4 ) {
|
---|
1681 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1682 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1683 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
1684 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1685 | }
|
---|
1686 | ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) );
|
---|
1687 | ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) );
|
---|
1688 |
|
---|
1689 | if( ext_size + 4 > ext_len )
|
---|
1690 | {
|
---|
1691 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1692 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1693 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
1694 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1695 | }
|
---|
1696 | switch( ext_id )
|
---|
1697 | {
|
---|
1698 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
---|
1699 | case MBEDTLS_TLS_EXT_SERVERNAME:
|
---|
1700 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
|
---|
1701 | if( ssl->conf->f_sni == NULL )
|
---|
1702 | break;
|
---|
1703 |
|
---|
1704 | ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
|
---|
1705 | if( ret != 0 )
|
---|
1706 | return( ret );
|
---|
1707 | break;
|
---|
1708 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
|
---|
1709 |
|
---|
1710 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
|
---|
1711 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
|
---|
1712 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
1713 | renegotiation_info_seen = 1;
|
---|
1714 | #endif
|
---|
1715 |
|
---|
1716 | ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
|
---|
1717 | if( ret != 0 )
|
---|
1718 | return( ret );
|
---|
1719 | break;
|
---|
1720 |
|
---|
1721 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
1722 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
1723 | case MBEDTLS_TLS_EXT_SIG_ALG:
|
---|
1724 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
|
---|
1725 |
|
---|
1726 | ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
|
---|
1727 | if( ret != 0 )
|
---|
1728 | return( ret );
|
---|
1729 |
|
---|
1730 | sig_hash_alg_ext_present = 1;
|
---|
1731 | break;
|
---|
1732 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
---|
1733 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
---|
1734 |
|
---|
1735 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
---|
1736 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
1737 | case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
|
---|
1738 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
|
---|
1739 |
|
---|
1740 | ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
|
---|
1741 | if( ret != 0 )
|
---|
1742 | return( ret );
|
---|
1743 | break;
|
---|
1744 |
|
---|
1745 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
|
---|
1746 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
|
---|
1747 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
|
---|
1748 |
|
---|
1749 | ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
|
---|
1750 | if( ret != 0 )
|
---|
1751 | return( ret );
|
---|
1752 | break;
|
---|
1753 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
|
---|
1754 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
1755 |
|
---|
1756 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
1757 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
|
---|
1758 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
|
---|
1759 |
|
---|
1760 | ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
|
---|
1761 | if( ret != 0 )
|
---|
1762 | return( ret );
|
---|
1763 | break;
|
---|
1764 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
1765 |
|
---|
1766 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
---|
1767 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
|
---|
1768 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
|
---|
1769 |
|
---|
1770 | ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
|
---|
1771 | if( ret != 0 )
|
---|
1772 | return( ret );
|
---|
1773 | break;
|
---|
1774 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
---|
1775 |
|
---|
1776 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
---|
1777 | case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
|
---|
1778 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
|
---|
1779 |
|
---|
1780 | ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
|
---|
1781 | if( ret != 0 )
|
---|
1782 | return( ret );
|
---|
1783 | break;
|
---|
1784 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
---|
1785 |
|
---|
1786 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
---|
1787 | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
|
---|
1788 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
|
---|
1789 |
|
---|
1790 | ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
|
---|
1791 | if( ret != 0 )
|
---|
1792 | return( ret );
|
---|
1793 | break;
|
---|
1794 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
|
---|
1795 |
|
---|
1796 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
---|
1797 | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
|
---|
1798 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
|
---|
1799 |
|
---|
1800 | ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
|
---|
1801 | if( ret != 0 )
|
---|
1802 | return( ret );
|
---|
1803 | break;
|
---|
1804 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
---|
1805 |
|
---|
1806 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
1807 | case MBEDTLS_TLS_EXT_SESSION_TICKET:
|
---|
1808 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
|
---|
1809 |
|
---|
1810 | ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
|
---|
1811 | if( ret != 0 )
|
---|
1812 | return( ret );
|
---|
1813 | break;
|
---|
1814 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
1815 |
|
---|
1816 | #if defined(MBEDTLS_SSL_ALPN)
|
---|
1817 | case MBEDTLS_TLS_EXT_ALPN:
|
---|
1818 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
|
---|
1819 |
|
---|
1820 | ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
|
---|
1821 | if( ret != 0 )
|
---|
1822 | return( ret );
|
---|
1823 | break;
|
---|
1824 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
1825 |
|
---|
1826 | default:
|
---|
1827 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
|
---|
1828 | ext_id ) );
|
---|
1829 | }
|
---|
1830 |
|
---|
1831 | ext_len -= 4 + ext_size;
|
---|
1832 | ext += 4 + ext_size;
|
---|
1833 |
|
---|
1834 | if( ext_len > 0 && ext_len < 4 )
|
---|
1835 | {
|
---|
1836 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
1837 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1838 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
1839 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1840 | }
|
---|
1841 | }
|
---|
1842 | #if defined(MBEDTLS_SSL_PROTO_SSL3)
|
---|
1843 | }
|
---|
1844 | #endif
|
---|
1845 |
|
---|
1846 | #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
|
---|
1847 | for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
|
---|
1848 | {
|
---|
1849 | if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
|
---|
1850 | p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
|
---|
1851 | {
|
---|
1852 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
|
---|
1853 |
|
---|
1854 | if( ssl->minor_ver < ssl->conf->max_minor_ver )
|
---|
1855 | {
|
---|
1856 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
---|
1857 |
|
---|
1858 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1859 | MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
|
---|
1860 |
|
---|
1861 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1862 | }
|
---|
1863 |
|
---|
1864 | break;
|
---|
1865 | }
|
---|
1866 | }
|
---|
1867 | #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
|
---|
1868 |
|
---|
1869 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
1870 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
1871 |
|
---|
1872 | /*
|
---|
1873 | * Try to fall back to default hash SHA1 if the client
|
---|
1874 | * hasn't provided any preferred signature-hash combinations.
|
---|
1875 | */
|
---|
1876 | if( sig_hash_alg_ext_present == 0 )
|
---|
1877 | {
|
---|
1878 | mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
|
---|
1879 |
|
---|
1880 | if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
|
---|
1881 | md_default = MBEDTLS_MD_NONE;
|
---|
1882 |
|
---|
1883 | mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
|
---|
1884 | }
|
---|
1885 |
|
---|
1886 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
---|
1887 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
---|
1888 |
|
---|
1889 | /*
|
---|
1890 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
|
---|
1891 | */
|
---|
1892 | for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
|
---|
1893 | {
|
---|
1894 | if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
|
---|
1895 | {
|
---|
1896 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
|
---|
1897 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
1898 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
|
---|
1899 | {
|
---|
1900 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
|
---|
1901 | "during renegotiation" ) );
|
---|
1902 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1903 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
1904 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1905 | }
|
---|
1906 | #endif
|
---|
1907 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
|
---|
1908 | break;
|
---|
1909 | }
|
---|
1910 | }
|
---|
1911 |
|
---|
1912 | /*
|
---|
1913 | * Renegotiation security checks
|
---|
1914 | */
|
---|
1915 | if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
|
---|
1916 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
|
---|
1917 | {
|
---|
1918 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
|
---|
1919 | handshake_failure = 1;
|
---|
1920 | }
|
---|
1921 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
1922 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
|
---|
1923 | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
|
---|
1924 | renegotiation_info_seen == 0 )
|
---|
1925 | {
|
---|
1926 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
|
---|
1927 | handshake_failure = 1;
|
---|
1928 | }
|
---|
1929 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
|
---|
1930 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
---|
1931 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
|
---|
1932 | {
|
---|
1933 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
|
---|
1934 | handshake_failure = 1;
|
---|
1935 | }
|
---|
1936 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
|
---|
1937 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
---|
1938 | renegotiation_info_seen == 1 )
|
---|
1939 | {
|
---|
1940 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
|
---|
1941 | handshake_failure = 1;
|
---|
1942 | }
|
---|
1943 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
1944 |
|
---|
1945 | if( handshake_failure == 1 )
|
---|
1946 | {
|
---|
1947 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1948 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
1949 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
1950 | }
|
---|
1951 |
|
---|
1952 | /*
|
---|
1953 | * Search for a matching ciphersuite
|
---|
1954 | * (At the end because we need information from the EC-based extensions
|
---|
1955 | * and certificate from the SNI callback triggered by the SNI extension.)
|
---|
1956 | */
|
---|
1957 | got_common_suite = 0;
|
---|
1958 | ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
|
---|
1959 | ciphersuite_info = NULL;
|
---|
1960 | #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
---|
1961 | for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
|
---|
1962 | for( i = 0; ciphersuites[i] != 0; i++ )
|
---|
1963 | #else
|
---|
1964 | for( i = 0; ciphersuites[i] != 0; i++ )
|
---|
1965 | for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
|
---|
1966 | #endif
|
---|
1967 | {
|
---|
1968 | if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
|
---|
1969 | p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
|
---|
1970 | continue;
|
---|
1971 |
|
---|
1972 | got_common_suite = 1;
|
---|
1973 |
|
---|
1974 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
|
---|
1975 | &ciphersuite_info ) ) != 0 )
|
---|
1976 | return( ret );
|
---|
1977 |
|
---|
1978 | if( ciphersuite_info != NULL )
|
---|
1979 | goto have_ciphersuite;
|
---|
1980 | }
|
---|
1981 |
|
---|
1982 | if( got_common_suite )
|
---|
1983 | {
|
---|
1984 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
|
---|
1985 | "but none of them usable" ) );
|
---|
1986 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1987 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
1988 | return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
|
---|
1989 | }
|
---|
1990 | else
|
---|
1991 | {
|
---|
1992 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
|
---|
1993 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
1994 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
1995 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
|
---|
1996 | }
|
---|
1997 |
|
---|
1998 | have_ciphersuite:
|
---|
1999 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
|
---|
2000 |
|
---|
2001 | ssl->session_negotiate->ciphersuite = ciphersuites[i];
|
---|
2002 | ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
|
---|
2003 |
|
---|
2004 | ssl->state++;
|
---|
2005 |
|
---|
2006 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
2007 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
2008 | mbedtls_ssl_recv_flight_completed( ssl );
|
---|
2009 | #endif
|
---|
2010 |
|
---|
2011 | /* Debugging-only output for testsuite */
|
---|
2012 | #if defined(MBEDTLS_DEBUG_C) && \
|
---|
2013 | defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
2014 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
2015 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
2016 | {
|
---|
2017 | mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
|
---|
2018 | if( sig_alg != MBEDTLS_PK_NONE )
|
---|
2019 | {
|
---|
2020 | mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
|
---|
2021 | sig_alg );
|
---|
2022 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
|
---|
2023 | mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
|
---|
2024 | }
|
---|
2025 | else
|
---|
2026 | {
|
---|
2027 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
|
---|
2028 | "%d - should not happen", sig_alg ) );
|
---|
2029 | }
|
---|
2030 | }
|
---|
2031 | #endif
|
---|
2032 |
|
---|
2033 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
|
---|
2034 |
|
---|
2035 | return( 0 );
|
---|
2036 | }
|
---|
2037 |
|
---|
2038 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
---|
2039 | static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
---|
2040 | unsigned char *buf,
|
---|
2041 | size_t *olen )
|
---|
2042 | {
|
---|
2043 | unsigned char *p = buf;
|
---|
2044 |
|
---|
2045 | if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
|
---|
2046 | {
|
---|
2047 | *olen = 0;
|
---|
2048 | return;
|
---|
2049 | }
|
---|
2050 |
|
---|
2051 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
|
---|
2052 |
|
---|
2053 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
|
---|
2054 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
|
---|
2055 |
|
---|
2056 | *p++ = 0x00;
|
---|
2057 | *p++ = 0x00;
|
---|
2058 |
|
---|
2059 | *olen = 4;
|
---|
2060 | }
|
---|
2061 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
---|
2062 |
|
---|
2063 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
---|
2064 | static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
---|
2065 | unsigned char *buf,
|
---|
2066 | size_t *olen )
|
---|
2067 | {
|
---|
2068 | unsigned char *p = buf;
|
---|
2069 | const mbedtls_ssl_ciphersuite_t *suite = NULL;
|
---|
2070 | const mbedtls_cipher_info_t *cipher = NULL;
|
---|
2071 |
|
---|
2072 | if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
---|
2073 | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
---|
2074 | {
|
---|
2075 | *olen = 0;
|
---|
2076 | return;
|
---|
2077 | }
|
---|
2078 |
|
---|
2079 | /*
|
---|
2080 | * RFC 7366: "If a server receives an encrypt-then-MAC request extension
|
---|
2081 | * from a client and then selects a stream or Authenticated Encryption
|
---|
2082 | * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
|
---|
2083 | * encrypt-then-MAC response extension back to the client."
|
---|
2084 | */
|
---|
2085 | if( ( suite = mbedtls_ssl_ciphersuite_from_id(
|
---|
2086 | ssl->session_negotiate->ciphersuite ) ) == NULL ||
|
---|
2087 | ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
|
---|
2088 | cipher->mode != MBEDTLS_MODE_CBC )
|
---|
2089 | {
|
---|
2090 | *olen = 0;
|
---|
2091 | return;
|
---|
2092 | }
|
---|
2093 |
|
---|
2094 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
|
---|
2095 |
|
---|
2096 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
|
---|
2097 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
|
---|
2098 |
|
---|
2099 | *p++ = 0x00;
|
---|
2100 | *p++ = 0x00;
|
---|
2101 |
|
---|
2102 | *olen = 4;
|
---|
2103 | }
|
---|
2104 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
|
---|
2105 |
|
---|
2106 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
---|
2107 | static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
|
---|
2108 | unsigned char *buf,
|
---|
2109 | size_t *olen )
|
---|
2110 | {
|
---|
2111 | unsigned char *p = buf;
|
---|
2112 |
|
---|
2113 | if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
---|
2114 | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
---|
2115 | {
|
---|
2116 | *olen = 0;
|
---|
2117 | return;
|
---|
2118 | }
|
---|
2119 |
|
---|
2120 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
|
---|
2121 | "extension" ) );
|
---|
2122 |
|
---|
2123 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
|
---|
2124 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
|
---|
2125 |
|
---|
2126 | *p++ = 0x00;
|
---|
2127 | *p++ = 0x00;
|
---|
2128 |
|
---|
2129 | *olen = 4;
|
---|
2130 | }
|
---|
2131 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
---|
2132 |
|
---|
2133 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
2134 | static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
|
---|
2135 | unsigned char *buf,
|
---|
2136 | size_t *olen )
|
---|
2137 | {
|
---|
2138 | unsigned char *p = buf;
|
---|
2139 |
|
---|
2140 | if( ssl->handshake->new_session_ticket == 0 )
|
---|
2141 | {
|
---|
2142 | *olen = 0;
|
---|
2143 | return;
|
---|
2144 | }
|
---|
2145 |
|
---|
2146 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
|
---|
2147 |
|
---|
2148 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
|
---|
2149 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
|
---|
2150 |
|
---|
2151 | *p++ = 0x00;
|
---|
2152 | *p++ = 0x00;
|
---|
2153 |
|
---|
2154 | *olen = 4;
|
---|
2155 | }
|
---|
2156 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
2157 |
|
---|
2158 | static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
|
---|
2159 | unsigned char *buf,
|
---|
2160 | size_t *olen )
|
---|
2161 | {
|
---|
2162 | unsigned char *p = buf;
|
---|
2163 |
|
---|
2164 | if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
|
---|
2165 | {
|
---|
2166 | *olen = 0;
|
---|
2167 | return;
|
---|
2168 | }
|
---|
2169 |
|
---|
2170 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
|
---|
2171 |
|
---|
2172 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
|
---|
2173 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
|
---|
2174 |
|
---|
2175 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
2176 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
2177 | {
|
---|
2178 | *p++ = 0x00;
|
---|
2179 | *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
|
---|
2180 | *p++ = ssl->verify_data_len * 2 & 0xFF;
|
---|
2181 |
|
---|
2182 | memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
|
---|
2183 | p += ssl->verify_data_len;
|
---|
2184 | memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
|
---|
2185 | p += ssl->verify_data_len;
|
---|
2186 | }
|
---|
2187 | else
|
---|
2188 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
2189 | {
|
---|
2190 | *p++ = 0x00;
|
---|
2191 | *p++ = 0x01;
|
---|
2192 | *p++ = 0x00;
|
---|
2193 | }
|
---|
2194 |
|
---|
2195 | *olen = p - buf;
|
---|
2196 | }
|
---|
2197 |
|
---|
2198 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
---|
2199 | static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
|
---|
2200 | unsigned char *buf,
|
---|
2201 | size_t *olen )
|
---|
2202 | {
|
---|
2203 | unsigned char *p = buf;
|
---|
2204 |
|
---|
2205 | if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
|
---|
2206 | {
|
---|
2207 | *olen = 0;
|
---|
2208 | return;
|
---|
2209 | }
|
---|
2210 |
|
---|
2211 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
|
---|
2212 |
|
---|
2213 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
|
---|
2214 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
|
---|
2215 |
|
---|
2216 | *p++ = 0x00;
|
---|
2217 | *p++ = 1;
|
---|
2218 |
|
---|
2219 | *p++ = ssl->session_negotiate->mfl_code;
|
---|
2220 |
|
---|
2221 | *olen = 5;
|
---|
2222 | }
|
---|
2223 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
---|
2224 |
|
---|
2225 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
---|
2226 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
2227 | static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
|
---|
2228 | unsigned char *buf,
|
---|
2229 | size_t *olen )
|
---|
2230 | {
|
---|
2231 | unsigned char *p = buf;
|
---|
2232 | ((void) ssl);
|
---|
2233 |
|
---|
2234 | if( ( ssl->handshake->cli_exts &
|
---|
2235 | MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
|
---|
2236 | {
|
---|
2237 | *olen = 0;
|
---|
2238 | return;
|
---|
2239 | }
|
---|
2240 |
|
---|
2241 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
|
---|
2242 |
|
---|
2243 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
|
---|
2244 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
|
---|
2245 |
|
---|
2246 | *p++ = 0x00;
|
---|
2247 | *p++ = 2;
|
---|
2248 |
|
---|
2249 | *p++ = 1;
|
---|
2250 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
|
---|
2251 |
|
---|
2252 | *olen = 6;
|
---|
2253 | }
|
---|
2254 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
2255 |
|
---|
2256 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
2257 | static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
|
---|
2258 | unsigned char *buf,
|
---|
2259 | size_t *olen )
|
---|
2260 | {
|
---|
2261 | int ret;
|
---|
2262 | unsigned char *p = buf;
|
---|
2263 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
---|
2264 | size_t kkpp_len;
|
---|
2265 |
|
---|
2266 | *olen = 0;
|
---|
2267 |
|
---|
2268 | /* Skip costly computation if not needed */
|
---|
2269 | if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
|
---|
2270 | MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
---|
2271 | return;
|
---|
2272 |
|
---|
2273 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
|
---|
2274 |
|
---|
2275 | if( end - p < 4 )
|
---|
2276 | {
|
---|
2277 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
|
---|
2278 | return;
|
---|
2279 | }
|
---|
2280 |
|
---|
2281 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
|
---|
2282 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
|
---|
2283 |
|
---|
2284 | ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
|
---|
2285 | p + 2, end - p - 2, &kkpp_len,
|
---|
2286 | ssl->conf->f_rng, ssl->conf->p_rng );
|
---|
2287 | if( ret != 0 )
|
---|
2288 | {
|
---|
2289 | MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
|
---|
2290 | return;
|
---|
2291 | }
|
---|
2292 |
|
---|
2293 | *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
|
---|
2294 | *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
|
---|
2295 |
|
---|
2296 | *olen = kkpp_len + 4;
|
---|
2297 | }
|
---|
2298 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
2299 |
|
---|
2300 | #if defined(MBEDTLS_SSL_ALPN )
|
---|
2301 | static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
|
---|
2302 | unsigned char *buf, size_t *olen )
|
---|
2303 | {
|
---|
2304 | if( ssl->alpn_chosen == NULL )
|
---|
2305 | {
|
---|
2306 | *olen = 0;
|
---|
2307 | return;
|
---|
2308 | }
|
---|
2309 |
|
---|
2310 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
|
---|
2311 |
|
---|
2312 | /*
|
---|
2313 | * 0 . 1 ext identifier
|
---|
2314 | * 2 . 3 ext length
|
---|
2315 | * 4 . 5 protocol list length
|
---|
2316 | * 6 . 6 protocol name length
|
---|
2317 | * 7 . 7+n protocol name
|
---|
2318 | */
|
---|
2319 | buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
|
---|
2320 | buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
|
---|
2321 |
|
---|
2322 | *olen = 7 + strlen( ssl->alpn_chosen );
|
---|
2323 |
|
---|
2324 | buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
|
---|
2325 | buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
|
---|
2326 |
|
---|
2327 | buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
|
---|
2328 | buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
|
---|
2329 |
|
---|
2330 | buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
|
---|
2331 |
|
---|
2332 | memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
|
---|
2333 | }
|
---|
2334 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
|
---|
2335 |
|
---|
2336 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
|
---|
2337 | static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
|
---|
2338 | {
|
---|
2339 | int ret;
|
---|
2340 | unsigned char *p = ssl->out_msg + 4;
|
---|
2341 | unsigned char *cookie_len_byte;
|
---|
2342 |
|
---|
2343 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
|
---|
2344 |
|
---|
2345 | /*
|
---|
2346 | * struct {
|
---|
2347 | * ProtocolVersion server_version;
|
---|
2348 | * opaque cookie<0..2^8-1>;
|
---|
2349 | * } HelloVerifyRequest;
|
---|
2350 | */
|
---|
2351 |
|
---|
2352 | /* The RFC is not clear on this point, but sending the actual negotiated
|
---|
2353 | * version looks like the most interoperable thing to do. */
|
---|
2354 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
---|
2355 | ssl->conf->transport, p );
|
---|
2356 | MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
|
---|
2357 | p += 2;
|
---|
2358 |
|
---|
2359 | /* If we get here, f_cookie_check is not null */
|
---|
2360 | if( ssl->conf->f_cookie_write == NULL )
|
---|
2361 | {
|
---|
2362 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
|
---|
2363 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
2364 | }
|
---|
2365 |
|
---|
2366 | /* Skip length byte until we know the length */
|
---|
2367 | cookie_len_byte = p++;
|
---|
2368 |
|
---|
2369 | if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
|
---|
2370 | &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
|
---|
2371 | ssl->cli_id, ssl->cli_id_len ) ) != 0 )
|
---|
2372 | {
|
---|
2373 | MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
|
---|
2374 | return( ret );
|
---|
2375 | }
|
---|
2376 |
|
---|
2377 | *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
|
---|
2378 |
|
---|
2379 | MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
|
---|
2380 |
|
---|
2381 | ssl->out_msglen = p - ssl->out_msg;
|
---|
2382 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
2383 | ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
|
---|
2384 |
|
---|
2385 | ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
|
---|
2386 |
|
---|
2387 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
|
---|
2388 | {
|
---|
2389 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
|
---|
2390 | return( ret );
|
---|
2391 | }
|
---|
2392 |
|
---|
2393 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
2394 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
---|
2395 | ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
|
---|
2396 | {
|
---|
2397 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
|
---|
2398 | return( ret );
|
---|
2399 | }
|
---|
2400 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
2401 |
|
---|
2402 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
|
---|
2403 |
|
---|
2404 | return( 0 );
|
---|
2405 | }
|
---|
2406 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
|
---|
2407 |
|
---|
2408 | static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
---|
2409 | {
|
---|
2410 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
2411 | mbedtls_time_t t;
|
---|
2412 | #endif
|
---|
2413 | int ret;
|
---|
2414 | size_t olen, ext_len = 0, n;
|
---|
2415 | unsigned char *buf, *p;
|
---|
2416 |
|
---|
2417 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
|
---|
2418 |
|
---|
2419 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
|
---|
2420 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
---|
2421 | ssl->handshake->verify_cookie_len != 0 )
|
---|
2422 | {
|
---|
2423 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
|
---|
2424 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
|
---|
2425 |
|
---|
2426 | return( ssl_write_hello_verify_request( ssl ) );
|
---|
2427 | }
|
---|
2428 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
|
---|
2429 |
|
---|
2430 | if( ssl->conf->f_rng == NULL )
|
---|
2431 | {
|
---|
2432 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
|
---|
2433 | return( MBEDTLS_ERR_SSL_NO_RNG );
|
---|
2434 | }
|
---|
2435 |
|
---|
2436 | /*
|
---|
2437 | * 0 . 0 handshake type
|
---|
2438 | * 1 . 3 handshake length
|
---|
2439 | * 4 . 5 protocol version
|
---|
2440 | * 6 . 9 UNIX time()
|
---|
2441 | * 10 . 37 random bytes
|
---|
2442 | */
|
---|
2443 | buf = ssl->out_msg;
|
---|
2444 | p = buf + 4;
|
---|
2445 |
|
---|
2446 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
---|
2447 | ssl->conf->transport, p );
|
---|
2448 | p += 2;
|
---|
2449 |
|
---|
2450 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
|
---|
2451 | buf[4], buf[5] ) );
|
---|
2452 |
|
---|
2453 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
2454 | t = mbedtls_time( NULL );
|
---|
2455 | *p++ = (unsigned char)( t >> 24 );
|
---|
2456 | *p++ = (unsigned char)( t >> 16 );
|
---|
2457 | *p++ = (unsigned char)( t >> 8 );
|
---|
2458 | *p++ = (unsigned char)( t );
|
---|
2459 |
|
---|
2460 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
|
---|
2461 | #else
|
---|
2462 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
|
---|
2463 | return( ret );
|
---|
2464 |
|
---|
2465 | p += 4;
|
---|
2466 | #endif /* MBEDTLS_HAVE_TIME */
|
---|
2467 |
|
---|
2468 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
|
---|
2469 | return( ret );
|
---|
2470 |
|
---|
2471 | p += 28;
|
---|
2472 |
|
---|
2473 | memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
|
---|
2474 |
|
---|
2475 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
|
---|
2476 |
|
---|
2477 | /*
|
---|
2478 | * Resume is 0 by default, see ssl_handshake_init().
|
---|
2479 | * It may be already set to 1 by ssl_parse_session_ticket_ext().
|
---|
2480 | * If not, try looking up session ID in our cache.
|
---|
2481 | */
|
---|
2482 | if( ssl->handshake->resume == 0 &&
|
---|
2483 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
2484 | ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
|
---|
2485 | #endif
|
---|
2486 | ssl->session_negotiate->id_len != 0 &&
|
---|
2487 | ssl->conf->f_get_cache != NULL &&
|
---|
2488 | ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
|
---|
2489 | {
|
---|
2490 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
|
---|
2491 | ssl->handshake->resume = 1;
|
---|
2492 | }
|
---|
2493 |
|
---|
2494 | if( ssl->handshake->resume == 0 )
|
---|
2495 | {
|
---|
2496 | /*
|
---|
2497 | * New session, create a new session id,
|
---|
2498 | * unless we're about to issue a session ticket
|
---|
2499 | */
|
---|
2500 | ssl->state++;
|
---|
2501 |
|
---|
2502 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
2503 | ssl->session_negotiate->start = mbedtls_time( NULL );
|
---|
2504 | #endif
|
---|
2505 |
|
---|
2506 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
2507 | if( ssl->handshake->new_session_ticket != 0 )
|
---|
2508 | {
|
---|
2509 | ssl->session_negotiate->id_len = n = 0;
|
---|
2510 | memset( ssl->session_negotiate->id, 0, 32 );
|
---|
2511 | }
|
---|
2512 | else
|
---|
2513 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
2514 | {
|
---|
2515 | ssl->session_negotiate->id_len = n = 32;
|
---|
2516 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
|
---|
2517 | n ) ) != 0 )
|
---|
2518 | return( ret );
|
---|
2519 | }
|
---|
2520 | }
|
---|
2521 | else
|
---|
2522 | {
|
---|
2523 | /*
|
---|
2524 | * Resuming a session
|
---|
2525 | */
|
---|
2526 | n = ssl->session_negotiate->id_len;
|
---|
2527 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
|
---|
2528 |
|
---|
2529 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
|
---|
2530 | {
|
---|
2531 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
|
---|
2532 | return( ret );
|
---|
2533 | }
|
---|
2534 | }
|
---|
2535 |
|
---|
2536 | /*
|
---|
2537 | * 38 . 38 session id length
|
---|
2538 | * 39 . 38+n session id
|
---|
2539 | * 39+n . 40+n chosen ciphersuite
|
---|
2540 | * 41+n . 41+n chosen compression alg.
|
---|
2541 | * 42+n . 43+n extensions length
|
---|
2542 | * 44+n . 43+n+m extensions
|
---|
2543 | */
|
---|
2544 | *p++ = (unsigned char) ssl->session_negotiate->id_len;
|
---|
2545 | memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
|
---|
2546 | p += ssl->session_negotiate->id_len;
|
---|
2547 |
|
---|
2548 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
|
---|
2549 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
|
---|
2550 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
|
---|
2551 | ssl->handshake->resume ? "a" : "no" ) );
|
---|
2552 |
|
---|
2553 | *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
|
---|
2554 | *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
|
---|
2555 | *p++ = (unsigned char)( ssl->session_negotiate->compression );
|
---|
2556 |
|
---|
2557 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
|
---|
2558 | mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
|
---|
2559 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
|
---|
2560 | ssl->session_negotiate->compression ) );
|
---|
2561 |
|
---|
2562 | /* Do not write the extensions if the protocol is SSLv3 */
|
---|
2563 | #if defined(MBEDTLS_SSL_PROTO_SSL3)
|
---|
2564 | if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
|
---|
2565 | {
|
---|
2566 | #endif
|
---|
2567 |
|
---|
2568 | /*
|
---|
2569 | * First write extensions, then the total length
|
---|
2570 | */
|
---|
2571 | ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
|
---|
2572 | ext_len += olen;
|
---|
2573 |
|
---|
2574 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
---|
2575 | ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
|
---|
2576 | ext_len += olen;
|
---|
2577 | #endif
|
---|
2578 |
|
---|
2579 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
---|
2580 | ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
|
---|
2581 | ext_len += olen;
|
---|
2582 | #endif
|
---|
2583 |
|
---|
2584 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
---|
2585 | ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
|
---|
2586 | ext_len += olen;
|
---|
2587 | #endif
|
---|
2588 |
|
---|
2589 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
---|
2590 | ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
|
---|
2591 | ext_len += olen;
|
---|
2592 | #endif
|
---|
2593 |
|
---|
2594 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
2595 | ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
|
---|
2596 | ext_len += olen;
|
---|
2597 | #endif
|
---|
2598 |
|
---|
2599 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
---|
2600 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
2601 | if ( mbedtls_ssl_ciphersuite_uses_ec(
|
---|
2602 | mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
|
---|
2603 | {
|
---|
2604 | ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
|
---|
2605 | ext_len += olen;
|
---|
2606 | }
|
---|
2607 | #endif
|
---|
2608 |
|
---|
2609 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
2610 | ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
|
---|
2611 | ext_len += olen;
|
---|
2612 | #endif
|
---|
2613 |
|
---|
2614 | #if defined(MBEDTLS_SSL_ALPN)
|
---|
2615 | ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
|
---|
2616 | ext_len += olen;
|
---|
2617 | #endif
|
---|
2618 |
|
---|
2619 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
|
---|
2620 |
|
---|
2621 | if( ext_len > 0 )
|
---|
2622 | {
|
---|
2623 | *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
|
---|
2624 | *p++ = (unsigned char)( ( ext_len ) & 0xFF );
|
---|
2625 | p += ext_len;
|
---|
2626 | }
|
---|
2627 |
|
---|
2628 | #if defined(MBEDTLS_SSL_PROTO_SSL3)
|
---|
2629 | }
|
---|
2630 | #endif
|
---|
2631 |
|
---|
2632 | ssl->out_msglen = p - buf;
|
---|
2633 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
2634 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
|
---|
2635 |
|
---|
2636 | ret = mbedtls_ssl_write_handshake_msg( ssl );
|
---|
2637 |
|
---|
2638 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
|
---|
2639 |
|
---|
2640 | return( ret );
|
---|
2641 | }
|
---|
2642 |
|
---|
2643 | #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
|
---|
2644 | !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
|
---|
2645 | !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
|
---|
2646 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
|
---|
2647 | !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
|
---|
2648 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
---|
2649 | static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
---|
2650 | {
|
---|
2651 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
2652 | ssl->transform_negotiate->ciphersuite_info;
|
---|
2653 |
|
---|
2654 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
|
---|
2655 |
|
---|
2656 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
---|
2657 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
---|
2658 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
---|
2659 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
---|
2660 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
---|
2661 | {
|
---|
2662 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
|
---|
2663 | ssl->state++;
|
---|
2664 | return( 0 );
|
---|
2665 | }
|
---|
2666 |
|
---|
2667 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
2668 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
2669 | }
|
---|
2670 | #else
|
---|
2671 | static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
---|
2672 | {
|
---|
2673 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
---|
2674 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
2675 | ssl->transform_negotiate->ciphersuite_info;
|
---|
2676 | size_t dn_size, total_dn_size; /* excluding length bytes */
|
---|
2677 | size_t ct_len, sa_len; /* including length bytes */
|
---|
2678 | unsigned char *buf, *p;
|
---|
2679 | const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
---|
2680 | const mbedtls_x509_crt *crt;
|
---|
2681 | int authmode;
|
---|
2682 |
|
---|
2683 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
|
---|
2684 |
|
---|
2685 | ssl->state++;
|
---|
2686 |
|
---|
2687 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
---|
2688 | if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
|
---|
2689 | authmode = ssl->handshake->sni_authmode;
|
---|
2690 | else
|
---|
2691 | #endif
|
---|
2692 | authmode = ssl->conf->authmode;
|
---|
2693 |
|
---|
2694 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
---|
2695 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
---|
2696 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
---|
2697 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
---|
2698 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
|
---|
2699 | authmode == MBEDTLS_SSL_VERIFY_NONE )
|
---|
2700 | {
|
---|
2701 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
|
---|
2702 | return( 0 );
|
---|
2703 | }
|
---|
2704 |
|
---|
2705 | /*
|
---|
2706 | * 0 . 0 handshake type
|
---|
2707 | * 1 . 3 handshake length
|
---|
2708 | * 4 . 4 cert type count
|
---|
2709 | * 5 .. m-1 cert types
|
---|
2710 | * m .. m+1 sig alg length (TLS 1.2 only)
|
---|
2711 | * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
|
---|
2712 | * n .. n+1 length of all DNs
|
---|
2713 | * n+2 .. n+3 length of DN 1
|
---|
2714 | * n+4 .. ... Distinguished Name #1
|
---|
2715 | * ... .. ... length of DN 2, etc.
|
---|
2716 | */
|
---|
2717 | buf = ssl->out_msg;
|
---|
2718 | p = buf + 4;
|
---|
2719 |
|
---|
2720 | /*
|
---|
2721 | * Supported certificate types
|
---|
2722 | *
|
---|
2723 | * ClientCertificateType certificate_types<1..2^8-1>;
|
---|
2724 | * enum { (255) } ClientCertificateType;
|
---|
2725 | */
|
---|
2726 | ct_len = 0;
|
---|
2727 |
|
---|
2728 | #if defined(MBEDTLS_RSA_C)
|
---|
2729 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
|
---|
2730 | #endif
|
---|
2731 | #if defined(MBEDTLS_ECDSA_C)
|
---|
2732 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
|
---|
2733 | #endif
|
---|
2734 |
|
---|
2735 | p[0] = (unsigned char) ct_len++;
|
---|
2736 | p += ct_len;
|
---|
2737 |
|
---|
2738 | sa_len = 0;
|
---|
2739 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
2740 | /*
|
---|
2741 | * Add signature_algorithms for verify (TLS 1.2)
|
---|
2742 | *
|
---|
2743 | * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
|
---|
2744 | *
|
---|
2745 | * struct {
|
---|
2746 | * HashAlgorithm hash;
|
---|
2747 | * SignatureAlgorithm signature;
|
---|
2748 | * } SignatureAndHashAlgorithm;
|
---|
2749 | *
|
---|
2750 | * enum { (255) } HashAlgorithm;
|
---|
2751 | * enum { (255) } SignatureAlgorithm;
|
---|
2752 | */
|
---|
2753 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
2754 | {
|
---|
2755 | const int *cur;
|
---|
2756 |
|
---|
2757 | /*
|
---|
2758 | * Supported signature algorithms
|
---|
2759 | */
|
---|
2760 | for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
|
---|
2761 | {
|
---|
2762 | unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
|
---|
2763 |
|
---|
2764 | if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
|
---|
2765 | continue;
|
---|
2766 |
|
---|
2767 | #if defined(MBEDTLS_RSA_C)
|
---|
2768 | p[2 + sa_len++] = hash;
|
---|
2769 | p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
|
---|
2770 | #endif
|
---|
2771 | #if defined(MBEDTLS_ECDSA_C)
|
---|
2772 | p[2 + sa_len++] = hash;
|
---|
2773 | p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
|
---|
2774 | #endif
|
---|
2775 | }
|
---|
2776 |
|
---|
2777 | p[0] = (unsigned char)( sa_len >> 8 );
|
---|
2778 | p[1] = (unsigned char)( sa_len );
|
---|
2779 | sa_len += 2;
|
---|
2780 | p += sa_len;
|
---|
2781 | }
|
---|
2782 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
---|
2783 |
|
---|
2784 | /*
|
---|
2785 | * DistinguishedName certificate_authorities<0..2^16-1>;
|
---|
2786 | * opaque DistinguishedName<1..2^16-1>;
|
---|
2787 | */
|
---|
2788 | p += 2;
|
---|
2789 |
|
---|
2790 | total_dn_size = 0;
|
---|
2791 |
|
---|
2792 | if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
|
---|
2793 | {
|
---|
2794 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
---|
2795 | if( ssl->handshake->sni_ca_chain != NULL )
|
---|
2796 | crt = ssl->handshake->sni_ca_chain;
|
---|
2797 | else
|
---|
2798 | #endif
|
---|
2799 | crt = ssl->conf->ca_chain;
|
---|
2800 |
|
---|
2801 | while( crt != NULL && crt->version != 0 )
|
---|
2802 | {
|
---|
2803 | dn_size = crt->subject_raw.len;
|
---|
2804 |
|
---|
2805 | if( end < p ||
|
---|
2806 | (size_t)( end - p ) < dn_size ||
|
---|
2807 | (size_t)( end - p ) < 2 + dn_size )
|
---|
2808 | {
|
---|
2809 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
|
---|
2810 | break;
|
---|
2811 | }
|
---|
2812 |
|
---|
2813 | *p++ = (unsigned char)( dn_size >> 8 );
|
---|
2814 | *p++ = (unsigned char)( dn_size );
|
---|
2815 | memcpy( p, crt->subject_raw.p, dn_size );
|
---|
2816 | p += dn_size;
|
---|
2817 |
|
---|
2818 | MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
|
---|
2819 |
|
---|
2820 | total_dn_size += 2 + dn_size;
|
---|
2821 | crt = crt->next;
|
---|
2822 | }
|
---|
2823 | }
|
---|
2824 |
|
---|
2825 | ssl->out_msglen = p - buf;
|
---|
2826 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
2827 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
|
---|
2828 | ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
|
---|
2829 | ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
|
---|
2830 |
|
---|
2831 | ret = mbedtls_ssl_write_handshake_msg( ssl );
|
---|
2832 |
|
---|
2833 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
|
---|
2834 |
|
---|
2835 | return( ret );
|
---|
2836 | }
|
---|
2837 | #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
|
---|
2838 | !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
|
---|
2839 | !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
|
---|
2840 | !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
|
---|
2841 | !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
|
---|
2842 | !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
---|
2843 |
|
---|
2844 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
---|
2845 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
---|
2846 | static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
|
---|
2847 | {
|
---|
2848 | int ret;
|
---|
2849 |
|
---|
2850 | if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
|
---|
2851 | {
|
---|
2852 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
|
---|
2853 | return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
|
---|
2854 | }
|
---|
2855 |
|
---|
2856 | if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
|
---|
2857 | mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
|
---|
2858 | MBEDTLS_ECDH_OURS ) ) != 0 )
|
---|
2859 | {
|
---|
2860 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
|
---|
2861 | return( ret );
|
---|
2862 | }
|
---|
2863 |
|
---|
2864 | return( 0 );
|
---|
2865 | }
|
---|
2866 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
|
---|
2867 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
|
---|
2868 |
|
---|
2869 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
|
---|
2870 | defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
2871 | static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
|
---|
2872 | size_t *signature_len )
|
---|
2873 | {
|
---|
2874 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the
|
---|
2875 | * signature length which will be added in ssl_write_server_key_exchange
|
---|
2876 | * after the call to ssl_prepare_server_key_exchange.
|
---|
2877 | * ssl_write_server_key_exchange also takes care of incrementing
|
---|
2878 | * ssl->out_msglen. */
|
---|
2879 | unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
|
---|
2880 | size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
|
---|
2881 | - sig_start );
|
---|
2882 | int ret = ssl->conf->f_async_resume( ssl,
|
---|
2883 | sig_start, signature_len, sig_max_len );
|
---|
2884 | if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
|
---|
2885 | {
|
---|
2886 | ssl->handshake->async_in_progress = 0;
|
---|
2887 | mbedtls_ssl_set_async_operation_data( ssl, NULL );
|
---|
2888 | }
|
---|
2889 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
|
---|
2890 | return( ret );
|
---|
2891 | }
|
---|
2892 | #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
|
---|
2893 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
|
---|
2894 |
|
---|
2895 | /* Prepare the ServerKeyExchange message, up to and including
|
---|
2896 | * calculating the signature if any, but excluding formatting the
|
---|
2897 | * signature and sending the message. */
|
---|
2898 | static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
---|
2899 | size_t *signature_len )
|
---|
2900 | {
|
---|
2901 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
2902 | ssl->transform_negotiate->ciphersuite_info;
|
---|
2903 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
|
---|
2904 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
2905 | unsigned char *dig_signed = NULL;
|
---|
2906 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
---|
2907 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
|
---|
2908 |
|
---|
2909 | (void) ciphersuite_info; /* unused in some configurations */
|
---|
2910 | #if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
2911 | (void) signature_len;
|
---|
2912 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
---|
2913 |
|
---|
2914 | ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
|
---|
2915 |
|
---|
2916 | /*
|
---|
2917 | *
|
---|
2918 | * Part 1: Provide key exchange parameters for chosen ciphersuite.
|
---|
2919 | *
|
---|
2920 | */
|
---|
2921 |
|
---|
2922 | /*
|
---|
2923 | * - ECJPAKE key exchanges
|
---|
2924 | */
|
---|
2925 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
2926 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
---|
2927 | {
|
---|
2928 | int ret;
|
---|
2929 | size_t len = 0;
|
---|
2930 |
|
---|
2931 | ret = mbedtls_ecjpake_write_round_two(
|
---|
2932 | &ssl->handshake->ecjpake_ctx,
|
---|
2933 | ssl->out_msg + ssl->out_msglen,
|
---|
2934 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
|
---|
2935 | ssl->conf->f_rng, ssl->conf->p_rng );
|
---|
2936 | if( ret != 0 )
|
---|
2937 | {
|
---|
2938 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
|
---|
2939 | return( ret );
|
---|
2940 | }
|
---|
2941 |
|
---|
2942 | ssl->out_msglen += len;
|
---|
2943 | }
|
---|
2944 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
2945 |
|
---|
2946 | /*
|
---|
2947 | * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
|
---|
2948 | * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
|
---|
2949 | * we use empty support identity hints here.
|
---|
2950 | **/
|
---|
2951 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
---|
2952 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
---|
2953 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
---|
2954 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
---|
2955 | {
|
---|
2956 | ssl->out_msg[ssl->out_msglen++] = 0x00;
|
---|
2957 | ssl->out_msg[ssl->out_msglen++] = 0x00;
|
---|
2958 | }
|
---|
2959 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
|
---|
2960 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
---|
2961 |
|
---|
2962 | /*
|
---|
2963 | * - DHE key exchanges
|
---|
2964 | */
|
---|
2965 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
|
---|
2966 | if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
|
---|
2967 | {
|
---|
2968 | int ret;
|
---|
2969 | size_t len = 0;
|
---|
2970 |
|
---|
2971 | if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
|
---|
2972 | {
|
---|
2973 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
|
---|
2974 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
---|
2975 | }
|
---|
2976 |
|
---|
2977 | /*
|
---|
2978 | * Ephemeral DH parameters:
|
---|
2979 | *
|
---|
2980 | * struct {
|
---|
2981 | * opaque dh_p<1..2^16-1>;
|
---|
2982 | * opaque dh_g<1..2^16-1>;
|
---|
2983 | * opaque dh_Ys<1..2^16-1>;
|
---|
2984 | * } ServerDHParams;
|
---|
2985 | */
|
---|
2986 | if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx,
|
---|
2987 | &ssl->conf->dhm_P,
|
---|
2988 | &ssl->conf->dhm_G ) ) != 0 )
|
---|
2989 | {
|
---|
2990 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret );
|
---|
2991 | return( ret );
|
---|
2992 | }
|
---|
2993 |
|
---|
2994 | if( ( ret = mbedtls_dhm_make_params(
|
---|
2995 | &ssl->handshake->dhm_ctx,
|
---|
2996 | (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
|
---|
2997 | ssl->out_msg + ssl->out_msglen, &len,
|
---|
2998 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
---|
2999 | {
|
---|
3000 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
|
---|
3001 | return( ret );
|
---|
3002 | }
|
---|
3003 |
|
---|
3004 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
3005 | dig_signed = ssl->out_msg + ssl->out_msglen;
|
---|
3006 | #endif
|
---|
3007 |
|
---|
3008 | ssl->out_msglen += len;
|
---|
3009 |
|
---|
3010 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
|
---|
3011 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
|
---|
3012 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
|
---|
3013 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
|
---|
3014 | }
|
---|
3015 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
|
---|
3016 |
|
---|
3017 | /*
|
---|
3018 | * - ECDHE key exchanges
|
---|
3019 | */
|
---|
3020 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
|
---|
3021 | if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
|
---|
3022 | {
|
---|
3023 | /*
|
---|
3024 | * Ephemeral ECDH parameters:
|
---|
3025 | *
|
---|
3026 | * struct {
|
---|
3027 | * ECParameters curve_params;
|
---|
3028 | * ECPoint public;
|
---|
3029 | * } ServerECDHParams;
|
---|
3030 | */
|
---|
3031 | const mbedtls_ecp_curve_info **curve = NULL;
|
---|
3032 | const mbedtls_ecp_group_id *gid;
|
---|
3033 | int ret;
|
---|
3034 | size_t len = 0;
|
---|
3035 |
|
---|
3036 | /* Match our preference list against the offered curves */
|
---|
3037 | for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
|
---|
3038 | for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
|
---|
3039 | if( (*curve)->grp_id == *gid )
|
---|
3040 | goto curve_matching_done;
|
---|
3041 |
|
---|
3042 | curve_matching_done:
|
---|
3043 | if( curve == NULL || *curve == NULL )
|
---|
3044 | {
|
---|
3045 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
|
---|
3046 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
|
---|
3047 | }
|
---|
3048 |
|
---|
3049 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
|
---|
3050 |
|
---|
3051 | if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
|
---|
3052 | (*curve)->grp_id ) ) != 0 )
|
---|
3053 | {
|
---|
3054 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
|
---|
3055 | return( ret );
|
---|
3056 | }
|
---|
3057 |
|
---|
3058 | if( ( ret = mbedtls_ecdh_make_params(
|
---|
3059 | &ssl->handshake->ecdh_ctx, &len,
|
---|
3060 | ssl->out_msg + ssl->out_msglen,
|
---|
3061 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
|
---|
3062 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
---|
3063 | {
|
---|
3064 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
|
---|
3065 | return( ret );
|
---|
3066 | }
|
---|
3067 |
|
---|
3068 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
3069 | dig_signed = ssl->out_msg + ssl->out_msglen;
|
---|
3070 | #endif
|
---|
3071 |
|
---|
3072 | ssl->out_msglen += len;
|
---|
3073 |
|
---|
3074 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
---|
3075 | MBEDTLS_DEBUG_ECDH_Q );
|
---|
3076 | }
|
---|
3077 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
|
---|
3078 |
|
---|
3079 | /*
|
---|
3080 | *
|
---|
3081 | * Part 2: For key exchanges involving the server signing the
|
---|
3082 | * exchange parameters, compute and add the signature here.
|
---|
3083 | *
|
---|
3084 | */
|
---|
3085 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
3086 | if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
|
---|
3087 | {
|
---|
3088 | size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
|
---|
3089 | size_t hashlen = 0;
|
---|
3090 | unsigned char hash[MBEDTLS_MD_MAX_SIZE];
|
---|
3091 | int ret;
|
---|
3092 |
|
---|
3093 | /*
|
---|
3094 | * 2.1: Choose hash algorithm:
|
---|
3095 | * A: For TLS 1.2, obey signature-hash-algorithm extension
|
---|
3096 | * to choose appropriate hash.
|
---|
3097 | * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
|
---|
3098 | * (RFC 4492, Sec. 5.4)
|
---|
3099 | * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
|
---|
3100 | */
|
---|
3101 |
|
---|
3102 | mbedtls_md_type_t md_alg;
|
---|
3103 |
|
---|
3104 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
3105 | mbedtls_pk_type_t sig_alg =
|
---|
3106 | mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
---|
3107 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
3108 | {
|
---|
3109 | /* A: For TLS 1.2, obey signature-hash-algorithm extension
|
---|
3110 | * (RFC 5246, Sec. 7.4.1.4.1). */
|
---|
3111 | if( sig_alg == MBEDTLS_PK_NONE ||
|
---|
3112 | ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
|
---|
3113 | sig_alg ) ) == MBEDTLS_MD_NONE )
|
---|
3114 | {
|
---|
3115 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
3116 | /* (... because we choose a cipher suite
|
---|
3117 | * only if there is a matching hash.) */
|
---|
3118 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
3119 | }
|
---|
3120 | }
|
---|
3121 | else
|
---|
3122 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
---|
3123 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
---|
3124 | defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
---|
3125 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
---|
3126 | {
|
---|
3127 | /* B: Default hash SHA1 */
|
---|
3128 | md_alg = MBEDTLS_MD_SHA1;
|
---|
3129 | }
|
---|
3130 | else
|
---|
3131 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
|
---|
3132 | MBEDTLS_SSL_PROTO_TLS1_1 */
|
---|
3133 | {
|
---|
3134 | /* C: MD5 + SHA1 */
|
---|
3135 | md_alg = MBEDTLS_MD_NONE;
|
---|
3136 | }
|
---|
3137 |
|
---|
3138 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
|
---|
3139 |
|
---|
3140 | /*
|
---|
3141 | * 2.2: Compute the hash to be signed
|
---|
3142 | */
|
---|
3143 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
---|
3144 | defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
---|
3145 | if( md_alg == MBEDTLS_MD_NONE )
|
---|
3146 | {
|
---|
3147 | hashlen = 36;
|
---|
3148 | ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash,
|
---|
3149 | dig_signed,
|
---|
3150 | dig_signed_len );
|
---|
3151 | if( ret != 0 )
|
---|
3152 | return( ret );
|
---|
3153 | }
|
---|
3154 | else
|
---|
3155 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
|
---|
3156 | MBEDTLS_SSL_PROTO_TLS1_1 */
|
---|
3157 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
---|
3158 | defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
3159 | if( md_alg != MBEDTLS_MD_NONE )
|
---|
3160 | {
|
---|
3161 | ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
|
---|
3162 | dig_signed,
|
---|
3163 | dig_signed_len,
|
---|
3164 | md_alg );
|
---|
3165 | if( ret != 0 )
|
---|
3166 | return( ret );
|
---|
3167 | }
|
---|
3168 | else
|
---|
3169 | #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
|
---|
3170 | MBEDTLS_SSL_PROTO_TLS1_2 */
|
---|
3171 | {
|
---|
3172 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
3173 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
3174 | }
|
---|
3175 |
|
---|
3176 | MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
|
---|
3177 |
|
---|
3178 | /*
|
---|
3179 | * 2.3: Compute and add the signature
|
---|
3180 | */
|
---|
3181 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
3182 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
3183 | {
|
---|
3184 | /*
|
---|
3185 | * For TLS 1.2, we need to specify signature and hash algorithm
|
---|
3186 | * explicitly through a prefix to the signature.
|
---|
3187 | *
|
---|
3188 | * struct {
|
---|
3189 | * HashAlgorithm hash;
|
---|
3190 | * SignatureAlgorithm signature;
|
---|
3191 | * } SignatureAndHashAlgorithm;
|
---|
3192 | *
|
---|
3193 | * struct {
|
---|
3194 | * SignatureAndHashAlgorithm algorithm;
|
---|
3195 | * opaque signature<0..2^16-1>;
|
---|
3196 | * } DigitallySigned;
|
---|
3197 | *
|
---|
3198 | */
|
---|
3199 |
|
---|
3200 | ssl->out_msg[ssl->out_msglen++] =
|
---|
3201 | mbedtls_ssl_hash_from_md_alg( md_alg );
|
---|
3202 | ssl->out_msg[ssl->out_msglen++] =
|
---|
3203 | mbedtls_ssl_sig_from_pk_alg( sig_alg );
|
---|
3204 | }
|
---|
3205 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
---|
3206 |
|
---|
3207 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
3208 | if( ssl->conf->f_async_sign_start != NULL )
|
---|
3209 | {
|
---|
3210 | ret = ssl->conf->f_async_sign_start( ssl,
|
---|
3211 | mbedtls_ssl_own_cert( ssl ),
|
---|
3212 | md_alg, hash, hashlen );
|
---|
3213 | switch( ret )
|
---|
3214 | {
|
---|
3215 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
|
---|
3216 | /* act as if f_async_sign was null */
|
---|
3217 | break;
|
---|
3218 | case 0:
|
---|
3219 | ssl->handshake->async_in_progress = 1;
|
---|
3220 | return( ssl_resume_server_key_exchange( ssl, signature_len ) );
|
---|
3221 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
|
---|
3222 | ssl->handshake->async_in_progress = 1;
|
---|
3223 | return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
|
---|
3224 | default:
|
---|
3225 | MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret );
|
---|
3226 | return( ret );
|
---|
3227 | }
|
---|
3228 | }
|
---|
3229 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
3230 |
|
---|
3231 | if( mbedtls_ssl_own_key( ssl ) == NULL )
|
---|
3232 | {
|
---|
3233 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
|
---|
3234 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
---|
3235 | }
|
---|
3236 |
|
---|
3237 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the
|
---|
3238 | * signature length which will be added in ssl_write_server_key_exchange
|
---|
3239 | * after the call to ssl_prepare_server_key_exchange.
|
---|
3240 | * ssl_write_server_key_exchange also takes care of incrementing
|
---|
3241 | * ssl->out_msglen. */
|
---|
3242 | if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
|
---|
3243 | md_alg, hash, hashlen,
|
---|
3244 | ssl->out_msg + ssl->out_msglen + 2,
|
---|
3245 | signature_len,
|
---|
3246 | ssl->conf->f_rng,
|
---|
3247 | ssl->conf->p_rng ) ) != 0 )
|
---|
3248 | {
|
---|
3249 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
|
---|
3250 | return( ret );
|
---|
3251 | }
|
---|
3252 | }
|
---|
3253 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
---|
3254 |
|
---|
3255 | return( 0 );
|
---|
3256 | }
|
---|
3257 |
|
---|
3258 | /* Prepare the ServerKeyExchange message and send it. For ciphersuites
|
---|
3259 | * that do not include a ServerKeyExchange message, do nothing. Either
|
---|
3260 | * way, if successful, move on to the next step in the SSL state
|
---|
3261 | * machine. */
|
---|
3262 | static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
|
---|
3263 | {
|
---|
3264 | int ret;
|
---|
3265 | size_t signature_len = 0;
|
---|
3266 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
|
---|
3267 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
3268 | ssl->transform_negotiate->ciphersuite_info;
|
---|
3269 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
|
---|
3270 |
|
---|
3271 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
|
---|
3272 |
|
---|
3273 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
|
---|
3274 | /* Extract static ECDH parameters and abort if ServerKeyExchange
|
---|
3275 | * is not needed. */
|
---|
3276 | if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
|
---|
3277 | {
|
---|
3278 | /* For suites involving ECDH, extract DH parameters
|
---|
3279 | * from certificate at this point. */
|
---|
3280 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
|
---|
3281 | if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
|
---|
3282 | {
|
---|
3283 | ssl_get_ecdh_params_from_cert( ssl );
|
---|
3284 | }
|
---|
3285 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
|
---|
3286 |
|
---|
3287 | /* Key exchanges not involving ephemeral keys don't use
|
---|
3288 | * ServerKeyExchange, so end here. */
|
---|
3289 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
|
---|
3290 | ssl->state++;
|
---|
3291 | return( 0 );
|
---|
3292 | }
|
---|
3293 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
|
---|
3294 |
|
---|
3295 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
|
---|
3296 | defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
3297 | /* If we have already prepared the message and there is an ongoing
|
---|
3298 | * signature operation, resume signing. */
|
---|
3299 | if( ssl->handshake->async_in_progress != 0 )
|
---|
3300 | {
|
---|
3301 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
|
---|
3302 | ret = ssl_resume_server_key_exchange( ssl, &signature_len );
|
---|
3303 | }
|
---|
3304 | else
|
---|
3305 | #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
|
---|
3306 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
|
---|
3307 | {
|
---|
3308 | /* ServerKeyExchange is needed. Prepare the message. */
|
---|
3309 | ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
|
---|
3310 | }
|
---|
3311 |
|
---|
3312 | if( ret != 0 )
|
---|
3313 | {
|
---|
3314 | /* If we're starting to write a new message, set ssl->out_msglen
|
---|
3315 | * to 0. But if we're resuming after an asynchronous message,
|
---|
3316 | * out_msglen is the amount of data written so far and mst be
|
---|
3317 | * preserved. */
|
---|
3318 | if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
|
---|
3319 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
|
---|
3320 | else
|
---|
3321 | ssl->out_msglen = 0;
|
---|
3322 | return( ret );
|
---|
3323 | }
|
---|
3324 |
|
---|
3325 | /* If there is a signature, write its length.
|
---|
3326 | * ssl_prepare_server_key_exchange already wrote the signature
|
---|
3327 | * itself at its proper place in the output buffer. */
|
---|
3328 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
3329 | if( signature_len != 0 )
|
---|
3330 | {
|
---|
3331 | ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
|
---|
3332 | ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len );
|
---|
3333 |
|
---|
3334 | MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
|
---|
3335 | ssl->out_msg + ssl->out_msglen,
|
---|
3336 | signature_len );
|
---|
3337 |
|
---|
3338 | /* Skip over the already-written signature */
|
---|
3339 | ssl->out_msglen += signature_len;
|
---|
3340 | }
|
---|
3341 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
---|
3342 |
|
---|
3343 | /* Add header and send. */
|
---|
3344 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
3345 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
|
---|
3346 |
|
---|
3347 | ssl->state++;
|
---|
3348 |
|
---|
3349 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
|
---|
3350 | {
|
---|
3351 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
|
---|
3352 | return( ret );
|
---|
3353 | }
|
---|
3354 |
|
---|
3355 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
|
---|
3356 | return( 0 );
|
---|
3357 | }
|
---|
3358 |
|
---|
3359 | static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
|
---|
3360 | {
|
---|
3361 | int ret;
|
---|
3362 |
|
---|
3363 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
|
---|
3364 |
|
---|
3365 | ssl->out_msglen = 4;
|
---|
3366 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
3367 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
|
---|
3368 |
|
---|
3369 | ssl->state++;
|
---|
3370 |
|
---|
3371 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
3372 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
3373 | mbedtls_ssl_send_flight_completed( ssl );
|
---|
3374 | #endif
|
---|
3375 |
|
---|
3376 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
|
---|
3377 | {
|
---|
3378 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
|
---|
3379 | return( ret );
|
---|
3380 | }
|
---|
3381 |
|
---|
3382 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
3383 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
---|
3384 | ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
|
---|
3385 | {
|
---|
3386 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
|
---|
3387 | return( ret );
|
---|
3388 | }
|
---|
3389 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
3390 |
|
---|
3391 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
|
---|
3392 |
|
---|
3393 | return( 0 );
|
---|
3394 | }
|
---|
3395 |
|
---|
3396 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
---|
3397 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
---|
3398 | static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
|
---|
3399 | const unsigned char *end )
|
---|
3400 | {
|
---|
3401 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
---|
3402 | size_t n;
|
---|
3403 |
|
---|
3404 | /*
|
---|
3405 | * Receive G^Y mod P, premaster = (G^Y)^X mod P
|
---|
3406 | */
|
---|
3407 | if( *p + 2 > end )
|
---|
3408 | {
|
---|
3409 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
3410 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3411 | }
|
---|
3412 |
|
---|
3413 | n = ( (*p)[0] << 8 ) | (*p)[1];
|
---|
3414 | *p += 2;
|
---|
3415 |
|
---|
3416 | if( *p + n > end )
|
---|
3417 | {
|
---|
3418 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
3419 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3420 | }
|
---|
3421 |
|
---|
3422 | if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
|
---|
3423 | {
|
---|
3424 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
|
---|
3425 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
|
---|
3426 | }
|
---|
3427 |
|
---|
3428 | *p += n;
|
---|
3429 |
|
---|
3430 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
|
---|
3431 |
|
---|
3432 | return( ret );
|
---|
3433 | }
|
---|
3434 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
|
---|
3435 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
---|
3436 |
|
---|
3437 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
---|
3438 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
---|
3439 |
|
---|
3440 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
3441 | static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
|
---|
3442 | unsigned char *peer_pms,
|
---|
3443 | size_t *peer_pmslen,
|
---|
3444 | size_t peer_pmssize )
|
---|
3445 | {
|
---|
3446 | int ret = ssl->conf->f_async_resume( ssl,
|
---|
3447 | peer_pms, peer_pmslen, peer_pmssize );
|
---|
3448 | if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
|
---|
3449 | {
|
---|
3450 | ssl->handshake->async_in_progress = 0;
|
---|
3451 | mbedtls_ssl_set_async_operation_data( ssl, NULL );
|
---|
3452 | }
|
---|
3453 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
|
---|
3454 | return( ret );
|
---|
3455 | }
|
---|
3456 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
3457 |
|
---|
3458 | static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
|
---|
3459 | const unsigned char *p,
|
---|
3460 | const unsigned char *end,
|
---|
3461 | unsigned char *peer_pms,
|
---|
3462 | size_t *peer_pmslen,
|
---|
3463 | size_t peer_pmssize )
|
---|
3464 | {
|
---|
3465 | int ret;
|
---|
3466 | mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
|
---|
3467 | mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
|
---|
3468 | size_t len = mbedtls_pk_get_len( public_key );
|
---|
3469 |
|
---|
3470 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
3471 | /* If we have already started decoding the message and there is an ongoing
|
---|
3472 | * decryption operation, resume signing. */
|
---|
3473 | if( ssl->handshake->async_in_progress != 0 )
|
---|
3474 | {
|
---|
3475 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
|
---|
3476 | return( ssl_resume_decrypt_pms( ssl,
|
---|
3477 | peer_pms, peer_pmslen, peer_pmssize ) );
|
---|
3478 | }
|
---|
3479 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
3480 |
|
---|
3481 | /*
|
---|
3482 | * Prepare to decrypt the premaster using own private RSA key
|
---|
3483 | */
|
---|
3484 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
---|
3485 | defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
3486 | if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
---|
3487 | {
|
---|
3488 | if ( p + 2 > end ) {
|
---|
3489 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
3490 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3491 | }
|
---|
3492 | if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
|
---|
3493 | *p++ != ( ( len ) & 0xFF ) )
|
---|
3494 | {
|
---|
3495 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
3496 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3497 | }
|
---|
3498 | }
|
---|
3499 | #endif
|
---|
3500 |
|
---|
3501 | if( p + len != end )
|
---|
3502 | {
|
---|
3503 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
3504 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3505 | }
|
---|
3506 |
|
---|
3507 | /*
|
---|
3508 | * Decrypt the premaster secret
|
---|
3509 | */
|
---|
3510 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
3511 | if( ssl->conf->f_async_decrypt_start != NULL )
|
---|
3512 | {
|
---|
3513 | ret = ssl->conf->f_async_decrypt_start( ssl,
|
---|
3514 | mbedtls_ssl_own_cert( ssl ),
|
---|
3515 | p, len );
|
---|
3516 | switch( ret )
|
---|
3517 | {
|
---|
3518 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
|
---|
3519 | /* act as if f_async_decrypt_start was null */
|
---|
3520 | break;
|
---|
3521 | case 0:
|
---|
3522 | ssl->handshake->async_in_progress = 1;
|
---|
3523 | return( ssl_resume_decrypt_pms( ssl,
|
---|
3524 | peer_pms,
|
---|
3525 | peer_pmslen,
|
---|
3526 | peer_pmssize ) );
|
---|
3527 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
|
---|
3528 | ssl->handshake->async_in_progress = 1;
|
---|
3529 | return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
|
---|
3530 | default:
|
---|
3531 | MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret );
|
---|
3532 | return( ret );
|
---|
3533 | }
|
---|
3534 | }
|
---|
3535 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
3536 |
|
---|
3537 | if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
|
---|
3538 | {
|
---|
3539 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
|
---|
3540 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
---|
3541 | }
|
---|
3542 |
|
---|
3543 | ret = mbedtls_pk_decrypt( private_key, p, len,
|
---|
3544 | peer_pms, peer_pmslen, peer_pmssize,
|
---|
3545 | ssl->conf->f_rng, ssl->conf->p_rng );
|
---|
3546 | return( ret );
|
---|
3547 | }
|
---|
3548 |
|
---|
3549 | static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
|
---|
3550 | const unsigned char *p,
|
---|
3551 | const unsigned char *end,
|
---|
3552 | size_t pms_offset )
|
---|
3553 | {
|
---|
3554 | int ret;
|
---|
3555 | unsigned char *pms = ssl->handshake->premaster + pms_offset;
|
---|
3556 | unsigned char ver[2];
|
---|
3557 | unsigned char fake_pms[48], peer_pms[48];
|
---|
3558 | unsigned char mask;
|
---|
3559 | size_t i, peer_pmslen;
|
---|
3560 | unsigned int diff;
|
---|
3561 |
|
---|
3562 | /* In case of a failure in decryption, the decryption may write less than
|
---|
3563 | * 2 bytes of output, but we always read the first two bytes. It doesn't
|
---|
3564 | * matter in the end because diff will be nonzero in that case due to
|
---|
3565 | * peer_pmslen being less than 48, and we only care whether diff is 0.
|
---|
3566 | * But do initialize peer_pms for robustness anyway. This also makes
|
---|
3567 | * memory analyzers happy (don't access uninitialized memory, even
|
---|
3568 | * if it's an unsigned char). */
|
---|
3569 | peer_pms[0] = peer_pms[1] = ~0;
|
---|
3570 |
|
---|
3571 | ret = ssl_decrypt_encrypted_pms( ssl, p, end,
|
---|
3572 | peer_pms,
|
---|
3573 | &peer_pmslen,
|
---|
3574 | sizeof( peer_pms ) );
|
---|
3575 |
|
---|
3576 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
3577 | if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
|
---|
3578 | return( ret );
|
---|
3579 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
3580 |
|
---|
3581 | mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
|
---|
3582 | ssl->handshake->max_minor_ver,
|
---|
3583 | ssl->conf->transport, ver );
|
---|
3584 |
|
---|
3585 | /* Avoid data-dependent branches while checking for invalid
|
---|
3586 | * padding, to protect against timing-based Bleichenbacher-type
|
---|
3587 | * attacks. */
|
---|
3588 | diff = (unsigned int) ret;
|
---|
3589 | diff |= peer_pmslen ^ 48;
|
---|
3590 | diff |= peer_pms[0] ^ ver[0];
|
---|
3591 | diff |= peer_pms[1] ^ ver[1];
|
---|
3592 |
|
---|
3593 | /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
|
---|
3594 | /* MSVC has a warning about unary minus on unsigned, but this is
|
---|
3595 | * well-defined and precisely what we want to do here */
|
---|
3596 | #if defined(_MSC_VER)
|
---|
3597 | #pragma warning( push )
|
---|
3598 | #pragma warning( disable : 4146 )
|
---|
3599 | #endif
|
---|
3600 | mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
|
---|
3601 | #if defined(_MSC_VER)
|
---|
3602 | #pragma warning( pop )
|
---|
3603 | #endif
|
---|
3604 |
|
---|
3605 | /*
|
---|
3606 | * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
|
---|
3607 | * must not cause the connection to end immediately; instead, send a
|
---|
3608 | * bad_record_mac later in the handshake.
|
---|
3609 | * To protect against timing-based variants of the attack, we must
|
---|
3610 | * not have any branch that depends on whether the decryption was
|
---|
3611 | * successful. In particular, always generate the fake premaster secret,
|
---|
3612 | * regardless of whether it will ultimately influence the output or not.
|
---|
3613 | */
|
---|
3614 | ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
|
---|
3615 | if( ret != 0 )
|
---|
3616 | {
|
---|
3617 | /* It's ok to abort on an RNG failure, since this does not reveal
|
---|
3618 | * anything about the RSA decryption. */
|
---|
3619 | return( ret );
|
---|
3620 | }
|
---|
3621 |
|
---|
3622 | #if defined(MBEDTLS_SSL_DEBUG_ALL)
|
---|
3623 | if( diff != 0 )
|
---|
3624 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
3625 | #endif
|
---|
3626 |
|
---|
3627 | if( sizeof( ssl->handshake->premaster ) < pms_offset ||
|
---|
3628 | sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
|
---|
3629 | {
|
---|
3630 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
3631 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
3632 | }
|
---|
3633 | ssl->handshake->pmslen = 48;
|
---|
3634 |
|
---|
3635 | /* Set pms to either the true or the fake PMS, without
|
---|
3636 | * data-dependent branches. */
|
---|
3637 | for( i = 0; i < ssl->handshake->pmslen; i++ )
|
---|
3638 | pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
|
---|
3639 |
|
---|
3640 | return( 0 );
|
---|
3641 | }
|
---|
3642 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
|
---|
3643 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
---|
3644 |
|
---|
3645 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
---|
3646 | static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
|
---|
3647 | const unsigned char *end )
|
---|
3648 | {
|
---|
3649 | int ret = 0;
|
---|
3650 | size_t n;
|
---|
3651 |
|
---|
3652 | if( ssl->conf->f_psk == NULL &&
|
---|
3653 | ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
|
---|
3654 | ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
|
---|
3655 | {
|
---|
3656 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
|
---|
3657 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
---|
3658 | }
|
---|
3659 |
|
---|
3660 | /*
|
---|
3661 | * Receive client pre-shared key identity name
|
---|
3662 | */
|
---|
3663 | if( end - *p < 2 )
|
---|
3664 | {
|
---|
3665 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
3666 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3667 | }
|
---|
3668 |
|
---|
3669 | n = ( (*p)[0] << 8 ) | (*p)[1];
|
---|
3670 | *p += 2;
|
---|
3671 |
|
---|
3672 | if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
|
---|
3673 | {
|
---|
3674 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
3675 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3676 | }
|
---|
3677 |
|
---|
3678 | if( ssl->conf->f_psk != NULL )
|
---|
3679 | {
|
---|
3680 | if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
|
---|
3681 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
|
---|
3682 | }
|
---|
3683 | else
|
---|
3684 | {
|
---|
3685 | /* Identity is not a big secret since clients send it in the clear,
|
---|
3686 | * but treat it carefully anyway, just in case */
|
---|
3687 | if( n != ssl->conf->psk_identity_len ||
|
---|
3688 | mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
|
---|
3689 | {
|
---|
3690 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
|
---|
3691 | }
|
---|
3692 | }
|
---|
3693 |
|
---|
3694 | if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
|
---|
3695 | {
|
---|
3696 | MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
|
---|
3697 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
3698 | MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
|
---|
3699 | return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
|
---|
3700 | }
|
---|
3701 |
|
---|
3702 | *p += n;
|
---|
3703 |
|
---|
3704 | return( 0 );
|
---|
3705 | }
|
---|
3706 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
|
---|
3707 |
|
---|
3708 | static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
---|
3709 | {
|
---|
3710 | int ret;
|
---|
3711 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
---|
3712 | unsigned char *p, *end;
|
---|
3713 |
|
---|
3714 | ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
|
---|
3715 |
|
---|
3716 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
|
---|
3717 |
|
---|
3718 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
|
---|
3719 | ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
---|
3720 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
|
---|
3721 | if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
---|
3722 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
|
---|
3723 | ( ssl->handshake->async_in_progress != 0 ) )
|
---|
3724 | {
|
---|
3725 | /* We've already read a record and there is an asynchronous
|
---|
3726 | * operation in progress to decrypt it. So skip reading the
|
---|
3727 | * record. */
|
---|
3728 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
|
---|
3729 | }
|
---|
3730 | else
|
---|
3731 | #endif
|
---|
3732 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
|
---|
3733 | {
|
---|
3734 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
|
---|
3735 | return( ret );
|
---|
3736 | }
|
---|
3737 |
|
---|
3738 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
|
---|
3739 | end = ssl->in_msg + ssl->in_hslen;
|
---|
3740 |
|
---|
3741 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
|
---|
3742 | {
|
---|
3743 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
3744 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3745 | }
|
---|
3746 |
|
---|
3747 | if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
|
---|
3748 | {
|
---|
3749 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
3750 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3751 | }
|
---|
3752 |
|
---|
3753 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
|
---|
3754 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
|
---|
3755 | {
|
---|
3756 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
|
---|
3757 | {
|
---|
3758 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
|
---|
3759 | return( ret );
|
---|
3760 | }
|
---|
3761 |
|
---|
3762 | if( p != end )
|
---|
3763 | {
|
---|
3764 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
|
---|
3765 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3766 | }
|
---|
3767 |
|
---|
3768 | if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
|
---|
3769 | ssl->handshake->premaster,
|
---|
3770 | MBEDTLS_PREMASTER_SIZE,
|
---|
3771 | &ssl->handshake->pmslen,
|
---|
3772 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
---|
3773 | {
|
---|
3774 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
|
---|
3775 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
|
---|
3776 | }
|
---|
3777 |
|
---|
3778 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
|
---|
3779 | }
|
---|
3780 | else
|
---|
3781 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
|
---|
3782 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
---|
3783 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
---|
3784 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
---|
3785 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
---|
3786 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
---|
3787 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
|
---|
3788 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
---|
3789 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
---|
3790 | {
|
---|
3791 | if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
|
---|
3792 | p, end - p) ) != 0 )
|
---|
3793 | {
|
---|
3794 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
|
---|
3795 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
|
---|
3796 | }
|
---|
3797 |
|
---|
3798 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
---|
3799 | MBEDTLS_DEBUG_ECDH_QP );
|
---|
3800 |
|
---|
3801 | if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
|
---|
3802 | &ssl->handshake->pmslen,
|
---|
3803 | ssl->handshake->premaster,
|
---|
3804 | MBEDTLS_MPI_MAX_SIZE,
|
---|
3805 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
---|
3806 | {
|
---|
3807 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
|
---|
3808 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
|
---|
3809 | }
|
---|
3810 |
|
---|
3811 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
---|
3812 | MBEDTLS_DEBUG_ECDH_Z );
|
---|
3813 | }
|
---|
3814 | else
|
---|
3815 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
---|
3816 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
|
---|
3817 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
|
---|
3818 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
|
---|
3819 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
---|
3820 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
|
---|
3821 | {
|
---|
3822 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
---|
3823 | {
|
---|
3824 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
|
---|
3825 | return( ret );
|
---|
3826 | }
|
---|
3827 |
|
---|
3828 | if( p != end )
|
---|
3829 | {
|
---|
3830 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
|
---|
3831 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3832 | }
|
---|
3833 |
|
---|
3834 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
---|
3835 | ciphersuite_info->key_exchange ) ) != 0 )
|
---|
3836 | {
|
---|
3837 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
---|
3838 | return( ret );
|
---|
3839 | }
|
---|
3840 | }
|
---|
3841 | else
|
---|
3842 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
|
---|
3843 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
---|
3844 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
---|
3845 | {
|
---|
3846 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
3847 | if ( ssl->handshake->async_in_progress != 0 )
|
---|
3848 | {
|
---|
3849 | /* There is an asynchronous operation in progress to
|
---|
3850 | * decrypt the encrypted premaster secret, so skip
|
---|
3851 | * directly to resuming this operation. */
|
---|
3852 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
|
---|
3853 | /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
|
---|
3854 | * won't actually use it, but maintain p anyway for robustness. */
|
---|
3855 | p += ssl->conf->psk_identity_len + 2;
|
---|
3856 | }
|
---|
3857 | else
|
---|
3858 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
3859 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
---|
3860 | {
|
---|
3861 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
|
---|
3862 | return( ret );
|
---|
3863 | }
|
---|
3864 |
|
---|
3865 | if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
|
---|
3866 | {
|
---|
3867 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
|
---|
3868 | return( ret );
|
---|
3869 | }
|
---|
3870 |
|
---|
3871 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
---|
3872 | ciphersuite_info->key_exchange ) ) != 0 )
|
---|
3873 | {
|
---|
3874 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
---|
3875 | return( ret );
|
---|
3876 | }
|
---|
3877 | }
|
---|
3878 | else
|
---|
3879 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
---|
3880 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
---|
3881 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
---|
3882 | {
|
---|
3883 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
---|
3884 | {
|
---|
3885 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
|
---|
3886 | return( ret );
|
---|
3887 | }
|
---|
3888 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
|
---|
3889 | {
|
---|
3890 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
|
---|
3891 | return( ret );
|
---|
3892 | }
|
---|
3893 |
|
---|
3894 | if( p != end )
|
---|
3895 | {
|
---|
3896 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
|
---|
3897 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
3898 | }
|
---|
3899 |
|
---|
3900 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
---|
3901 | ciphersuite_info->key_exchange ) ) != 0 )
|
---|
3902 | {
|
---|
3903 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
---|
3904 | return( ret );
|
---|
3905 | }
|
---|
3906 | }
|
---|
3907 | else
|
---|
3908 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
---|
3909 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
---|
3910 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
---|
3911 | {
|
---|
3912 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
---|
3913 | {
|
---|
3914 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
|
---|
3915 | return( ret );
|
---|
3916 | }
|
---|
3917 |
|
---|
3918 | if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
|
---|
3919 | p, end - p ) ) != 0 )
|
---|
3920 | {
|
---|
3921 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
|
---|
3922 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
|
---|
3923 | }
|
---|
3924 |
|
---|
3925 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
---|
3926 | MBEDTLS_DEBUG_ECDH_QP );
|
---|
3927 |
|
---|
3928 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
---|
3929 | ciphersuite_info->key_exchange ) ) != 0 )
|
---|
3930 | {
|
---|
3931 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
---|
3932 | return( ret );
|
---|
3933 | }
|
---|
3934 | }
|
---|
3935 | else
|
---|
3936 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
---|
3937 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
---|
3938 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
|
---|
3939 | {
|
---|
3940 | if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
|
---|
3941 | {
|
---|
3942 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
|
---|
3943 | return( ret );
|
---|
3944 | }
|
---|
3945 | }
|
---|
3946 | else
|
---|
3947 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
---|
3948 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
3949 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
---|
3950 | {
|
---|
3951 | ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
|
---|
3952 | p, end - p );
|
---|
3953 | if( ret != 0 )
|
---|
3954 | {
|
---|
3955 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
|
---|
3956 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
|
---|
3957 | }
|
---|
3958 |
|
---|
3959 | ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
|
---|
3960 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
|
---|
3961 | ssl->conf->f_rng, ssl->conf->p_rng );
|
---|
3962 | if( ret != 0 )
|
---|
3963 | {
|
---|
3964 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
|
---|
3965 | return( ret );
|
---|
3966 | }
|
---|
3967 | }
|
---|
3968 | else
|
---|
3969 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
3970 | {
|
---|
3971 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
3972 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
3973 | }
|
---|
3974 |
|
---|
3975 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
|
---|
3976 | {
|
---|
3977 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
|
---|
3978 | return( ret );
|
---|
3979 | }
|
---|
3980 |
|
---|
3981 | ssl->state++;
|
---|
3982 |
|
---|
3983 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
|
---|
3984 |
|
---|
3985 | return( 0 );
|
---|
3986 | }
|
---|
3987 |
|
---|
3988 | #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
|
---|
3989 | !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
|
---|
3990 | !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
|
---|
3991 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
|
---|
3992 | !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
|
---|
3993 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
---|
3994 | static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
---|
3995 | {
|
---|
3996 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
3997 | ssl->transform_negotiate->ciphersuite_info;
|
---|
3998 |
|
---|
3999 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
|
---|
4000 |
|
---|
4001 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
---|
4002 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
---|
4003 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
---|
4004 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
---|
4005 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
---|
4006 | {
|
---|
4007 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
|
---|
4008 | ssl->state++;
|
---|
4009 | return( 0 );
|
---|
4010 | }
|
---|
4011 |
|
---|
4012 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
4013 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
4014 | }
|
---|
4015 | #else
|
---|
4016 | static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
---|
4017 | {
|
---|
4018 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
---|
4019 | size_t i, sig_len;
|
---|
4020 | unsigned char hash[48];
|
---|
4021 | unsigned char *hash_start = hash;
|
---|
4022 | size_t hashlen;
|
---|
4023 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
4024 | mbedtls_pk_type_t pk_alg;
|
---|
4025 | #endif
|
---|
4026 | mbedtls_md_type_t md_alg;
|
---|
4027 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
4028 | ssl->transform_negotiate->ciphersuite_info;
|
---|
4029 |
|
---|
4030 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
|
---|
4031 |
|
---|
4032 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
---|
4033 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
---|
4034 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
---|
4035 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
---|
4036 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
|
---|
4037 | ssl->session_negotiate->peer_cert == NULL )
|
---|
4038 | {
|
---|
4039 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
|
---|
4040 | ssl->state++;
|
---|
4041 | return( 0 );
|
---|
4042 | }
|
---|
4043 |
|
---|
4044 | /* Read the message without adding it to the checksum */
|
---|
4045 | ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ );
|
---|
4046 | if( 0 != ret )
|
---|
4047 | {
|
---|
4048 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret );
|
---|
4049 | return( ret );
|
---|
4050 | }
|
---|
4051 |
|
---|
4052 | ssl->state++;
|
---|
4053 |
|
---|
4054 | /* Process the message contents */
|
---|
4055 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
|
---|
4056 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
|
---|
4057 | {
|
---|
4058 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
|
---|
4059 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
4060 | }
|
---|
4061 |
|
---|
4062 | i = mbedtls_ssl_hs_hdr_len( ssl );
|
---|
4063 |
|
---|
4064 | /*
|
---|
4065 | * struct {
|
---|
4066 | * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
|
---|
4067 | * opaque signature<0..2^16-1>;
|
---|
4068 | * } DigitallySigned;
|
---|
4069 | */
|
---|
4070 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
---|
4071 | defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
---|
4072 | if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
4073 | {
|
---|
4074 | md_alg = MBEDTLS_MD_NONE;
|
---|
4075 | hashlen = 36;
|
---|
4076 |
|
---|
4077 | /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
|
---|
4078 | if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
|
---|
4079 | MBEDTLS_PK_ECDSA ) )
|
---|
4080 | {
|
---|
4081 | hash_start += 16;
|
---|
4082 | hashlen -= 16;
|
---|
4083 | md_alg = MBEDTLS_MD_SHA1;
|
---|
4084 | }
|
---|
4085 | }
|
---|
4086 | else
|
---|
4087 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
|
---|
4088 | MBEDTLS_SSL_PROTO_TLS1_1 */
|
---|
4089 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
4090 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
4091 | {
|
---|
4092 | if( i + 2 > ssl->in_hslen )
|
---|
4093 | {
|
---|
4094 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
|
---|
4095 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
4096 | }
|
---|
4097 |
|
---|
4098 | /*
|
---|
4099 | * Hash
|
---|
4100 | */
|
---|
4101 | md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
|
---|
4102 |
|
---|
4103 | if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
|
---|
4104 | {
|
---|
4105 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
|
---|
4106 | " for verify message" ) );
|
---|
4107 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
4108 | }
|
---|
4109 |
|
---|
4110 | #if !defined(MBEDTLS_MD_SHA1)
|
---|
4111 | if( MBEDTLS_MD_SHA1 == md_alg )
|
---|
4112 | hash_start += 16;
|
---|
4113 | #endif
|
---|
4114 |
|
---|
4115 | /* Info from md_alg will be used instead */
|
---|
4116 | hashlen = 0;
|
---|
4117 |
|
---|
4118 | i++;
|
---|
4119 |
|
---|
4120 | /*
|
---|
4121 | * Signature
|
---|
4122 | */
|
---|
4123 | if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
|
---|
4124 | == MBEDTLS_PK_NONE )
|
---|
4125 | {
|
---|
4126 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
|
---|
4127 | " for verify message" ) );
|
---|
4128 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
4129 | }
|
---|
4130 |
|
---|
4131 | /*
|
---|
4132 | * Check the certificate's key type matches the signature alg
|
---|
4133 | */
|
---|
4134 | if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
|
---|
4135 | {
|
---|
4136 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
|
---|
4137 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
4138 | }
|
---|
4139 |
|
---|
4140 | i++;
|
---|
4141 | }
|
---|
4142 | else
|
---|
4143 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
---|
4144 | {
|
---|
4145 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
4146 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
4147 | }
|
---|
4148 |
|
---|
4149 | if( i + 2 > ssl->in_hslen )
|
---|
4150 | {
|
---|
4151 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
|
---|
4152 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
4153 | }
|
---|
4154 |
|
---|
4155 | sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
|
---|
4156 | i += 2;
|
---|
4157 |
|
---|
4158 | if( i + sig_len != ssl->in_hslen )
|
---|
4159 | {
|
---|
4160 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
|
---|
4161 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
4162 | }
|
---|
4163 |
|
---|
4164 | /* Calculate hash and verify signature */
|
---|
4165 | ssl->handshake->calc_verify( ssl, hash );
|
---|
4166 |
|
---|
4167 | if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
|
---|
4168 | md_alg, hash_start, hashlen,
|
---|
4169 | ssl->in_msg + i, sig_len ) ) != 0 )
|
---|
4170 | {
|
---|
4171 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
|
---|
4172 | return( ret );
|
---|
4173 | }
|
---|
4174 |
|
---|
4175 | mbedtls_ssl_update_handshake_status( ssl );
|
---|
4176 |
|
---|
4177 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
|
---|
4178 |
|
---|
4179 | return( ret );
|
---|
4180 | }
|
---|
4181 | #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
|
---|
4182 | !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
|
---|
4183 | !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
|
---|
4184 | !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
|
---|
4185 | !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
|
---|
4186 | !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
---|
4187 |
|
---|
4188 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
4189 | static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
|
---|
4190 | {
|
---|
4191 | int ret;
|
---|
4192 | size_t tlen;
|
---|
4193 | uint32_t lifetime;
|
---|
4194 |
|
---|
4195 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
|
---|
4196 |
|
---|
4197 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
4198 | ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
|
---|
4199 |
|
---|
4200 | /*
|
---|
4201 | * struct {
|
---|
4202 | * uint32 ticket_lifetime_hint;
|
---|
4203 | * opaque ticket<0..2^16-1>;
|
---|
4204 | * } NewSessionTicket;
|
---|
4205 | *
|
---|
4206 | * 4 . 7 ticket_lifetime_hint (0 = unspecified)
|
---|
4207 | * 8 . 9 ticket_len (n)
|
---|
4208 | * 10 . 9+n ticket content
|
---|
4209 | */
|
---|
4210 |
|
---|
4211 | if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
|
---|
4212 | ssl->session_negotiate,
|
---|
4213 | ssl->out_msg + 10,
|
---|
4214 | ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
|
---|
4215 | &tlen, &lifetime ) ) != 0 )
|
---|
4216 | {
|
---|
4217 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
|
---|
4218 | tlen = 0;
|
---|
4219 | }
|
---|
4220 |
|
---|
4221 | ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
|
---|
4222 | ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
|
---|
4223 | ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
|
---|
4224 | ssl->out_msg[7] = ( lifetime ) & 0xFF;
|
---|
4225 |
|
---|
4226 | ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
|
---|
4227 | ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
|
---|
4228 |
|
---|
4229 | ssl->out_msglen = 10 + tlen;
|
---|
4230 |
|
---|
4231 | /*
|
---|
4232 | * Morally equivalent to updating ssl->state, but NewSessionTicket and
|
---|
4233 | * ChangeCipherSpec share the same state.
|
---|
4234 | */
|
---|
4235 | ssl->handshake->new_session_ticket = 0;
|
---|
4236 |
|
---|
4237 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
|
---|
4238 | {
|
---|
4239 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
|
---|
4240 | return( ret );
|
---|
4241 | }
|
---|
4242 |
|
---|
4243 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
|
---|
4244 |
|
---|
4245 | return( 0 );
|
---|
4246 | }
|
---|
4247 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
4248 |
|
---|
4249 | /*
|
---|
4250 | * SSL handshake -- server side -- single step
|
---|
4251 | */
|
---|
4252 | int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
|
---|
4253 | {
|
---|
4254 | int ret = 0;
|
---|
4255 |
|
---|
4256 | if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
|
---|
4257 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
---|
4258 |
|
---|
4259 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
|
---|
4260 |
|
---|
4261 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
|
---|
4262 | return( ret );
|
---|
4263 |
|
---|
4264 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
4265 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
---|
4266 | ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
|
---|
4267 | {
|
---|
4268 | if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
|
---|
4269 | return( ret );
|
---|
4270 | }
|
---|
4271 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
4272 |
|
---|
4273 | switch( ssl->state )
|
---|
4274 | {
|
---|
4275 | case MBEDTLS_SSL_HELLO_REQUEST:
|
---|
4276 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
|
---|
4277 | break;
|
---|
4278 |
|
---|
4279 | /*
|
---|
4280 | * <== ClientHello
|
---|
4281 | */
|
---|
4282 | case MBEDTLS_SSL_CLIENT_HELLO:
|
---|
4283 | ret = ssl_parse_client_hello( ssl );
|
---|
4284 | break;
|
---|
4285 |
|
---|
4286 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
4287 | case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
|
---|
4288 | return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
|
---|
4289 | #endif
|
---|
4290 |
|
---|
4291 | /*
|
---|
4292 | * ==> ServerHello
|
---|
4293 | * Certificate
|
---|
4294 | * ( ServerKeyExchange )
|
---|
4295 | * ( CertificateRequest )
|
---|
4296 | * ServerHelloDone
|
---|
4297 | */
|
---|
4298 | case MBEDTLS_SSL_SERVER_HELLO:
|
---|
4299 | ret = ssl_write_server_hello( ssl );
|
---|
4300 | break;
|
---|
4301 |
|
---|
4302 | case MBEDTLS_SSL_SERVER_CERTIFICATE:
|
---|
4303 | ret = mbedtls_ssl_write_certificate( ssl );
|
---|
4304 | break;
|
---|
4305 |
|
---|
4306 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
|
---|
4307 | ret = ssl_write_server_key_exchange( ssl );
|
---|
4308 | break;
|
---|
4309 |
|
---|
4310 | case MBEDTLS_SSL_CERTIFICATE_REQUEST:
|
---|
4311 | ret = ssl_write_certificate_request( ssl );
|
---|
4312 | break;
|
---|
4313 |
|
---|
4314 | case MBEDTLS_SSL_SERVER_HELLO_DONE:
|
---|
4315 | ret = ssl_write_server_hello_done( ssl );
|
---|
4316 | break;
|
---|
4317 |
|
---|
4318 | /*
|
---|
4319 | * <== ( Certificate/Alert )
|
---|
4320 | * ClientKeyExchange
|
---|
4321 | * ( CertificateVerify )
|
---|
4322 | * ChangeCipherSpec
|
---|
4323 | * Finished
|
---|
4324 | */
|
---|
4325 | case MBEDTLS_SSL_CLIENT_CERTIFICATE:
|
---|
4326 | ret = mbedtls_ssl_parse_certificate( ssl );
|
---|
4327 | break;
|
---|
4328 |
|
---|
4329 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
|
---|
4330 | ret = ssl_parse_client_key_exchange( ssl );
|
---|
4331 | break;
|
---|
4332 |
|
---|
4333 | case MBEDTLS_SSL_CERTIFICATE_VERIFY:
|
---|
4334 | ret = ssl_parse_certificate_verify( ssl );
|
---|
4335 | break;
|
---|
4336 |
|
---|
4337 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
|
---|
4338 | ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
|
---|
4339 | break;
|
---|
4340 |
|
---|
4341 | case MBEDTLS_SSL_CLIENT_FINISHED:
|
---|
4342 | ret = mbedtls_ssl_parse_finished( ssl );
|
---|
4343 | break;
|
---|
4344 |
|
---|
4345 | /*
|
---|
4346 | * ==> ( NewSessionTicket )
|
---|
4347 | * ChangeCipherSpec
|
---|
4348 | * Finished
|
---|
4349 | */
|
---|
4350 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
|
---|
4351 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
4352 | if( ssl->handshake->new_session_ticket != 0 )
|
---|
4353 | ret = ssl_write_new_session_ticket( ssl );
|
---|
4354 | else
|
---|
4355 | #endif
|
---|
4356 | ret = mbedtls_ssl_write_change_cipher_spec( ssl );
|
---|
4357 | break;
|
---|
4358 |
|
---|
4359 | case MBEDTLS_SSL_SERVER_FINISHED:
|
---|
4360 | ret = mbedtls_ssl_write_finished( ssl );
|
---|
4361 | break;
|
---|
4362 |
|
---|
4363 | case MBEDTLS_SSL_FLUSH_BUFFERS:
|
---|
4364 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
|
---|
4365 | ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
|
---|
4366 | break;
|
---|
4367 |
|
---|
4368 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
|
---|
4369 | mbedtls_ssl_handshake_wrapup( ssl );
|
---|
4370 | break;
|
---|
4371 |
|
---|
4372 | default:
|
---|
4373 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
|
---|
4374 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
---|
4375 | }
|
---|
4376 |
|
---|
4377 | return( ret );
|
---|
4378 | }
|
---|
4379 | #endif /* MBEDTLS_SSL_SRV_C */
|
---|