[398] | 1 | /*
|
---|
| 2 | * SSLv3/TLSv1 server-side functions
|
---|
| 3 | *
|
---|
| 4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
---|
| 5 | * SPDX-License-Identifier: Apache-2.0
|
---|
| 6 | *
|
---|
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may
|
---|
| 8 | * not use this file except in compliance with the License.
|
---|
| 9 | * You may obtain a copy of the License at
|
---|
| 10 | *
|
---|
| 11 | * http://www.apache.org/licenses/LICENSE-2.0
|
---|
| 12 | *
|
---|
| 13 | * Unless required by applicable law or agreed to in writing, software
|
---|
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
---|
| 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
---|
| 16 | * See the License for the specific language governing permissions and
|
---|
| 17 | * limitations under the License.
|
---|
| 18 | *
|
---|
| 19 | * This file is part of mbed TLS (https://tls.mbed.org)
|
---|
| 20 | */
|
---|
| 21 |
|
---|
| 22 | #if !defined(MBEDTLS_CONFIG_FILE)
|
---|
| 23 | #include "mbedtls/config.h"
|
---|
| 24 | #else
|
---|
| 25 | #include MBEDTLS_CONFIG_FILE
|
---|
| 26 | #endif
|
---|
| 27 |
|
---|
| 28 | #if defined(MBEDTLS_SSL_SRV_C)
|
---|
| 29 |
|
---|
| 30 | #if defined(MBEDTLS_PLATFORM_C)
|
---|
| 31 | #include "mbedtls/platform.h"
|
---|
| 32 | #else
|
---|
| 33 | #include <stdlib.h>
|
---|
| 34 | #define mbedtls_calloc calloc
|
---|
| 35 | #define mbedtls_free free
|
---|
| 36 | #endif
|
---|
| 37 |
|
---|
| 38 | #include "mbedtls/debug.h"
|
---|
| 39 | #include "mbedtls/ssl.h"
|
---|
| 40 | #include "mbedtls/ssl_internal.h"
|
---|
| 41 | #include "mbedtls/platform_util.h"
|
---|
| 42 |
|
---|
| 43 | #include <string.h>
|
---|
| 44 |
|
---|
| 45 | #if defined(MBEDTLS_ECP_C)
|
---|
| 46 | #include "mbedtls/ecp.h"
|
---|
| 47 | #endif
|
---|
| 48 |
|
---|
| 49 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
| 50 | #include "mbedtls/platform_time.h"
|
---|
| 51 | #endif
|
---|
| 52 |
|
---|
| 53 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
|
---|
| 54 | int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
|
---|
| 55 | const unsigned char *info,
|
---|
| 56 | size_t ilen )
|
---|
| 57 | {
|
---|
| 58 | if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
|
---|
| 59 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
---|
| 60 |
|
---|
| 61 | mbedtls_free( ssl->cli_id );
|
---|
| 62 |
|
---|
| 63 | if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
|
---|
| 64 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
---|
| 65 |
|
---|
| 66 | memcpy( ssl->cli_id, info, ilen );
|
---|
| 67 | ssl->cli_id_len = ilen;
|
---|
| 68 |
|
---|
| 69 | return( 0 );
|
---|
| 70 | }
|
---|
| 71 |
|
---|
| 72 | void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
|
---|
| 73 | mbedtls_ssl_cookie_write_t *f_cookie_write,
|
---|
| 74 | mbedtls_ssl_cookie_check_t *f_cookie_check,
|
---|
| 75 | void *p_cookie )
|
---|
| 76 | {
|
---|
| 77 | conf->f_cookie_write = f_cookie_write;
|
---|
| 78 | conf->f_cookie_check = f_cookie_check;
|
---|
| 79 | conf->p_cookie = p_cookie;
|
---|
| 80 | }
|
---|
| 81 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
|
---|
| 82 |
|
---|
| 83 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
---|
| 84 | static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
|
---|
| 85 | const unsigned char *buf,
|
---|
| 86 | size_t len )
|
---|
| 87 | {
|
---|
| 88 | int ret;
|
---|
| 89 | size_t servername_list_size, hostname_len;
|
---|
| 90 | const unsigned char *p;
|
---|
| 91 |
|
---|
| 92 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
|
---|
| 93 |
|
---|
| 94 | if( len < 2 )
|
---|
| 95 | {
|
---|
| 96 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 97 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 98 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 99 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 100 | }
|
---|
| 101 | servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
---|
| 102 | if( servername_list_size + 2 != len )
|
---|
| 103 | {
|
---|
| 104 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 105 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 106 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 107 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 108 | }
|
---|
| 109 |
|
---|
| 110 | p = buf + 2;
|
---|
| 111 | while( servername_list_size > 2 )
|
---|
| 112 | {
|
---|
| 113 | hostname_len = ( ( p[1] << 8 ) | p[2] );
|
---|
| 114 | if( hostname_len + 3 > servername_list_size )
|
---|
| 115 | {
|
---|
| 116 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 117 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 118 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 119 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 120 | }
|
---|
| 121 |
|
---|
| 122 | if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
|
---|
| 123 | {
|
---|
| 124 | ret = ssl->conf->f_sni( ssl->conf->p_sni,
|
---|
| 125 | ssl, p + 3, hostname_len );
|
---|
| 126 | if( ret != 0 )
|
---|
| 127 | {
|
---|
| 128 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
|
---|
| 129 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 130 | MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
|
---|
| 131 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 132 | }
|
---|
| 133 | return( 0 );
|
---|
| 134 | }
|
---|
| 135 |
|
---|
| 136 | servername_list_size -= hostname_len + 3;
|
---|
| 137 | p += hostname_len + 3;
|
---|
| 138 | }
|
---|
| 139 |
|
---|
| 140 | if( servername_list_size != 0 )
|
---|
| 141 | {
|
---|
| 142 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 143 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 144 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
---|
| 145 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 146 | }
|
---|
| 147 |
|
---|
| 148 | return( 0 );
|
---|
| 149 | }
|
---|
| 150 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
|
---|
| 151 |
|
---|
| 152 | static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
|
---|
| 153 | const unsigned char *buf,
|
---|
| 154 | size_t len )
|
---|
| 155 | {
|
---|
| 156 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 157 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
| 158 | {
|
---|
| 159 | /* Check verify-data in constant-time. The length OTOH is no secret */
|
---|
| 160 | if( len != 1 + ssl->verify_data_len ||
|
---|
| 161 | buf[0] != ssl->verify_data_len ||
|
---|
| 162 | mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
|
---|
| 163 | ssl->verify_data_len ) != 0 )
|
---|
| 164 | {
|
---|
| 165 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
|
---|
| 166 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 167 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
| 168 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 169 | }
|
---|
| 170 | }
|
---|
| 171 | else
|
---|
| 172 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
| 173 | {
|
---|
| 174 | if( len != 1 || buf[0] != 0x0 )
|
---|
| 175 | {
|
---|
| 176 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
|
---|
| 177 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 178 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
| 179 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 180 | }
|
---|
| 181 |
|
---|
| 182 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
|
---|
| 183 | }
|
---|
| 184 |
|
---|
| 185 | return( 0 );
|
---|
| 186 | }
|
---|
| 187 |
|
---|
| 188 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
| 189 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
| 190 |
|
---|
| 191 | /*
|
---|
| 192 | * Status of the implementation of signature-algorithms extension:
|
---|
| 193 | *
|
---|
| 194 | * Currently, we are only considering the signature-algorithm extension
|
---|
| 195 | * to pick a ciphersuite which allows us to send the ServerKeyExchange
|
---|
| 196 | * message with a signature-hash combination that the user allows.
|
---|
| 197 | *
|
---|
| 198 | * We do *not* check whether all certificates in our certificate
|
---|
| 199 | * chain are signed with an allowed signature-hash pair.
|
---|
| 200 | * This needs to be done at a later stage.
|
---|
| 201 | *
|
---|
| 202 | */
|
---|
| 203 | static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
|
---|
| 204 | const unsigned char *buf,
|
---|
| 205 | size_t len )
|
---|
| 206 | {
|
---|
| 207 | size_t sig_alg_list_size;
|
---|
| 208 |
|
---|
| 209 | const unsigned char *p;
|
---|
| 210 | const unsigned char *end = buf + len;
|
---|
| 211 |
|
---|
| 212 | mbedtls_md_type_t md_cur;
|
---|
| 213 | mbedtls_pk_type_t sig_cur;
|
---|
| 214 |
|
---|
| 215 | if ( len < 2 ) {
|
---|
| 216 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 217 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 218 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 219 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 220 | }
|
---|
| 221 | sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
---|
| 222 | if( sig_alg_list_size + 2 != len ||
|
---|
| 223 | sig_alg_list_size % 2 != 0 )
|
---|
| 224 | {
|
---|
| 225 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 226 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 227 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 228 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 229 | }
|
---|
| 230 |
|
---|
| 231 | /* Currently we only guarantee signing the ServerKeyExchange message according
|
---|
| 232 | * to the constraints specified in this extension (see above), so it suffices
|
---|
| 233 | * to remember only one suitable hash for each possible signature algorithm.
|
---|
| 234 | *
|
---|
| 235 | * This will change when we also consider certificate signatures,
|
---|
| 236 | * in which case we will need to remember the whole signature-hash
|
---|
| 237 | * pair list from the extension.
|
---|
| 238 | */
|
---|
| 239 |
|
---|
| 240 | for( p = buf + 2; p < end; p += 2 )
|
---|
| 241 | {
|
---|
| 242 | /* Silently ignore unknown signature or hash algorithms. */
|
---|
| 243 |
|
---|
| 244 | if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
|
---|
| 245 | {
|
---|
| 246 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
|
---|
| 247 | " unknown sig alg encoding %d", p[1] ) );
|
---|
| 248 | continue;
|
---|
| 249 | }
|
---|
| 250 |
|
---|
| 251 | /* Check if we support the hash the user proposes */
|
---|
| 252 | md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
|
---|
| 253 | if( md_cur == MBEDTLS_MD_NONE )
|
---|
| 254 | {
|
---|
| 255 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
|
---|
| 256 | " unknown hash alg encoding %d", p[0] ) );
|
---|
| 257 | continue;
|
---|
| 258 | }
|
---|
| 259 |
|
---|
| 260 | if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
|
---|
| 261 | {
|
---|
| 262 | mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
|
---|
| 263 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
|
---|
| 264 | " match sig %d and hash %d",
|
---|
| 265 | sig_cur, md_cur ) );
|
---|
| 266 | }
|
---|
| 267 | else
|
---|
| 268 | {
|
---|
| 269 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
|
---|
| 270 | "hash alg %d not supported", md_cur ) );
|
---|
| 271 | }
|
---|
| 272 | }
|
---|
| 273 |
|
---|
| 274 | return( 0 );
|
---|
| 275 | }
|
---|
| 276 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
---|
| 277 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
---|
| 278 |
|
---|
| 279 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
---|
| 280 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 281 | static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
|
---|
| 282 | const unsigned char *buf,
|
---|
| 283 | size_t len )
|
---|
| 284 | {
|
---|
| 285 | size_t list_size, our_size;
|
---|
| 286 | const unsigned char *p;
|
---|
| 287 | const mbedtls_ecp_curve_info *curve_info, **curves;
|
---|
| 288 |
|
---|
| 289 | if ( len < 2 ) {
|
---|
| 290 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 291 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 292 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 293 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 294 | }
|
---|
| 295 | list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
---|
| 296 | if( list_size + 2 != len ||
|
---|
| 297 | list_size % 2 != 0 )
|
---|
| 298 | {
|
---|
| 299 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 300 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 301 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 302 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 303 | }
|
---|
| 304 |
|
---|
| 305 | /* Should never happen unless client duplicates the extension */
|
---|
| 306 | if( ssl->handshake->curves != NULL )
|
---|
| 307 | {
|
---|
| 308 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 309 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 310 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 311 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 312 | }
|
---|
| 313 |
|
---|
| 314 | /* Don't allow our peer to make us allocate too much memory,
|
---|
| 315 | * and leave room for a final 0 */
|
---|
| 316 | our_size = list_size / 2 + 1;
|
---|
| 317 | if( our_size > MBEDTLS_ECP_DP_MAX )
|
---|
| 318 | our_size = MBEDTLS_ECP_DP_MAX;
|
---|
| 319 |
|
---|
| 320 | if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
|
---|
| 321 | {
|
---|
| 322 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 323 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
|
---|
| 324 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
---|
| 325 | }
|
---|
| 326 |
|
---|
| 327 | ssl->handshake->curves = curves;
|
---|
| 328 |
|
---|
| 329 | p = buf + 2;
|
---|
| 330 | while( list_size > 0 && our_size > 1 )
|
---|
| 331 | {
|
---|
| 332 | curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
|
---|
| 333 |
|
---|
| 334 | if( curve_info != NULL )
|
---|
| 335 | {
|
---|
| 336 | *curves++ = curve_info;
|
---|
| 337 | our_size--;
|
---|
| 338 | }
|
---|
| 339 |
|
---|
| 340 | list_size -= 2;
|
---|
| 341 | p += 2;
|
---|
| 342 | }
|
---|
| 343 |
|
---|
| 344 | return( 0 );
|
---|
| 345 | }
|
---|
| 346 |
|
---|
| 347 | static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
|
---|
| 348 | const unsigned char *buf,
|
---|
| 349 | size_t len )
|
---|
| 350 | {
|
---|
| 351 | size_t list_size;
|
---|
| 352 | const unsigned char *p;
|
---|
| 353 |
|
---|
| 354 | if( len == 0 || (size_t)( buf[0] + 1 ) != len )
|
---|
| 355 | {
|
---|
| 356 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 357 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 358 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 359 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 360 | }
|
---|
| 361 | list_size = buf[0];
|
---|
| 362 |
|
---|
| 363 | p = buf + 1;
|
---|
| 364 | while( list_size > 0 )
|
---|
| 365 | {
|
---|
| 366 | if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
|
---|
| 367 | p[0] == MBEDTLS_ECP_PF_COMPRESSED )
|
---|
| 368 | {
|
---|
| 369 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
|
---|
| 370 | ssl->handshake->ecdh_ctx.point_format = p[0];
|
---|
| 371 | #endif
|
---|
| 372 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 373 | ssl->handshake->ecjpake_ctx.point_format = p[0];
|
---|
| 374 | #endif
|
---|
| 375 | MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
|
---|
| 376 | return( 0 );
|
---|
| 377 | }
|
---|
| 378 |
|
---|
| 379 | list_size--;
|
---|
| 380 | p++;
|
---|
| 381 | }
|
---|
| 382 |
|
---|
| 383 | return( 0 );
|
---|
| 384 | }
|
---|
| 385 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
|
---|
| 386 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
| 387 |
|
---|
| 388 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 389 | static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
|
---|
| 390 | const unsigned char *buf,
|
---|
| 391 | size_t len )
|
---|
| 392 | {
|
---|
| 393 | int ret;
|
---|
| 394 |
|
---|
| 395 | if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
|
---|
| 396 | {
|
---|
| 397 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
|
---|
| 398 | return( 0 );
|
---|
| 399 | }
|
---|
| 400 |
|
---|
| 401 | if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
|
---|
| 402 | buf, len ) ) != 0 )
|
---|
| 403 | {
|
---|
| 404 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
|
---|
| 405 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 406 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
---|
| 407 | return( ret );
|
---|
| 408 | }
|
---|
| 409 |
|
---|
| 410 | /* Only mark the extension as OK when we're sure it is */
|
---|
| 411 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
|
---|
| 412 |
|
---|
| 413 | return( 0 );
|
---|
| 414 | }
|
---|
| 415 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
| 416 |
|
---|
| 417 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
---|
| 418 | static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
|
---|
| 419 | const unsigned char *buf,
|
---|
| 420 | size_t len )
|
---|
| 421 | {
|
---|
| 422 | if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
|
---|
| 423 | {
|
---|
| 424 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 425 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 426 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
---|
| 427 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 428 | }
|
---|
| 429 |
|
---|
| 430 | ssl->session_negotiate->mfl_code = buf[0];
|
---|
| 431 |
|
---|
| 432 | return( 0 );
|
---|
| 433 | }
|
---|
| 434 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
---|
| 435 |
|
---|
| 436 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
---|
| 437 | static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
---|
| 438 | const unsigned char *buf,
|
---|
| 439 | size_t len )
|
---|
| 440 | {
|
---|
| 441 | if( len != 0 )
|
---|
| 442 | {
|
---|
| 443 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 444 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 445 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 446 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 447 | }
|
---|
| 448 |
|
---|
| 449 | ((void) buf);
|
---|
| 450 |
|
---|
| 451 | if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
|
---|
| 452 | ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
|
---|
| 453 |
|
---|
| 454 | return( 0 );
|
---|
| 455 | }
|
---|
| 456 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
---|
| 457 |
|
---|
| 458 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
---|
| 459 | static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
---|
| 460 | const unsigned char *buf,
|
---|
| 461 | size_t len )
|
---|
| 462 | {
|
---|
| 463 | if( len != 0 )
|
---|
| 464 | {
|
---|
| 465 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 466 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 467 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 468 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 469 | }
|
---|
| 470 |
|
---|
| 471 | ((void) buf);
|
---|
| 472 |
|
---|
| 473 | if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
|
---|
| 474 | ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
---|
| 475 | {
|
---|
| 476 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
|
---|
| 477 | }
|
---|
| 478 |
|
---|
| 479 | return( 0 );
|
---|
| 480 | }
|
---|
| 481 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
|
---|
| 482 |
|
---|
| 483 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
---|
| 484 | static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
|
---|
| 485 | const unsigned char *buf,
|
---|
| 486 | size_t len )
|
---|
| 487 | {
|
---|
| 488 | if( len != 0 )
|
---|
| 489 | {
|
---|
| 490 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 491 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 492 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 493 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 494 | }
|
---|
| 495 |
|
---|
| 496 | ((void) buf);
|
---|
| 497 |
|
---|
| 498 | if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
---|
| 499 | ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
---|
| 500 | {
|
---|
| 501 | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
---|
| 502 | }
|
---|
| 503 |
|
---|
| 504 | return( 0 );
|
---|
| 505 | }
|
---|
| 506 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
---|
| 507 |
|
---|
| 508 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
| 509 | static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
|
---|
| 510 | unsigned char *buf,
|
---|
| 511 | size_t len )
|
---|
| 512 | {
|
---|
| 513 | int ret;
|
---|
| 514 | mbedtls_ssl_session session;
|
---|
| 515 |
|
---|
| 516 | mbedtls_ssl_session_init( &session );
|
---|
| 517 |
|
---|
| 518 | if( ssl->conf->f_ticket_parse == NULL ||
|
---|
| 519 | ssl->conf->f_ticket_write == NULL )
|
---|
| 520 | {
|
---|
| 521 | return( 0 );
|
---|
| 522 | }
|
---|
| 523 |
|
---|
| 524 | /* Remember the client asked us to send a new ticket */
|
---|
| 525 | ssl->handshake->new_session_ticket = 1;
|
---|
| 526 |
|
---|
| 527 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
|
---|
| 528 |
|
---|
| 529 | if( len == 0 )
|
---|
| 530 | return( 0 );
|
---|
| 531 |
|
---|
| 532 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 533 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
| 534 | {
|
---|
| 535 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
|
---|
| 536 | return( 0 );
|
---|
| 537 | }
|
---|
| 538 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
| 539 |
|
---|
| 540 | /*
|
---|
| 541 | * Failures are ok: just ignore the ticket and proceed.
|
---|
| 542 | */
|
---|
| 543 | if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
|
---|
| 544 | buf, len ) ) != 0 )
|
---|
| 545 | {
|
---|
| 546 | mbedtls_ssl_session_free( &session );
|
---|
| 547 |
|
---|
| 548 | if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
|
---|
| 549 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
|
---|
| 550 | else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
|
---|
| 551 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
|
---|
| 552 | else
|
---|
| 553 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
|
---|
| 554 |
|
---|
| 555 | return( 0 );
|
---|
| 556 | }
|
---|
| 557 |
|
---|
| 558 | /*
|
---|
| 559 | * Keep the session ID sent by the client, since we MUST send it back to
|
---|
| 560 | * inform them we're accepting the ticket (RFC 5077 section 3.4)
|
---|
| 561 | */
|
---|
| 562 | session.id_len = ssl->session_negotiate->id_len;
|
---|
| 563 | memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
|
---|
| 564 |
|
---|
| 565 | mbedtls_ssl_session_free( ssl->session_negotiate );
|
---|
| 566 | memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
|
---|
| 567 |
|
---|
| 568 | /* Zeroize instead of free as we copied the content */
|
---|
| 569 | mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) );
|
---|
| 570 |
|
---|
| 571 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
|
---|
| 572 |
|
---|
| 573 | ssl->handshake->resume = 1;
|
---|
| 574 |
|
---|
| 575 | /* Don't send a new ticket after all, this one is OK */
|
---|
| 576 | ssl->handshake->new_session_ticket = 0;
|
---|
| 577 |
|
---|
| 578 | return( 0 );
|
---|
| 579 | }
|
---|
| 580 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
| 581 |
|
---|
| 582 | #if defined(MBEDTLS_SSL_ALPN)
|
---|
| 583 | static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
|
---|
| 584 | const unsigned char *buf, size_t len )
|
---|
| 585 | {
|
---|
| 586 | size_t list_len, cur_len, ours_len;
|
---|
| 587 | const unsigned char *theirs, *start, *end;
|
---|
| 588 | const char **ours;
|
---|
| 589 |
|
---|
| 590 | /* If ALPN not configured, just ignore the extension */
|
---|
| 591 | if( ssl->conf->alpn_list == NULL )
|
---|
| 592 | return( 0 );
|
---|
| 593 |
|
---|
| 594 | /*
|
---|
| 595 | * opaque ProtocolName<1..2^8-1>;
|
---|
| 596 | *
|
---|
| 597 | * struct {
|
---|
| 598 | * ProtocolName protocol_name_list<2..2^16-1>
|
---|
| 599 | * } ProtocolNameList;
|
---|
| 600 | */
|
---|
| 601 |
|
---|
| 602 | /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
|
---|
| 603 | if( len < 4 )
|
---|
| 604 | {
|
---|
| 605 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 606 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 607 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 608 | }
|
---|
| 609 |
|
---|
| 610 | list_len = ( buf[0] << 8 ) | buf[1];
|
---|
| 611 | if( list_len != len - 2 )
|
---|
| 612 | {
|
---|
| 613 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 614 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 615 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 616 | }
|
---|
| 617 |
|
---|
| 618 | /*
|
---|
| 619 | * Validate peer's list (lengths)
|
---|
| 620 | */
|
---|
| 621 | start = buf + 2;
|
---|
| 622 | end = buf + len;
|
---|
| 623 | for( theirs = start; theirs != end; theirs += cur_len )
|
---|
| 624 | {
|
---|
| 625 | cur_len = *theirs++;
|
---|
| 626 |
|
---|
| 627 | /* Current identifier must fit in list */
|
---|
| 628 | if( cur_len > (size_t)( end - theirs ) )
|
---|
| 629 | {
|
---|
| 630 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 631 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 632 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 633 | }
|
---|
| 634 |
|
---|
| 635 | /* Empty strings MUST NOT be included */
|
---|
| 636 | if( cur_len == 0 )
|
---|
| 637 | {
|
---|
| 638 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 639 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
---|
| 640 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 641 | }
|
---|
| 642 | }
|
---|
| 643 |
|
---|
| 644 | /*
|
---|
| 645 | * Use our order of preference
|
---|
| 646 | */
|
---|
| 647 | for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
|
---|
| 648 | {
|
---|
| 649 | ours_len = strlen( *ours );
|
---|
| 650 | for( theirs = start; theirs != end; theirs += cur_len )
|
---|
| 651 | {
|
---|
| 652 | cur_len = *theirs++;
|
---|
| 653 |
|
---|
| 654 | if( cur_len == ours_len &&
|
---|
| 655 | memcmp( theirs, *ours, cur_len ) == 0 )
|
---|
| 656 | {
|
---|
| 657 | ssl->alpn_chosen = *ours;
|
---|
| 658 | return( 0 );
|
---|
| 659 | }
|
---|
| 660 | }
|
---|
| 661 | }
|
---|
| 662 |
|
---|
| 663 | /* If we get there, no match was found */
|
---|
| 664 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 665 | MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
|
---|
| 666 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 667 | }
|
---|
| 668 | #endif /* MBEDTLS_SSL_ALPN */
|
---|
| 669 |
|
---|
| 670 | /*
|
---|
| 671 | * Auxiliary functions for ServerHello parsing and related actions
|
---|
| 672 | */
|
---|
| 673 |
|
---|
| 674 | #if defined(MBEDTLS_X509_CRT_PARSE_C)
|
---|
| 675 | /*
|
---|
| 676 | * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
|
---|
| 677 | */
|
---|
| 678 | #if defined(MBEDTLS_ECDSA_C)
|
---|
| 679 | static int ssl_check_key_curve( mbedtls_pk_context *pk,
|
---|
| 680 | const mbedtls_ecp_curve_info **curves )
|
---|
| 681 | {
|
---|
| 682 | const mbedtls_ecp_curve_info **crv = curves;
|
---|
| 683 | mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
|
---|
| 684 |
|
---|
| 685 | while( *crv != NULL )
|
---|
| 686 | {
|
---|
| 687 | if( (*crv)->grp_id == grp_id )
|
---|
| 688 | return( 0 );
|
---|
| 689 | crv++;
|
---|
| 690 | }
|
---|
| 691 |
|
---|
| 692 | return( -1 );
|
---|
| 693 | }
|
---|
| 694 | #endif /* MBEDTLS_ECDSA_C */
|
---|
| 695 |
|
---|
| 696 | /*
|
---|
| 697 | * Try picking a certificate for this ciphersuite,
|
---|
| 698 | * return 0 on success and -1 on failure.
|
---|
| 699 | */
|
---|
| 700 | static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
---|
| 701 | const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
|
---|
| 702 | {
|
---|
| 703 | mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
|
---|
| 704 | mbedtls_pk_type_t pk_alg =
|
---|
| 705 | mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
---|
| 706 | uint32_t flags;
|
---|
| 707 |
|
---|
| 708 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
---|
| 709 | if( ssl->handshake->sni_key_cert != NULL )
|
---|
| 710 | list = ssl->handshake->sni_key_cert;
|
---|
| 711 | else
|
---|
| 712 | #endif
|
---|
| 713 | list = ssl->conf->key_cert;
|
---|
| 714 |
|
---|
| 715 | if( pk_alg == MBEDTLS_PK_NONE )
|
---|
| 716 | return( 0 );
|
---|
| 717 |
|
---|
| 718 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
|
---|
| 719 |
|
---|
| 720 | if( list == NULL )
|
---|
| 721 | {
|
---|
| 722 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
|
---|
| 723 | return( -1 );
|
---|
| 724 | }
|
---|
| 725 |
|
---|
| 726 | for( cur = list; cur != NULL; cur = cur->next )
|
---|
| 727 | {
|
---|
| 728 | MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
|
---|
| 729 | cur->cert );
|
---|
| 730 |
|
---|
| 731 | if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
|
---|
| 732 | {
|
---|
| 733 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
|
---|
| 734 | continue;
|
---|
| 735 | }
|
---|
| 736 |
|
---|
| 737 | /*
|
---|
| 738 | * This avoids sending the client a cert it'll reject based on
|
---|
| 739 | * keyUsage or other extensions.
|
---|
| 740 | *
|
---|
| 741 | * It also allows the user to provision different certificates for
|
---|
| 742 | * different uses based on keyUsage, eg if they want to avoid signing
|
---|
| 743 | * and decrypting with the same RSA key.
|
---|
| 744 | */
|
---|
| 745 | if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
|
---|
| 746 | MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
|
---|
| 747 | {
|
---|
| 748 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
|
---|
| 749 | "(extended) key usage extension" ) );
|
---|
| 750 | continue;
|
---|
| 751 | }
|
---|
| 752 |
|
---|
| 753 | #if defined(MBEDTLS_ECDSA_C)
|
---|
| 754 | if( pk_alg == MBEDTLS_PK_ECDSA &&
|
---|
| 755 | ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
|
---|
| 756 | {
|
---|
| 757 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
|
---|
| 758 | continue;
|
---|
| 759 | }
|
---|
| 760 | #endif
|
---|
| 761 |
|
---|
| 762 | /*
|
---|
| 763 | * Try to select a SHA-1 certificate for pre-1.2 clients, but still
|
---|
| 764 | * present them a SHA-higher cert rather than failing if it's the only
|
---|
| 765 | * one we got that satisfies the other conditions.
|
---|
| 766 | */
|
---|
| 767 | if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
|
---|
| 768 | cur->cert->sig_md != MBEDTLS_MD_SHA1 )
|
---|
| 769 | {
|
---|
| 770 | if( fallback == NULL )
|
---|
| 771 | fallback = cur;
|
---|
| 772 | {
|
---|
| 773 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
|
---|
| 774 | "sha-2 with pre-TLS 1.2 client" ) );
|
---|
| 775 | continue;
|
---|
| 776 | }
|
---|
| 777 | }
|
---|
| 778 |
|
---|
| 779 | /* If we get there, we got a winner */
|
---|
| 780 | break;
|
---|
| 781 | }
|
---|
| 782 |
|
---|
| 783 | if( cur == NULL )
|
---|
| 784 | cur = fallback;
|
---|
| 785 |
|
---|
| 786 | /* Do not update ssl->handshake->key_cert unless there is a match */
|
---|
| 787 | if( cur != NULL )
|
---|
| 788 | {
|
---|
| 789 | ssl->handshake->key_cert = cur;
|
---|
| 790 | MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
|
---|
| 791 | ssl->handshake->key_cert->cert );
|
---|
| 792 | return( 0 );
|
---|
| 793 | }
|
---|
| 794 |
|
---|
| 795 | return( -1 );
|
---|
| 796 | }
|
---|
| 797 | #endif /* MBEDTLS_X509_CRT_PARSE_C */
|
---|
| 798 |
|
---|
| 799 | /*
|
---|
| 800 | * Check if a given ciphersuite is suitable for use with our config/keys/etc
|
---|
| 801 | * Sets ciphersuite_info only if the suite matches.
|
---|
| 802 | */
|
---|
| 803 | static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
|
---|
| 804 | const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
|
---|
| 805 | {
|
---|
| 806 | const mbedtls_ssl_ciphersuite_t *suite_info;
|
---|
| 807 |
|
---|
| 808 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
| 809 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
| 810 | mbedtls_pk_type_t sig_type;
|
---|
| 811 | #endif
|
---|
| 812 |
|
---|
| 813 | suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
|
---|
| 814 | if( suite_info == NULL )
|
---|
| 815 | {
|
---|
| 816 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
| 817 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
| 818 | }
|
---|
| 819 |
|
---|
| 820 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
|
---|
| 821 |
|
---|
| 822 | if( suite_info->min_minor_ver > ssl->minor_ver ||
|
---|
| 823 | suite_info->max_minor_ver < ssl->minor_ver )
|
---|
| 824 | {
|
---|
| 825 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
|
---|
| 826 | return( 0 );
|
---|
| 827 | }
|
---|
| 828 |
|
---|
| 829 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 830 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
---|
| 831 | ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
|
---|
| 832 | return( 0 );
|
---|
| 833 | #endif
|
---|
| 834 |
|
---|
| 835 | #if defined(MBEDTLS_ARC4_C)
|
---|
| 836 | if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
|
---|
| 837 | suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
---|
| 838 | {
|
---|
| 839 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
|
---|
| 840 | return( 0 );
|
---|
| 841 | }
|
---|
| 842 | #endif
|
---|
| 843 |
|
---|
| 844 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 845 | if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
---|
| 846 | ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
|
---|
| 847 | {
|
---|
| 848 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
|
---|
| 849 | "not configured or ext missing" ) );
|
---|
| 850 | return( 0 );
|
---|
| 851 | }
|
---|
| 852 | #endif
|
---|
| 853 |
|
---|
| 854 |
|
---|
| 855 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
|
---|
| 856 | if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
|
---|
| 857 | ( ssl->handshake->curves == NULL ||
|
---|
| 858 | ssl->handshake->curves[0] == NULL ) )
|
---|
| 859 | {
|
---|
| 860 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
|
---|
| 861 | "no common elliptic curve" ) );
|
---|
| 862 | return( 0 );
|
---|
| 863 | }
|
---|
| 864 | #endif
|
---|
| 865 |
|
---|
| 866 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
---|
| 867 | /* If the ciphersuite requires a pre-shared key and we don't
|
---|
| 868 | * have one, skip it now rather than failing later */
|
---|
| 869 | if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
|
---|
| 870 | ssl->conf->f_psk == NULL &&
|
---|
| 871 | ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
|
---|
| 872 | ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
|
---|
| 873 | {
|
---|
| 874 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
|
---|
| 875 | return( 0 );
|
---|
| 876 | }
|
---|
| 877 | #endif
|
---|
| 878 |
|
---|
| 879 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
| 880 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
| 881 | /* If the ciphersuite requires signing, check whether
|
---|
| 882 | * a suitable hash algorithm is present. */
|
---|
| 883 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
| 884 | {
|
---|
| 885 | sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
|
---|
| 886 | if( sig_type != MBEDTLS_PK_NONE &&
|
---|
| 887 | mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
|
---|
| 888 | {
|
---|
| 889 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
|
---|
| 890 | "for signature algorithm %d", sig_type ) );
|
---|
| 891 | return( 0 );
|
---|
| 892 | }
|
---|
| 893 | }
|
---|
| 894 |
|
---|
| 895 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
---|
| 896 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
---|
| 897 |
|
---|
| 898 | #if defined(MBEDTLS_X509_CRT_PARSE_C)
|
---|
| 899 | /*
|
---|
| 900 | * Final check: if ciphersuite requires us to have a
|
---|
| 901 | * certificate/key of a particular type:
|
---|
| 902 | * - select the appropriate certificate if we have one, or
|
---|
| 903 | * - try the next ciphersuite if we don't
|
---|
| 904 | * This must be done last since we modify the key_cert list.
|
---|
| 905 | */
|
---|
| 906 | if( ssl_pick_cert( ssl, suite_info ) != 0 )
|
---|
| 907 | {
|
---|
| 908 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
|
---|
| 909 | "no suitable certificate" ) );
|
---|
| 910 | return( 0 );
|
---|
| 911 | }
|
---|
| 912 | #endif
|
---|
| 913 |
|
---|
| 914 | *ciphersuite_info = suite_info;
|
---|
| 915 | return( 0 );
|
---|
| 916 | }
|
---|
| 917 |
|
---|
| 918 | #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
|
---|
| 919 | static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
---|
| 920 | {
|
---|
| 921 | int ret, got_common_suite;
|
---|
| 922 | unsigned int i, j;
|
---|
| 923 | size_t n;
|
---|
| 924 | unsigned int ciph_len, sess_len, chal_len;
|
---|
| 925 | unsigned char *buf, *p;
|
---|
| 926 | const int *ciphersuites;
|
---|
| 927 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
---|
| 928 |
|
---|
| 929 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
|
---|
| 930 |
|
---|
| 931 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 932 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
| 933 | {
|
---|
| 934 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
|
---|
| 935 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 936 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
| 937 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 938 | }
|
---|
| 939 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
| 940 |
|
---|
| 941 | buf = ssl->in_hdr;
|
---|
| 942 |
|
---|
| 943 | MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
|
---|
| 944 |
|
---|
| 945 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
|
---|
| 946 | buf[2] ) );
|
---|
| 947 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
|
---|
| 948 | ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
|
---|
| 949 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
|
---|
| 950 | buf[3], buf[4] ) );
|
---|
| 951 |
|
---|
| 952 | /*
|
---|
| 953 | * SSLv2 Client Hello
|
---|
| 954 | *
|
---|
| 955 | * Record layer:
|
---|
| 956 | * 0 . 1 message length
|
---|
| 957 | *
|
---|
| 958 | * SSL layer:
|
---|
| 959 | * 2 . 2 message type
|
---|
| 960 | * 3 . 4 protocol version
|
---|
| 961 | */
|
---|
| 962 | if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
|
---|
| 963 | buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
|
---|
| 964 | {
|
---|
| 965 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 966 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 967 | }
|
---|
| 968 |
|
---|
| 969 | n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
|
---|
| 970 |
|
---|
| 971 | if( n < 17 || n > 512 )
|
---|
| 972 | {
|
---|
| 973 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 974 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 975 | }
|
---|
| 976 |
|
---|
| 977 | ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
|
---|
| 978 | ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
|
---|
| 979 | ? buf[4] : ssl->conf->max_minor_ver;
|
---|
| 980 |
|
---|
| 981 | if( ssl->minor_ver < ssl->conf->min_minor_ver )
|
---|
| 982 | {
|
---|
| 983 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
|
---|
| 984 | " [%d:%d] < [%d:%d]",
|
---|
| 985 | ssl->major_ver, ssl->minor_ver,
|
---|
| 986 | ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
|
---|
| 987 |
|
---|
| 988 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 989 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
---|
| 990 | return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
|
---|
| 991 | }
|
---|
| 992 |
|
---|
| 993 | ssl->handshake->max_major_ver = buf[3];
|
---|
| 994 | ssl->handshake->max_minor_ver = buf[4];
|
---|
| 995 |
|
---|
| 996 | if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
|
---|
| 997 | {
|
---|
| 998 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
|
---|
| 999 | return( ret );
|
---|
| 1000 | }
|
---|
| 1001 |
|
---|
| 1002 | ssl->handshake->update_checksum( ssl, buf + 2, n );
|
---|
| 1003 |
|
---|
| 1004 | buf = ssl->in_msg;
|
---|
| 1005 | n = ssl->in_left - 5;
|
---|
| 1006 |
|
---|
| 1007 | /*
|
---|
| 1008 | * 0 . 1 ciphersuitelist length
|
---|
| 1009 | * 2 . 3 session id length
|
---|
| 1010 | * 4 . 5 challenge length
|
---|
| 1011 | * 6 . .. ciphersuitelist
|
---|
| 1012 | * .. . .. session id
|
---|
| 1013 | * .. . .. challenge
|
---|
| 1014 | */
|
---|
| 1015 | MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
|
---|
| 1016 |
|
---|
| 1017 | ciph_len = ( buf[0] << 8 ) | buf[1];
|
---|
| 1018 | sess_len = ( buf[2] << 8 ) | buf[3];
|
---|
| 1019 | chal_len = ( buf[4] << 8 ) | buf[5];
|
---|
| 1020 |
|
---|
| 1021 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
|
---|
| 1022 | ciph_len, sess_len, chal_len ) );
|
---|
| 1023 |
|
---|
| 1024 | /*
|
---|
| 1025 | * Make sure each parameter length is valid
|
---|
| 1026 | */
|
---|
| 1027 | if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
|
---|
| 1028 | {
|
---|
| 1029 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1030 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1031 | }
|
---|
| 1032 |
|
---|
| 1033 | if( sess_len > 32 )
|
---|
| 1034 | {
|
---|
| 1035 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1036 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1037 | }
|
---|
| 1038 |
|
---|
| 1039 | if( chal_len < 8 || chal_len > 32 )
|
---|
| 1040 | {
|
---|
| 1041 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1042 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1043 | }
|
---|
| 1044 |
|
---|
| 1045 | if( n != 6 + ciph_len + sess_len + chal_len )
|
---|
| 1046 | {
|
---|
| 1047 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1048 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1049 | }
|
---|
| 1050 |
|
---|
| 1051 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
|
---|
| 1052 | buf + 6, ciph_len );
|
---|
| 1053 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
|
---|
| 1054 | buf + 6 + ciph_len, sess_len );
|
---|
| 1055 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
|
---|
| 1056 | buf + 6 + ciph_len + sess_len, chal_len );
|
---|
| 1057 |
|
---|
| 1058 | p = buf + 6 + ciph_len;
|
---|
| 1059 | ssl->session_negotiate->id_len = sess_len;
|
---|
| 1060 | memset( ssl->session_negotiate->id, 0,
|
---|
| 1061 | sizeof( ssl->session_negotiate->id ) );
|
---|
| 1062 | memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
|
---|
| 1063 |
|
---|
| 1064 | p += sess_len;
|
---|
| 1065 | memset( ssl->handshake->randbytes, 0, 64 );
|
---|
| 1066 | memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
|
---|
| 1067 |
|
---|
| 1068 | /*
|
---|
| 1069 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
|
---|
| 1070 | */
|
---|
| 1071 | for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
|
---|
| 1072 | {
|
---|
| 1073 | if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
|
---|
| 1074 | {
|
---|
| 1075 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
|
---|
| 1076 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 1077 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
|
---|
| 1078 | {
|
---|
| 1079 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
|
---|
| 1080 | "during renegotiation" ) );
|
---|
| 1081 |
|
---|
| 1082 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1083 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
| 1084 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1085 | }
|
---|
| 1086 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
| 1087 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
|
---|
| 1088 | break;
|
---|
| 1089 | }
|
---|
| 1090 | }
|
---|
| 1091 |
|
---|
| 1092 | #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
|
---|
| 1093 | for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
|
---|
| 1094 | {
|
---|
| 1095 | if( p[0] == 0 &&
|
---|
| 1096 | p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
|
---|
| 1097 | p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
|
---|
| 1098 | {
|
---|
| 1099 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
|
---|
| 1100 |
|
---|
| 1101 | if( ssl->minor_ver < ssl->conf->max_minor_ver )
|
---|
| 1102 | {
|
---|
| 1103 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
---|
| 1104 |
|
---|
| 1105 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1106 | MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
|
---|
| 1107 |
|
---|
| 1108 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1109 | }
|
---|
| 1110 |
|
---|
| 1111 | break;
|
---|
| 1112 | }
|
---|
| 1113 | }
|
---|
| 1114 | #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
|
---|
| 1115 |
|
---|
| 1116 | got_common_suite = 0;
|
---|
| 1117 | ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
|
---|
| 1118 | ciphersuite_info = NULL;
|
---|
| 1119 | #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
---|
| 1120 | for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
|
---|
| 1121 | for( i = 0; ciphersuites[i] != 0; i++ )
|
---|
| 1122 | #else
|
---|
| 1123 | for( i = 0; ciphersuites[i] != 0; i++ )
|
---|
| 1124 | for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
|
---|
| 1125 | #endif
|
---|
| 1126 | {
|
---|
| 1127 | if( p[0] != 0 ||
|
---|
| 1128 | p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
|
---|
| 1129 | p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
|
---|
| 1130 | continue;
|
---|
| 1131 |
|
---|
| 1132 | got_common_suite = 1;
|
---|
| 1133 |
|
---|
| 1134 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
|
---|
| 1135 | &ciphersuite_info ) ) != 0 )
|
---|
| 1136 | return( ret );
|
---|
| 1137 |
|
---|
| 1138 | if( ciphersuite_info != NULL )
|
---|
| 1139 | goto have_ciphersuite_v2;
|
---|
| 1140 | }
|
---|
| 1141 |
|
---|
| 1142 | if( got_common_suite )
|
---|
| 1143 | {
|
---|
| 1144 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
|
---|
| 1145 | "but none of them usable" ) );
|
---|
| 1146 | return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
|
---|
| 1147 | }
|
---|
| 1148 | else
|
---|
| 1149 | {
|
---|
| 1150 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
|
---|
| 1151 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
|
---|
| 1152 | }
|
---|
| 1153 |
|
---|
| 1154 | have_ciphersuite_v2:
|
---|
| 1155 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
|
---|
| 1156 |
|
---|
| 1157 | ssl->session_negotiate->ciphersuite = ciphersuites[i];
|
---|
| 1158 | ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
|
---|
| 1159 |
|
---|
| 1160 | /*
|
---|
| 1161 | * SSLv2 Client Hello relevant renegotiation security checks
|
---|
| 1162 | */
|
---|
| 1163 | if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
---|
| 1164 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
|
---|
| 1165 | {
|
---|
| 1166 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
|
---|
| 1167 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1168 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
| 1169 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1170 | }
|
---|
| 1171 |
|
---|
| 1172 | ssl->in_left = 0;
|
---|
| 1173 | ssl->state++;
|
---|
| 1174 |
|
---|
| 1175 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
|
---|
| 1176 |
|
---|
| 1177 | return( 0 );
|
---|
| 1178 | }
|
---|
| 1179 | #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
|
---|
| 1180 |
|
---|
| 1181 | /* This function doesn't alert on errors that happen early during
|
---|
| 1182 | ClientHello parsing because they might indicate that the client is
|
---|
| 1183 | not talking SSL/TLS at all and would not understand our alert. */
|
---|
| 1184 | static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
|
---|
| 1185 | {
|
---|
| 1186 | int ret, got_common_suite;
|
---|
| 1187 | size_t i, j;
|
---|
| 1188 | size_t ciph_offset, comp_offset, ext_offset;
|
---|
| 1189 | size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
|
---|
| 1190 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 1191 | size_t cookie_offset, cookie_len;
|
---|
| 1192 | #endif
|
---|
| 1193 | unsigned char *buf, *p, *ext;
|
---|
| 1194 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 1195 | int renegotiation_info_seen = 0;
|
---|
| 1196 | #endif
|
---|
| 1197 | int handshake_failure = 0;
|
---|
| 1198 | const int *ciphersuites;
|
---|
| 1199 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
---|
| 1200 | int major, minor;
|
---|
| 1201 |
|
---|
| 1202 | /* If there is no signature-algorithm extension present,
|
---|
| 1203 | * we need to fall back to the default values for allowed
|
---|
| 1204 | * signature-hash pairs. */
|
---|
| 1205 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
| 1206 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
| 1207 | int sig_hash_alg_ext_present = 0;
|
---|
| 1208 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
---|
| 1209 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
---|
| 1210 |
|
---|
| 1211 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
|
---|
| 1212 |
|
---|
| 1213 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
|
---|
| 1214 | read_record_header:
|
---|
| 1215 | #endif
|
---|
| 1216 | /*
|
---|
| 1217 | * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
|
---|
| 1218 | * otherwise read it ourselves manually in order to support SSLv2
|
---|
| 1219 | * ClientHello, which doesn't use the same record layer format.
|
---|
| 1220 | */
|
---|
| 1221 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 1222 | if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
| 1223 | #endif
|
---|
| 1224 | {
|
---|
| 1225 | if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
|
---|
| 1226 | {
|
---|
| 1227 | /* No alert on a read error. */
|
---|
| 1228 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
|
---|
| 1229 | return( ret );
|
---|
| 1230 | }
|
---|
| 1231 | }
|
---|
| 1232 |
|
---|
| 1233 | buf = ssl->in_hdr;
|
---|
| 1234 |
|
---|
| 1235 | #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
|
---|
| 1236 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 1237 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
|
---|
| 1238 | #endif
|
---|
| 1239 | if( ( buf[0] & 0x80 ) != 0 )
|
---|
| 1240 | return( ssl_parse_client_hello_v2( ssl ) );
|
---|
| 1241 | #endif
|
---|
| 1242 |
|
---|
| 1243 | MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
|
---|
| 1244 |
|
---|
| 1245 | /*
|
---|
| 1246 | * SSLv3/TLS Client Hello
|
---|
| 1247 | *
|
---|
| 1248 | * Record layer:
|
---|
| 1249 | * 0 . 0 message type
|
---|
| 1250 | * 1 . 2 protocol version
|
---|
| 1251 | * 3 . 11 DTLS: epoch + record sequence number
|
---|
| 1252 | * 3 . 4 message length
|
---|
| 1253 | */
|
---|
| 1254 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
|
---|
| 1255 | buf[0] ) );
|
---|
| 1256 |
|
---|
| 1257 | if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
|
---|
| 1258 | {
|
---|
| 1259 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1260 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1261 | }
|
---|
| 1262 |
|
---|
| 1263 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
|
---|
| 1264 | ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
|
---|
| 1265 |
|
---|
| 1266 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
|
---|
| 1267 | buf[1], buf[2] ) );
|
---|
| 1268 |
|
---|
| 1269 | mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
|
---|
| 1270 |
|
---|
| 1271 | /* According to RFC 5246 Appendix E.1, the version here is typically
|
---|
| 1272 | * "{03,00}, the lowest version number supported by the client, [or] the
|
---|
| 1273 | * value of ClientHello.client_version", so the only meaningful check here
|
---|
| 1274 | * is the major version shouldn't be less than 3 */
|
---|
| 1275 | if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
|
---|
| 1276 | {
|
---|
| 1277 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1278 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1279 | }
|
---|
| 1280 |
|
---|
| 1281 | /* For DTLS if this is the initial handshake, remember the client sequence
|
---|
| 1282 | * number to use it in our next message (RFC 6347 4.2.1) */
|
---|
| 1283 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 1284 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
|
---|
| 1285 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 1286 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
|
---|
| 1287 | #endif
|
---|
| 1288 | )
|
---|
| 1289 | {
|
---|
| 1290 | /* Epoch should be 0 for initial handshakes */
|
---|
| 1291 | if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
|
---|
| 1292 | {
|
---|
| 1293 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1294 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1295 | }
|
---|
| 1296 |
|
---|
| 1297 | memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 );
|
---|
| 1298 |
|
---|
| 1299 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
|
---|
| 1300 | if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
|
---|
| 1301 | {
|
---|
| 1302 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
|
---|
| 1303 | ssl->next_record_offset = 0;
|
---|
| 1304 | ssl->in_left = 0;
|
---|
| 1305 | goto read_record_header;
|
---|
| 1306 | }
|
---|
| 1307 |
|
---|
| 1308 | /* No MAC to check yet, so we can update right now */
|
---|
| 1309 | mbedtls_ssl_dtls_replay_update( ssl );
|
---|
| 1310 | #endif
|
---|
| 1311 | }
|
---|
| 1312 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
| 1313 |
|
---|
| 1314 | msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
|
---|
| 1315 |
|
---|
| 1316 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 1317 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
| 1318 | {
|
---|
| 1319 | /* Set by mbedtls_ssl_read_record() */
|
---|
| 1320 | msg_len = ssl->in_hslen;
|
---|
| 1321 | }
|
---|
| 1322 | else
|
---|
| 1323 | #endif
|
---|
| 1324 | {
|
---|
| 1325 | if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
|
---|
| 1326 | {
|
---|
| 1327 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1328 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1329 | }
|
---|
| 1330 |
|
---|
| 1331 | if( ( ret = mbedtls_ssl_fetch_input( ssl,
|
---|
| 1332 | mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
|
---|
| 1333 | {
|
---|
| 1334 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
|
---|
| 1335 | return( ret );
|
---|
| 1336 | }
|
---|
| 1337 |
|
---|
| 1338 | /* Done reading this record, get ready for the next one */
|
---|
| 1339 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 1340 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
| 1341 | ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
|
---|
| 1342 | else
|
---|
| 1343 | #endif
|
---|
| 1344 | ssl->in_left = 0;
|
---|
| 1345 | }
|
---|
| 1346 |
|
---|
| 1347 | buf = ssl->in_msg;
|
---|
| 1348 |
|
---|
| 1349 | MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
|
---|
| 1350 |
|
---|
| 1351 | ssl->handshake->update_checksum( ssl, buf, msg_len );
|
---|
| 1352 |
|
---|
| 1353 | /*
|
---|
| 1354 | * Handshake layer:
|
---|
| 1355 | * 0 . 0 handshake type
|
---|
| 1356 | * 1 . 3 handshake length
|
---|
| 1357 | * 4 . 5 DTLS only: message seqence number
|
---|
| 1358 | * 6 . 8 DTLS only: fragment offset
|
---|
| 1359 | * 9 . 11 DTLS only: fragment length
|
---|
| 1360 | */
|
---|
| 1361 | if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
|
---|
| 1362 | {
|
---|
| 1363 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1364 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1365 | }
|
---|
| 1366 |
|
---|
| 1367 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
|
---|
| 1368 |
|
---|
| 1369 | if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
|
---|
| 1370 | {
|
---|
| 1371 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1372 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1373 | }
|
---|
| 1374 |
|
---|
| 1375 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
|
---|
| 1376 | ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
|
---|
| 1377 |
|
---|
| 1378 | /* We don't support fragmentation of ClientHello (yet?) */
|
---|
| 1379 | if( buf[1] != 0 ||
|
---|
| 1380 | msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
|
---|
| 1381 | {
|
---|
| 1382 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1383 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1384 | }
|
---|
| 1385 |
|
---|
| 1386 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 1387 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
| 1388 | {
|
---|
| 1389 | /*
|
---|
| 1390 | * Copy the client's handshake message_seq on initial handshakes,
|
---|
| 1391 | * check sequence number on renego.
|
---|
| 1392 | */
|
---|
| 1393 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 1394 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
|
---|
| 1395 | {
|
---|
| 1396 | /* This couldn't be done in ssl_prepare_handshake_record() */
|
---|
| 1397 | unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
|
---|
| 1398 | ssl->in_msg[5];
|
---|
| 1399 |
|
---|
| 1400 | if( cli_msg_seq != ssl->handshake->in_msg_seq )
|
---|
| 1401 | {
|
---|
| 1402 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
|
---|
| 1403 | "%d (expected %d)", cli_msg_seq,
|
---|
| 1404 | ssl->handshake->in_msg_seq ) );
|
---|
| 1405 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1406 | }
|
---|
| 1407 |
|
---|
| 1408 | ssl->handshake->in_msg_seq++;
|
---|
| 1409 | }
|
---|
| 1410 | else
|
---|
| 1411 | #endif
|
---|
| 1412 | {
|
---|
| 1413 | unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
|
---|
| 1414 | ssl->in_msg[5];
|
---|
| 1415 | ssl->handshake->out_msg_seq = cli_msg_seq;
|
---|
| 1416 | ssl->handshake->in_msg_seq = cli_msg_seq + 1;
|
---|
| 1417 | }
|
---|
| 1418 |
|
---|
| 1419 | /*
|
---|
| 1420 | * For now we don't support fragmentation, so make sure
|
---|
| 1421 | * fragment_offset == 0 and fragment_length == length
|
---|
| 1422 | */
|
---|
| 1423 | if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
|
---|
| 1424 | memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
|
---|
| 1425 | {
|
---|
| 1426 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
|
---|
| 1427 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
---|
| 1428 | }
|
---|
| 1429 | }
|
---|
| 1430 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
| 1431 |
|
---|
| 1432 | buf += mbedtls_ssl_hs_hdr_len( ssl );
|
---|
| 1433 | msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
|
---|
| 1434 |
|
---|
| 1435 | /*
|
---|
| 1436 | * ClientHello layer:
|
---|
| 1437 | * 0 . 1 protocol version
|
---|
| 1438 | * 2 . 33 random bytes (starting with 4 bytes of Unix time)
|
---|
| 1439 | * 34 . 35 session id length (1 byte)
|
---|
| 1440 | * 35 . 34+x session id
|
---|
| 1441 | * 35+x . 35+x DTLS only: cookie length (1 byte)
|
---|
| 1442 | * 36+x . .. DTLS only: cookie
|
---|
| 1443 | * .. . .. ciphersuite list length (2 bytes)
|
---|
| 1444 | * .. . .. ciphersuite list
|
---|
| 1445 | * .. . .. compression alg. list length (1 byte)
|
---|
| 1446 | * .. . .. compression alg. list
|
---|
| 1447 | * .. . .. extensions length (2 bytes, optional)
|
---|
| 1448 | * .. . .. extensions (optional)
|
---|
| 1449 | */
|
---|
| 1450 |
|
---|
| 1451 | /*
|
---|
| 1452 | * Minimal length (with everything empty and extensions ommitted) is
|
---|
| 1453 | * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
|
---|
| 1454 | * read at least up to session id length without worrying.
|
---|
| 1455 | */
|
---|
| 1456 | if( msg_len < 38 )
|
---|
| 1457 | {
|
---|
| 1458 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1459 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1460 | }
|
---|
| 1461 |
|
---|
| 1462 | /*
|
---|
| 1463 | * Check and save the protocol version
|
---|
| 1464 | */
|
---|
| 1465 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
|
---|
| 1466 |
|
---|
| 1467 | mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
|
---|
| 1468 | ssl->conf->transport, buf );
|
---|
| 1469 |
|
---|
| 1470 | ssl->handshake->max_major_ver = ssl->major_ver;
|
---|
| 1471 | ssl->handshake->max_minor_ver = ssl->minor_ver;
|
---|
| 1472 |
|
---|
| 1473 | if( ssl->major_ver < ssl->conf->min_major_ver ||
|
---|
| 1474 | ssl->minor_ver < ssl->conf->min_minor_ver )
|
---|
| 1475 | {
|
---|
| 1476 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
|
---|
| 1477 | " [%d:%d] < [%d:%d]",
|
---|
| 1478 | ssl->major_ver, ssl->minor_ver,
|
---|
| 1479 | ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
|
---|
| 1480 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1481 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
---|
| 1482 | return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
|
---|
| 1483 | }
|
---|
| 1484 |
|
---|
| 1485 | if( ssl->major_ver > ssl->conf->max_major_ver )
|
---|
| 1486 | {
|
---|
| 1487 | ssl->major_ver = ssl->conf->max_major_ver;
|
---|
| 1488 | ssl->minor_ver = ssl->conf->max_minor_ver;
|
---|
| 1489 | }
|
---|
| 1490 | else if( ssl->minor_ver > ssl->conf->max_minor_ver )
|
---|
| 1491 | ssl->minor_ver = ssl->conf->max_minor_ver;
|
---|
| 1492 |
|
---|
| 1493 | /*
|
---|
| 1494 | * Save client random (inc. Unix time)
|
---|
| 1495 | */
|
---|
| 1496 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
|
---|
| 1497 |
|
---|
| 1498 | memcpy( ssl->handshake->randbytes, buf + 2, 32 );
|
---|
| 1499 |
|
---|
| 1500 | /*
|
---|
| 1501 | * Check the session ID length and save session ID
|
---|
| 1502 | */
|
---|
| 1503 | sess_len = buf[34];
|
---|
| 1504 |
|
---|
| 1505 | if( sess_len > sizeof( ssl->session_negotiate->id ) ||
|
---|
| 1506 | sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
|
---|
| 1507 | {
|
---|
| 1508 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1509 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1510 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 1511 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1512 | }
|
---|
| 1513 |
|
---|
| 1514 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
|
---|
| 1515 |
|
---|
| 1516 | ssl->session_negotiate->id_len = sess_len;
|
---|
| 1517 | memset( ssl->session_negotiate->id, 0,
|
---|
| 1518 | sizeof( ssl->session_negotiate->id ) );
|
---|
| 1519 | memcpy( ssl->session_negotiate->id, buf + 35,
|
---|
| 1520 | ssl->session_negotiate->id_len );
|
---|
| 1521 |
|
---|
| 1522 | /*
|
---|
| 1523 | * Check the cookie length and content
|
---|
| 1524 | */
|
---|
| 1525 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 1526 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
| 1527 | {
|
---|
| 1528 | cookie_offset = 35 + sess_len;
|
---|
| 1529 | cookie_len = buf[cookie_offset];
|
---|
| 1530 |
|
---|
| 1531 | if( cookie_offset + 1 + cookie_len + 2 > msg_len )
|
---|
| 1532 | {
|
---|
| 1533 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1534 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1535 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
---|
| 1536 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1537 | }
|
---|
| 1538 |
|
---|
| 1539 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
|
---|
| 1540 | buf + cookie_offset + 1, cookie_len );
|
---|
| 1541 |
|
---|
| 1542 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
|
---|
| 1543 | if( ssl->conf->f_cookie_check != NULL
|
---|
| 1544 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 1545 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
|
---|
| 1546 | #endif
|
---|
| 1547 | )
|
---|
| 1548 | {
|
---|
| 1549 | if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
|
---|
| 1550 | buf + cookie_offset + 1, cookie_len,
|
---|
| 1551 | ssl->cli_id, ssl->cli_id_len ) != 0 )
|
---|
| 1552 | {
|
---|
| 1553 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
|
---|
| 1554 | ssl->handshake->verify_cookie_len = 1;
|
---|
| 1555 | }
|
---|
| 1556 | else
|
---|
| 1557 | {
|
---|
| 1558 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
|
---|
| 1559 | ssl->handshake->verify_cookie_len = 0;
|
---|
| 1560 | }
|
---|
| 1561 | }
|
---|
| 1562 | else
|
---|
| 1563 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
|
---|
| 1564 | {
|
---|
| 1565 | /* We know we didn't send a cookie, so it should be empty */
|
---|
| 1566 | if( cookie_len != 0 )
|
---|
| 1567 | {
|
---|
| 1568 | /* This may be an attacker's probe, so don't send an alert */
|
---|
| 1569 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1570 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1571 | }
|
---|
| 1572 |
|
---|
| 1573 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
|
---|
| 1574 | }
|
---|
| 1575 |
|
---|
| 1576 | /*
|
---|
| 1577 | * Check the ciphersuitelist length (will be parsed later)
|
---|
| 1578 | */
|
---|
| 1579 | ciph_offset = cookie_offset + 1 + cookie_len;
|
---|
| 1580 | }
|
---|
| 1581 | else
|
---|
| 1582 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
| 1583 | ciph_offset = 35 + sess_len;
|
---|
| 1584 |
|
---|
| 1585 | ciph_len = ( buf[ciph_offset + 0] << 8 )
|
---|
| 1586 | | ( buf[ciph_offset + 1] );
|
---|
| 1587 |
|
---|
| 1588 | if( ciph_len < 2 ||
|
---|
| 1589 | ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
|
---|
| 1590 | ( ciph_len % 2 ) != 0 )
|
---|
| 1591 | {
|
---|
| 1592 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1593 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1594 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 1595 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1596 | }
|
---|
| 1597 |
|
---|
| 1598 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
|
---|
| 1599 | buf + ciph_offset + 2, ciph_len );
|
---|
| 1600 |
|
---|
| 1601 | /*
|
---|
| 1602 | * Check the compression algorithms length and pick one
|
---|
| 1603 | */
|
---|
| 1604 | comp_offset = ciph_offset + 2 + ciph_len;
|
---|
| 1605 |
|
---|
| 1606 | comp_len = buf[comp_offset];
|
---|
| 1607 |
|
---|
| 1608 | if( comp_len < 1 ||
|
---|
| 1609 | comp_len > 16 ||
|
---|
| 1610 | comp_len + comp_offset + 1 > msg_len )
|
---|
| 1611 | {
|
---|
| 1612 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1613 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1614 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 1615 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1616 | }
|
---|
| 1617 |
|
---|
| 1618 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
|
---|
| 1619 | buf + comp_offset + 1, comp_len );
|
---|
| 1620 |
|
---|
| 1621 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
|
---|
| 1622 | #if defined(MBEDTLS_ZLIB_SUPPORT)
|
---|
| 1623 | for( i = 0; i < comp_len; ++i )
|
---|
| 1624 | {
|
---|
| 1625 | if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
|
---|
| 1626 | {
|
---|
| 1627 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
|
---|
| 1628 | break;
|
---|
| 1629 | }
|
---|
| 1630 | }
|
---|
| 1631 | #endif
|
---|
| 1632 |
|
---|
| 1633 | /* See comments in ssl_write_client_hello() */
|
---|
| 1634 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 1635 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
| 1636 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
|
---|
| 1637 | #endif
|
---|
| 1638 |
|
---|
| 1639 | /* Do not parse the extensions if the protocol is SSLv3 */
|
---|
| 1640 | #if defined(MBEDTLS_SSL_PROTO_SSL3)
|
---|
| 1641 | if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
|
---|
| 1642 | {
|
---|
| 1643 | #endif
|
---|
| 1644 | /*
|
---|
| 1645 | * Check the extension length
|
---|
| 1646 | */
|
---|
| 1647 | ext_offset = comp_offset + 1 + comp_len;
|
---|
| 1648 | if( msg_len > ext_offset )
|
---|
| 1649 | {
|
---|
| 1650 | if( msg_len < ext_offset + 2 )
|
---|
| 1651 | {
|
---|
| 1652 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1653 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1654 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 1655 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1656 | }
|
---|
| 1657 |
|
---|
| 1658 | ext_len = ( buf[ext_offset + 0] << 8 )
|
---|
| 1659 | | ( buf[ext_offset + 1] );
|
---|
| 1660 |
|
---|
| 1661 | if( ( ext_len > 0 && ext_len < 4 ) ||
|
---|
| 1662 | msg_len != ext_offset + 2 + ext_len )
|
---|
| 1663 | {
|
---|
| 1664 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1665 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1666 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 1667 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1668 | }
|
---|
| 1669 | }
|
---|
| 1670 | else
|
---|
| 1671 | ext_len = 0;
|
---|
| 1672 |
|
---|
| 1673 | ext = buf + ext_offset + 2;
|
---|
| 1674 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
|
---|
| 1675 |
|
---|
| 1676 | while( ext_len != 0 )
|
---|
| 1677 | {
|
---|
| 1678 | unsigned int ext_id;
|
---|
| 1679 | unsigned int ext_size;
|
---|
| 1680 | if ( ext_len < 4 ) {
|
---|
| 1681 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1682 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1683 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 1684 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1685 | }
|
---|
| 1686 | ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) );
|
---|
| 1687 | ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) );
|
---|
| 1688 |
|
---|
| 1689 | if( ext_size + 4 > ext_len )
|
---|
| 1690 | {
|
---|
| 1691 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1692 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1693 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 1694 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1695 | }
|
---|
| 1696 | switch( ext_id )
|
---|
| 1697 | {
|
---|
| 1698 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
---|
| 1699 | case MBEDTLS_TLS_EXT_SERVERNAME:
|
---|
| 1700 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
|
---|
| 1701 | if( ssl->conf->f_sni == NULL )
|
---|
| 1702 | break;
|
---|
| 1703 |
|
---|
| 1704 | ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
|
---|
| 1705 | if( ret != 0 )
|
---|
| 1706 | return( ret );
|
---|
| 1707 | break;
|
---|
| 1708 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
|
---|
| 1709 |
|
---|
| 1710 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
|
---|
| 1711 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
|
---|
| 1712 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 1713 | renegotiation_info_seen = 1;
|
---|
| 1714 | #endif
|
---|
| 1715 |
|
---|
| 1716 | ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
|
---|
| 1717 | if( ret != 0 )
|
---|
| 1718 | return( ret );
|
---|
| 1719 | break;
|
---|
| 1720 |
|
---|
| 1721 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
| 1722 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
| 1723 | case MBEDTLS_TLS_EXT_SIG_ALG:
|
---|
| 1724 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
|
---|
| 1725 |
|
---|
| 1726 | ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
|
---|
| 1727 | if( ret != 0 )
|
---|
| 1728 | return( ret );
|
---|
| 1729 |
|
---|
| 1730 | sig_hash_alg_ext_present = 1;
|
---|
| 1731 | break;
|
---|
| 1732 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
---|
| 1733 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
---|
| 1734 |
|
---|
| 1735 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
---|
| 1736 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 1737 | case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
|
---|
| 1738 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
|
---|
| 1739 |
|
---|
| 1740 | ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
|
---|
| 1741 | if( ret != 0 )
|
---|
| 1742 | return( ret );
|
---|
| 1743 | break;
|
---|
| 1744 |
|
---|
| 1745 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
|
---|
| 1746 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
|
---|
| 1747 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
|
---|
| 1748 |
|
---|
| 1749 | ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
|
---|
| 1750 | if( ret != 0 )
|
---|
| 1751 | return( ret );
|
---|
| 1752 | break;
|
---|
| 1753 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
|
---|
| 1754 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
| 1755 |
|
---|
| 1756 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 1757 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
|
---|
| 1758 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
|
---|
| 1759 |
|
---|
| 1760 | ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
|
---|
| 1761 | if( ret != 0 )
|
---|
| 1762 | return( ret );
|
---|
| 1763 | break;
|
---|
| 1764 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
| 1765 |
|
---|
| 1766 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
---|
| 1767 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
|
---|
| 1768 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
|
---|
| 1769 |
|
---|
| 1770 | ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
|
---|
| 1771 | if( ret != 0 )
|
---|
| 1772 | return( ret );
|
---|
| 1773 | break;
|
---|
| 1774 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
---|
| 1775 |
|
---|
| 1776 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
---|
| 1777 | case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
|
---|
| 1778 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
|
---|
| 1779 |
|
---|
| 1780 | ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
|
---|
| 1781 | if( ret != 0 )
|
---|
| 1782 | return( ret );
|
---|
| 1783 | break;
|
---|
| 1784 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
---|
| 1785 |
|
---|
| 1786 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
---|
| 1787 | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
|
---|
| 1788 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
|
---|
| 1789 |
|
---|
| 1790 | ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
|
---|
| 1791 | if( ret != 0 )
|
---|
| 1792 | return( ret );
|
---|
| 1793 | break;
|
---|
| 1794 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
|
---|
| 1795 |
|
---|
| 1796 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
---|
| 1797 | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
|
---|
| 1798 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
|
---|
| 1799 |
|
---|
| 1800 | ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
|
---|
| 1801 | if( ret != 0 )
|
---|
| 1802 | return( ret );
|
---|
| 1803 | break;
|
---|
| 1804 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
---|
| 1805 |
|
---|
| 1806 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
| 1807 | case MBEDTLS_TLS_EXT_SESSION_TICKET:
|
---|
| 1808 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
|
---|
| 1809 |
|
---|
| 1810 | ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
|
---|
| 1811 | if( ret != 0 )
|
---|
| 1812 | return( ret );
|
---|
| 1813 | break;
|
---|
| 1814 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
| 1815 |
|
---|
| 1816 | #if defined(MBEDTLS_SSL_ALPN)
|
---|
| 1817 | case MBEDTLS_TLS_EXT_ALPN:
|
---|
| 1818 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
|
---|
| 1819 |
|
---|
| 1820 | ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
|
---|
| 1821 | if( ret != 0 )
|
---|
| 1822 | return( ret );
|
---|
| 1823 | break;
|
---|
| 1824 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
| 1825 |
|
---|
| 1826 | default:
|
---|
| 1827 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
|
---|
| 1828 | ext_id ) );
|
---|
| 1829 | }
|
---|
| 1830 |
|
---|
| 1831 | ext_len -= 4 + ext_size;
|
---|
| 1832 | ext += 4 + ext_size;
|
---|
| 1833 |
|
---|
| 1834 | if( ext_len > 0 && ext_len < 4 )
|
---|
| 1835 | {
|
---|
| 1836 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
---|
| 1837 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1838 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
---|
| 1839 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1840 | }
|
---|
| 1841 | }
|
---|
| 1842 | #if defined(MBEDTLS_SSL_PROTO_SSL3)
|
---|
| 1843 | }
|
---|
| 1844 | #endif
|
---|
| 1845 |
|
---|
| 1846 | #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
|
---|
| 1847 | for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
|
---|
| 1848 | {
|
---|
| 1849 | if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
|
---|
| 1850 | p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
|
---|
| 1851 | {
|
---|
| 1852 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
|
---|
| 1853 |
|
---|
| 1854 | if( ssl->minor_ver < ssl->conf->max_minor_ver )
|
---|
| 1855 | {
|
---|
| 1856 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
---|
| 1857 |
|
---|
| 1858 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1859 | MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
|
---|
| 1860 |
|
---|
| 1861 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1862 | }
|
---|
| 1863 |
|
---|
| 1864 | break;
|
---|
| 1865 | }
|
---|
| 1866 | }
|
---|
| 1867 | #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
|
---|
| 1868 |
|
---|
| 1869 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
| 1870 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
| 1871 |
|
---|
| 1872 | /*
|
---|
| 1873 | * Try to fall back to default hash SHA1 if the client
|
---|
| 1874 | * hasn't provided any preferred signature-hash combinations.
|
---|
| 1875 | */
|
---|
| 1876 | if( sig_hash_alg_ext_present == 0 )
|
---|
| 1877 | {
|
---|
| 1878 | mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
|
---|
| 1879 |
|
---|
| 1880 | if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
|
---|
| 1881 | md_default = MBEDTLS_MD_NONE;
|
---|
| 1882 |
|
---|
| 1883 | mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
|
---|
| 1884 | }
|
---|
| 1885 |
|
---|
| 1886 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
---|
| 1887 | MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
---|
| 1888 |
|
---|
| 1889 | /*
|
---|
| 1890 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
|
---|
| 1891 | */
|
---|
| 1892 | for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
|
---|
| 1893 | {
|
---|
| 1894 | if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
|
---|
| 1895 | {
|
---|
| 1896 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
|
---|
| 1897 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 1898 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
|
---|
| 1899 | {
|
---|
| 1900 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
|
---|
| 1901 | "during renegotiation" ) );
|
---|
| 1902 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1903 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
| 1904 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1905 | }
|
---|
| 1906 | #endif
|
---|
| 1907 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
|
---|
| 1908 | break;
|
---|
| 1909 | }
|
---|
| 1910 | }
|
---|
| 1911 |
|
---|
| 1912 | /*
|
---|
| 1913 | * Renegotiation security checks
|
---|
| 1914 | */
|
---|
| 1915 | if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
|
---|
| 1916 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
|
---|
| 1917 | {
|
---|
| 1918 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
|
---|
| 1919 | handshake_failure = 1;
|
---|
| 1920 | }
|
---|
| 1921 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 1922 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
|
---|
| 1923 | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
|
---|
| 1924 | renegotiation_info_seen == 0 )
|
---|
| 1925 | {
|
---|
| 1926 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
|
---|
| 1927 | handshake_failure = 1;
|
---|
| 1928 | }
|
---|
| 1929 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
|
---|
| 1930 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
---|
| 1931 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
|
---|
| 1932 | {
|
---|
| 1933 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
|
---|
| 1934 | handshake_failure = 1;
|
---|
| 1935 | }
|
---|
| 1936 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
|
---|
| 1937 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
---|
| 1938 | renegotiation_info_seen == 1 )
|
---|
| 1939 | {
|
---|
| 1940 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
|
---|
| 1941 | handshake_failure = 1;
|
---|
| 1942 | }
|
---|
| 1943 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
| 1944 |
|
---|
| 1945 | if( handshake_failure == 1 )
|
---|
| 1946 | {
|
---|
| 1947 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1948 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
| 1949 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
---|
| 1950 | }
|
---|
| 1951 |
|
---|
| 1952 | /*
|
---|
| 1953 | * Search for a matching ciphersuite
|
---|
| 1954 | * (At the end because we need information from the EC-based extensions
|
---|
| 1955 | * and certificate from the SNI callback triggered by the SNI extension.)
|
---|
| 1956 | */
|
---|
| 1957 | got_common_suite = 0;
|
---|
| 1958 | ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
|
---|
| 1959 | ciphersuite_info = NULL;
|
---|
| 1960 | #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
---|
| 1961 | for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
|
---|
| 1962 | for( i = 0; ciphersuites[i] != 0; i++ )
|
---|
| 1963 | #else
|
---|
| 1964 | for( i = 0; ciphersuites[i] != 0; i++ )
|
---|
| 1965 | for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
|
---|
| 1966 | #endif
|
---|
| 1967 | {
|
---|
| 1968 | if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
|
---|
| 1969 | p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
|
---|
| 1970 | continue;
|
---|
| 1971 |
|
---|
| 1972 | got_common_suite = 1;
|
---|
| 1973 |
|
---|
| 1974 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
|
---|
| 1975 | &ciphersuite_info ) ) != 0 )
|
---|
| 1976 | return( ret );
|
---|
| 1977 |
|
---|
| 1978 | if( ciphersuite_info != NULL )
|
---|
| 1979 | goto have_ciphersuite;
|
---|
| 1980 | }
|
---|
| 1981 |
|
---|
| 1982 | if( got_common_suite )
|
---|
| 1983 | {
|
---|
| 1984 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
|
---|
| 1985 | "but none of them usable" ) );
|
---|
| 1986 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1987 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
| 1988 | return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
|
---|
| 1989 | }
|
---|
| 1990 | else
|
---|
| 1991 | {
|
---|
| 1992 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
|
---|
| 1993 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 1994 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
---|
| 1995 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
|
---|
| 1996 | }
|
---|
| 1997 |
|
---|
| 1998 | have_ciphersuite:
|
---|
| 1999 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
|
---|
| 2000 |
|
---|
| 2001 | ssl->session_negotiate->ciphersuite = ciphersuites[i];
|
---|
| 2002 | ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
|
---|
| 2003 |
|
---|
| 2004 | ssl->state++;
|
---|
| 2005 |
|
---|
| 2006 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 2007 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
| 2008 | mbedtls_ssl_recv_flight_completed( ssl );
|
---|
| 2009 | #endif
|
---|
| 2010 |
|
---|
| 2011 | /* Debugging-only output for testsuite */
|
---|
| 2012 | #if defined(MBEDTLS_DEBUG_C) && \
|
---|
| 2013 | defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
---|
| 2014 | defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
---|
| 2015 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
| 2016 | {
|
---|
| 2017 | mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
|
---|
| 2018 | if( sig_alg != MBEDTLS_PK_NONE )
|
---|
| 2019 | {
|
---|
| 2020 | mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
|
---|
| 2021 | sig_alg );
|
---|
| 2022 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
|
---|
| 2023 | mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
|
---|
| 2024 | }
|
---|
| 2025 | else
|
---|
| 2026 | {
|
---|
| 2027 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
|
---|
| 2028 | "%d - should not happen", sig_alg ) );
|
---|
| 2029 | }
|
---|
| 2030 | }
|
---|
| 2031 | #endif
|
---|
| 2032 |
|
---|
| 2033 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
|
---|
| 2034 |
|
---|
| 2035 | return( 0 );
|
---|
| 2036 | }
|
---|
| 2037 |
|
---|
| 2038 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
---|
| 2039 | static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
---|
| 2040 | unsigned char *buf,
|
---|
| 2041 | size_t *olen )
|
---|
| 2042 | {
|
---|
| 2043 | unsigned char *p = buf;
|
---|
| 2044 |
|
---|
| 2045 | if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
|
---|
| 2046 | {
|
---|
| 2047 | *olen = 0;
|
---|
| 2048 | return;
|
---|
| 2049 | }
|
---|
| 2050 |
|
---|
| 2051 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
|
---|
| 2052 |
|
---|
| 2053 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
|
---|
| 2054 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
|
---|
| 2055 |
|
---|
| 2056 | *p++ = 0x00;
|
---|
| 2057 | *p++ = 0x00;
|
---|
| 2058 |
|
---|
| 2059 | *olen = 4;
|
---|
| 2060 | }
|
---|
| 2061 | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
---|
| 2062 |
|
---|
| 2063 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
---|
| 2064 | static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
---|
| 2065 | unsigned char *buf,
|
---|
| 2066 | size_t *olen )
|
---|
| 2067 | {
|
---|
| 2068 | unsigned char *p = buf;
|
---|
| 2069 | const mbedtls_ssl_ciphersuite_t *suite = NULL;
|
---|
| 2070 | const mbedtls_cipher_info_t *cipher = NULL;
|
---|
| 2071 |
|
---|
| 2072 | if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
---|
| 2073 | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
---|
| 2074 | {
|
---|
| 2075 | *olen = 0;
|
---|
| 2076 | return;
|
---|
| 2077 | }
|
---|
| 2078 |
|
---|
| 2079 | /*
|
---|
| 2080 | * RFC 7366: "If a server receives an encrypt-then-MAC request extension
|
---|
| 2081 | * from a client and then selects a stream or Authenticated Encryption
|
---|
| 2082 | * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
|
---|
| 2083 | * encrypt-then-MAC response extension back to the client."
|
---|
| 2084 | */
|
---|
| 2085 | if( ( suite = mbedtls_ssl_ciphersuite_from_id(
|
---|
| 2086 | ssl->session_negotiate->ciphersuite ) ) == NULL ||
|
---|
| 2087 | ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
|
---|
| 2088 | cipher->mode != MBEDTLS_MODE_CBC )
|
---|
| 2089 | {
|
---|
| 2090 | *olen = 0;
|
---|
| 2091 | return;
|
---|
| 2092 | }
|
---|
| 2093 |
|
---|
| 2094 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
|
---|
| 2095 |
|
---|
| 2096 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
|
---|
| 2097 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
|
---|
| 2098 |
|
---|
| 2099 | *p++ = 0x00;
|
---|
| 2100 | *p++ = 0x00;
|
---|
| 2101 |
|
---|
| 2102 | *olen = 4;
|
---|
| 2103 | }
|
---|
| 2104 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
|
---|
| 2105 |
|
---|
| 2106 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
---|
| 2107 | static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
|
---|
| 2108 | unsigned char *buf,
|
---|
| 2109 | size_t *olen )
|
---|
| 2110 | {
|
---|
| 2111 | unsigned char *p = buf;
|
---|
| 2112 |
|
---|
| 2113 | if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
---|
| 2114 | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
---|
| 2115 | {
|
---|
| 2116 | *olen = 0;
|
---|
| 2117 | return;
|
---|
| 2118 | }
|
---|
| 2119 |
|
---|
| 2120 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
|
---|
| 2121 | "extension" ) );
|
---|
| 2122 |
|
---|
| 2123 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
|
---|
| 2124 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
|
---|
| 2125 |
|
---|
| 2126 | *p++ = 0x00;
|
---|
| 2127 | *p++ = 0x00;
|
---|
| 2128 |
|
---|
| 2129 | *olen = 4;
|
---|
| 2130 | }
|
---|
| 2131 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
---|
| 2132 |
|
---|
| 2133 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
| 2134 | static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
|
---|
| 2135 | unsigned char *buf,
|
---|
| 2136 | size_t *olen )
|
---|
| 2137 | {
|
---|
| 2138 | unsigned char *p = buf;
|
---|
| 2139 |
|
---|
| 2140 | if( ssl->handshake->new_session_ticket == 0 )
|
---|
| 2141 | {
|
---|
| 2142 | *olen = 0;
|
---|
| 2143 | return;
|
---|
| 2144 | }
|
---|
| 2145 |
|
---|
| 2146 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
|
---|
| 2147 |
|
---|
| 2148 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
|
---|
| 2149 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
|
---|
| 2150 |
|
---|
| 2151 | *p++ = 0x00;
|
---|
| 2152 | *p++ = 0x00;
|
---|
| 2153 |
|
---|
| 2154 | *olen = 4;
|
---|
| 2155 | }
|
---|
| 2156 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
| 2157 |
|
---|
| 2158 | static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
|
---|
| 2159 | unsigned char *buf,
|
---|
| 2160 | size_t *olen )
|
---|
| 2161 | {
|
---|
| 2162 | unsigned char *p = buf;
|
---|
| 2163 |
|
---|
| 2164 | if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
|
---|
| 2165 | {
|
---|
| 2166 | *olen = 0;
|
---|
| 2167 | return;
|
---|
| 2168 | }
|
---|
| 2169 |
|
---|
| 2170 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
|
---|
| 2171 |
|
---|
| 2172 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
|
---|
| 2173 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
|
---|
| 2174 |
|
---|
| 2175 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 2176 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
---|
| 2177 | {
|
---|
| 2178 | *p++ = 0x00;
|
---|
| 2179 | *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
|
---|
| 2180 | *p++ = ssl->verify_data_len * 2 & 0xFF;
|
---|
| 2181 |
|
---|
| 2182 | memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
|
---|
| 2183 | p += ssl->verify_data_len;
|
---|
| 2184 | memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
|
---|
| 2185 | p += ssl->verify_data_len;
|
---|
| 2186 | }
|
---|
| 2187 | else
|
---|
| 2188 | #endif /* MBEDTLS_SSL_RENEGOTIATION */
|
---|
| 2189 | {
|
---|
| 2190 | *p++ = 0x00;
|
---|
| 2191 | *p++ = 0x01;
|
---|
| 2192 | *p++ = 0x00;
|
---|
| 2193 | }
|
---|
| 2194 |
|
---|
| 2195 | *olen = p - buf;
|
---|
| 2196 | }
|
---|
| 2197 |
|
---|
| 2198 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
---|
| 2199 | static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
|
---|
| 2200 | unsigned char *buf,
|
---|
| 2201 | size_t *olen )
|
---|
| 2202 | {
|
---|
| 2203 | unsigned char *p = buf;
|
---|
| 2204 |
|
---|
| 2205 | if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
|
---|
| 2206 | {
|
---|
| 2207 | *olen = 0;
|
---|
| 2208 | return;
|
---|
| 2209 | }
|
---|
| 2210 |
|
---|
| 2211 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
|
---|
| 2212 |
|
---|
| 2213 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
|
---|
| 2214 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
|
---|
| 2215 |
|
---|
| 2216 | *p++ = 0x00;
|
---|
| 2217 | *p++ = 1;
|
---|
| 2218 |
|
---|
| 2219 | *p++ = ssl->session_negotiate->mfl_code;
|
---|
| 2220 |
|
---|
| 2221 | *olen = 5;
|
---|
| 2222 | }
|
---|
| 2223 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
---|
| 2224 |
|
---|
| 2225 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
---|
| 2226 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 2227 | static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
|
---|
| 2228 | unsigned char *buf,
|
---|
| 2229 | size_t *olen )
|
---|
| 2230 | {
|
---|
| 2231 | unsigned char *p = buf;
|
---|
| 2232 | ((void) ssl);
|
---|
| 2233 |
|
---|
| 2234 | if( ( ssl->handshake->cli_exts &
|
---|
| 2235 | MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
|
---|
| 2236 | {
|
---|
| 2237 | *olen = 0;
|
---|
| 2238 | return;
|
---|
| 2239 | }
|
---|
| 2240 |
|
---|
| 2241 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
|
---|
| 2242 |
|
---|
| 2243 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
|
---|
| 2244 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
|
---|
| 2245 |
|
---|
| 2246 | *p++ = 0x00;
|
---|
| 2247 | *p++ = 2;
|
---|
| 2248 |
|
---|
| 2249 | *p++ = 1;
|
---|
| 2250 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
|
---|
| 2251 |
|
---|
| 2252 | *olen = 6;
|
---|
| 2253 | }
|
---|
| 2254 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
| 2255 |
|
---|
| 2256 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 2257 | static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
|
---|
| 2258 | unsigned char *buf,
|
---|
| 2259 | size_t *olen )
|
---|
| 2260 | {
|
---|
| 2261 | int ret;
|
---|
| 2262 | unsigned char *p = buf;
|
---|
| 2263 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
---|
| 2264 | size_t kkpp_len;
|
---|
| 2265 |
|
---|
| 2266 | *olen = 0;
|
---|
| 2267 |
|
---|
| 2268 | /* Skip costly computation if not needed */
|
---|
| 2269 | if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
|
---|
| 2270 | MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
---|
| 2271 | return;
|
---|
| 2272 |
|
---|
| 2273 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
|
---|
| 2274 |
|
---|
| 2275 | if( end - p < 4 )
|
---|
| 2276 | {
|
---|
| 2277 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
|
---|
| 2278 | return;
|
---|
| 2279 | }
|
---|
| 2280 |
|
---|
| 2281 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
|
---|
| 2282 | *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
|
---|
| 2283 |
|
---|
| 2284 | ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
|
---|
| 2285 | p + 2, end - p - 2, &kkpp_len,
|
---|
| 2286 | ssl->conf->f_rng, ssl->conf->p_rng );
|
---|
| 2287 | if( ret != 0 )
|
---|
| 2288 | {
|
---|
| 2289 | MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
|
---|
| 2290 | return;
|
---|
| 2291 | }
|
---|
| 2292 |
|
---|
| 2293 | *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
|
---|
| 2294 | *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
|
---|
| 2295 |
|
---|
| 2296 | *olen = kkpp_len + 4;
|
---|
| 2297 | }
|
---|
| 2298 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
| 2299 |
|
---|
| 2300 | #if defined(MBEDTLS_SSL_ALPN )
|
---|
| 2301 | static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
|
---|
| 2302 | unsigned char *buf, size_t *olen )
|
---|
| 2303 | {
|
---|
| 2304 | if( ssl->alpn_chosen == NULL )
|
---|
| 2305 | {
|
---|
| 2306 | *olen = 0;
|
---|
| 2307 | return;
|
---|
| 2308 | }
|
---|
| 2309 |
|
---|
| 2310 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
|
---|
| 2311 |
|
---|
| 2312 | /*
|
---|
| 2313 | * 0 . 1 ext identifier
|
---|
| 2314 | * 2 . 3 ext length
|
---|
| 2315 | * 4 . 5 protocol list length
|
---|
| 2316 | * 6 . 6 protocol name length
|
---|
| 2317 | * 7 . 7+n protocol name
|
---|
| 2318 | */
|
---|
| 2319 | buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
|
---|
| 2320 | buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
|
---|
| 2321 |
|
---|
| 2322 | *olen = 7 + strlen( ssl->alpn_chosen );
|
---|
| 2323 |
|
---|
| 2324 | buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
|
---|
| 2325 | buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
|
---|
| 2326 |
|
---|
| 2327 | buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
|
---|
| 2328 | buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
|
---|
| 2329 |
|
---|
| 2330 | buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
|
---|
| 2331 |
|
---|
| 2332 | memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
|
---|
| 2333 | }
|
---|
| 2334 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
|
---|
| 2335 |
|
---|
| 2336 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
|
---|
| 2337 | static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
|
---|
| 2338 | {
|
---|
| 2339 | int ret;
|
---|
| 2340 | unsigned char *p = ssl->out_msg + 4;
|
---|
| 2341 | unsigned char *cookie_len_byte;
|
---|
| 2342 |
|
---|
| 2343 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
|
---|
| 2344 |
|
---|
| 2345 | /*
|
---|
| 2346 | * struct {
|
---|
| 2347 | * ProtocolVersion server_version;
|
---|
| 2348 | * opaque cookie<0..2^8-1>;
|
---|
| 2349 | * } HelloVerifyRequest;
|
---|
| 2350 | */
|
---|
| 2351 |
|
---|
| 2352 | /* The RFC is not clear on this point, but sending the actual negotiated
|
---|
| 2353 | * version looks like the most interoperable thing to do. */
|
---|
| 2354 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
---|
| 2355 | ssl->conf->transport, p );
|
---|
| 2356 | MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
|
---|
| 2357 | p += 2;
|
---|
| 2358 |
|
---|
| 2359 | /* If we get here, f_cookie_check is not null */
|
---|
| 2360 | if( ssl->conf->f_cookie_write == NULL )
|
---|
| 2361 | {
|
---|
| 2362 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
|
---|
| 2363 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
| 2364 | }
|
---|
| 2365 |
|
---|
| 2366 | /* Skip length byte until we know the length */
|
---|
| 2367 | cookie_len_byte = p++;
|
---|
| 2368 |
|
---|
| 2369 | if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
|
---|
| 2370 | &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
|
---|
| 2371 | ssl->cli_id, ssl->cli_id_len ) ) != 0 )
|
---|
| 2372 | {
|
---|
| 2373 | MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
|
---|
| 2374 | return( ret );
|
---|
| 2375 | }
|
---|
| 2376 |
|
---|
| 2377 | *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
|
---|
| 2378 |
|
---|
| 2379 | MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
|
---|
| 2380 |
|
---|
| 2381 | ssl->out_msglen = p - ssl->out_msg;
|
---|
| 2382 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
| 2383 | ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
|
---|
| 2384 |
|
---|
| 2385 | ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
|
---|
| 2386 |
|
---|
| 2387 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
|
---|
| 2388 | {
|
---|
| 2389 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
|
---|
| 2390 | return( ret );
|
---|
| 2391 | }
|
---|
| 2392 |
|
---|
| 2393 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 2394 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
---|
| 2395 | ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
|
---|
| 2396 | {
|
---|
| 2397 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
|
---|
| 2398 | return( ret );
|
---|
| 2399 | }
|
---|
| 2400 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
| 2401 |
|
---|
| 2402 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
|
---|
| 2403 |
|
---|
| 2404 | return( 0 );
|
---|
| 2405 | }
|
---|
| 2406 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
|
---|
| 2407 |
|
---|
| 2408 | static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
---|
| 2409 | {
|
---|
| 2410 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
| 2411 | mbedtls_time_t t;
|
---|
| 2412 | #endif
|
---|
| 2413 | int ret;
|
---|
| 2414 | size_t olen, ext_len = 0, n;
|
---|
| 2415 | unsigned char *buf, *p;
|
---|
| 2416 |
|
---|
| 2417 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
|
---|
| 2418 |
|
---|
| 2419 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
|
---|
| 2420 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
---|
| 2421 | ssl->handshake->verify_cookie_len != 0 )
|
---|
| 2422 | {
|
---|
| 2423 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
|
---|
| 2424 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
|
---|
| 2425 |
|
---|
| 2426 | return( ssl_write_hello_verify_request( ssl ) );
|
---|
| 2427 | }
|
---|
| 2428 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
|
---|
| 2429 |
|
---|
| 2430 | if( ssl->conf->f_rng == NULL )
|
---|
| 2431 | {
|
---|
| 2432 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
|
---|
| 2433 | return( MBEDTLS_ERR_SSL_NO_RNG );
|
---|
| 2434 | }
|
---|
| 2435 |
|
---|
| 2436 | /*
|
---|
| 2437 | * 0 . 0 handshake type
|
---|
| 2438 | * 1 . 3 handshake length
|
---|
| 2439 | * 4 . 5 protocol version
|
---|
| 2440 | * 6 . 9 UNIX time()
|
---|
| 2441 | * 10 . 37 random bytes
|
---|
| 2442 | */
|
---|
| 2443 | buf = ssl->out_msg;
|
---|
| 2444 | p = buf + 4;
|
---|
| 2445 |
|
---|
| 2446 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
---|
| 2447 | ssl->conf->transport, p );
|
---|
| 2448 | p += 2;
|
---|
| 2449 |
|
---|
| 2450 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
|
---|
| 2451 | buf[4], buf[5] ) );
|
---|
| 2452 |
|
---|
| 2453 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
| 2454 | t = mbedtls_time( NULL );
|
---|
| 2455 | *p++ = (unsigned char)( t >> 24 );
|
---|
| 2456 | *p++ = (unsigned char)( t >> 16 );
|
---|
| 2457 | *p++ = (unsigned char)( t >> 8 );
|
---|
| 2458 | *p++ = (unsigned char)( t );
|
---|
| 2459 |
|
---|
| 2460 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
|
---|
| 2461 | #else
|
---|
| 2462 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
|
---|
| 2463 | return( ret );
|
---|
| 2464 |
|
---|
| 2465 | p += 4;
|
---|
| 2466 | #endif /* MBEDTLS_HAVE_TIME */
|
---|
| 2467 |
|
---|
| 2468 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
|
---|
| 2469 | return( ret );
|
---|
| 2470 |
|
---|
| 2471 | p += 28;
|
---|
| 2472 |
|
---|
| 2473 | memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
|
---|
| 2474 |
|
---|
| 2475 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
|
---|
| 2476 |
|
---|
| 2477 | /*
|
---|
| 2478 | * Resume is 0 by default, see ssl_handshake_init().
|
---|
| 2479 | * It may be already set to 1 by ssl_parse_session_ticket_ext().
|
---|
| 2480 | * If not, try looking up session ID in our cache.
|
---|
| 2481 | */
|
---|
| 2482 | if( ssl->handshake->resume == 0 &&
|
---|
| 2483 | #if defined(MBEDTLS_SSL_RENEGOTIATION)
|
---|
| 2484 | ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
|
---|
| 2485 | #endif
|
---|
| 2486 | ssl->session_negotiate->id_len != 0 &&
|
---|
| 2487 | ssl->conf->f_get_cache != NULL &&
|
---|
| 2488 | ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
|
---|
| 2489 | {
|
---|
| 2490 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
|
---|
| 2491 | ssl->handshake->resume = 1;
|
---|
| 2492 | }
|
---|
| 2493 |
|
---|
| 2494 | if( ssl->handshake->resume == 0 )
|
---|
| 2495 | {
|
---|
| 2496 | /*
|
---|
| 2497 | * New session, create a new session id,
|
---|
| 2498 | * unless we're about to issue a session ticket
|
---|
| 2499 | */
|
---|
| 2500 | ssl->state++;
|
---|
| 2501 |
|
---|
| 2502 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
| 2503 | ssl->session_negotiate->start = mbedtls_time( NULL );
|
---|
| 2504 | #endif
|
---|
| 2505 |
|
---|
| 2506 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
| 2507 | if( ssl->handshake->new_session_ticket != 0 )
|
---|
| 2508 | {
|
---|
| 2509 | ssl->session_negotiate->id_len = n = 0;
|
---|
| 2510 | memset( ssl->session_negotiate->id, 0, 32 );
|
---|
| 2511 | }
|
---|
| 2512 | else
|
---|
| 2513 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
| 2514 | {
|
---|
| 2515 | ssl->session_negotiate->id_len = n = 32;
|
---|
| 2516 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
|
---|
| 2517 | n ) ) != 0 )
|
---|
| 2518 | return( ret );
|
---|
| 2519 | }
|
---|
| 2520 | }
|
---|
| 2521 | else
|
---|
| 2522 | {
|
---|
| 2523 | /*
|
---|
| 2524 | * Resuming a session
|
---|
| 2525 | */
|
---|
| 2526 | n = ssl->session_negotiate->id_len;
|
---|
| 2527 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
|
---|
| 2528 |
|
---|
| 2529 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
|
---|
| 2530 | {
|
---|
| 2531 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
|
---|
| 2532 | return( ret );
|
---|
| 2533 | }
|
---|
| 2534 | }
|
---|
| 2535 |
|
---|
| 2536 | /*
|
---|
| 2537 | * 38 . 38 session id length
|
---|
| 2538 | * 39 . 38+n session id
|
---|
| 2539 | * 39+n . 40+n chosen ciphersuite
|
---|
| 2540 | * 41+n . 41+n chosen compression alg.
|
---|
| 2541 | * 42+n . 43+n extensions length
|
---|
| 2542 | * 44+n . 43+n+m extensions
|
---|
| 2543 | */
|
---|
| 2544 | *p++ = (unsigned char) ssl->session_negotiate->id_len;
|
---|
| 2545 | memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
|
---|
| 2546 | p += ssl->session_negotiate->id_len;
|
---|
| 2547 |
|
---|
| 2548 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
|
---|
| 2549 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
|
---|
| 2550 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
|
---|
| 2551 | ssl->handshake->resume ? "a" : "no" ) );
|
---|
| 2552 |
|
---|
| 2553 | *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
|
---|
| 2554 | *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
|
---|
| 2555 | *p++ = (unsigned char)( ssl->session_negotiate->compression );
|
---|
| 2556 |
|
---|
| 2557 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
|
---|
| 2558 | mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
|
---|
| 2559 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
|
---|
| 2560 | ssl->session_negotiate->compression ) );
|
---|
| 2561 |
|
---|
| 2562 | /* Do not write the extensions if the protocol is SSLv3 */
|
---|
| 2563 | #if defined(MBEDTLS_SSL_PROTO_SSL3)
|
---|
| 2564 | if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
|
---|
| 2565 | {
|
---|
| 2566 | #endif
|
---|
| 2567 |
|
---|
| 2568 | /*
|
---|
| 2569 | * First write extensions, then the total length
|
---|
| 2570 | */
|
---|
| 2571 | ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
|
---|
| 2572 | ext_len += olen;
|
---|
| 2573 |
|
---|
| 2574 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
---|
| 2575 | ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
|
---|
| 2576 | ext_len += olen;
|
---|
| 2577 | #endif
|
---|
| 2578 |
|
---|
| 2579 | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
---|
| 2580 | ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
|
---|
| 2581 | ext_len += olen;
|
---|
| 2582 | #endif
|
---|
| 2583 |
|
---|
| 2584 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
---|
| 2585 | ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
|
---|
| 2586 | ext_len += olen;
|
---|
| 2587 | #endif
|
---|
| 2588 |
|
---|
| 2589 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
---|
| 2590 | ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
|
---|
| 2591 | ext_len += olen;
|
---|
| 2592 | #endif
|
---|
| 2593 |
|
---|
| 2594 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
| 2595 | ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
|
---|
| 2596 | ext_len += olen;
|
---|
| 2597 | #endif
|
---|
| 2598 |
|
---|
| 2599 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
---|
| 2600 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 2601 | if ( mbedtls_ssl_ciphersuite_uses_ec(
|
---|
| 2602 | mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
|
---|
| 2603 | {
|
---|
| 2604 | ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
|
---|
| 2605 | ext_len += olen;
|
---|
| 2606 | }
|
---|
| 2607 | #endif
|
---|
| 2608 |
|
---|
| 2609 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 2610 | ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
|
---|
| 2611 | ext_len += olen;
|
---|
| 2612 | #endif
|
---|
| 2613 |
|
---|
| 2614 | #if defined(MBEDTLS_SSL_ALPN)
|
---|
| 2615 | ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
|
---|
| 2616 | ext_len += olen;
|
---|
| 2617 | #endif
|
---|
| 2618 |
|
---|
| 2619 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
|
---|
| 2620 |
|
---|
| 2621 | if( ext_len > 0 )
|
---|
| 2622 | {
|
---|
| 2623 | *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
|
---|
| 2624 | *p++ = (unsigned char)( ( ext_len ) & 0xFF );
|
---|
| 2625 | p += ext_len;
|
---|
| 2626 | }
|
---|
| 2627 |
|
---|
| 2628 | #if defined(MBEDTLS_SSL_PROTO_SSL3)
|
---|
| 2629 | }
|
---|
| 2630 | #endif
|
---|
| 2631 |
|
---|
| 2632 | ssl->out_msglen = p - buf;
|
---|
| 2633 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
| 2634 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
|
---|
| 2635 |
|
---|
| 2636 | ret = mbedtls_ssl_write_handshake_msg( ssl );
|
---|
| 2637 |
|
---|
| 2638 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
|
---|
| 2639 |
|
---|
| 2640 | return( ret );
|
---|
| 2641 | }
|
---|
| 2642 |
|
---|
| 2643 | #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
|
---|
| 2644 | !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
|
---|
| 2645 | !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
|
---|
| 2646 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
|
---|
| 2647 | !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
|
---|
| 2648 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
---|
| 2649 | static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
---|
| 2650 | {
|
---|
| 2651 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
| 2652 | ssl->transform_negotiate->ciphersuite_info;
|
---|
| 2653 |
|
---|
| 2654 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
|
---|
| 2655 |
|
---|
| 2656 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
---|
| 2657 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
---|
| 2658 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
---|
| 2659 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
---|
| 2660 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
---|
| 2661 | {
|
---|
| 2662 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
|
---|
| 2663 | ssl->state++;
|
---|
| 2664 | return( 0 );
|
---|
| 2665 | }
|
---|
| 2666 |
|
---|
| 2667 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
| 2668 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
| 2669 | }
|
---|
| 2670 | #else
|
---|
| 2671 | static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
---|
| 2672 | {
|
---|
| 2673 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
---|
| 2674 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
| 2675 | ssl->transform_negotiate->ciphersuite_info;
|
---|
| 2676 | size_t dn_size, total_dn_size; /* excluding length bytes */
|
---|
| 2677 | size_t ct_len, sa_len; /* including length bytes */
|
---|
| 2678 | unsigned char *buf, *p;
|
---|
| 2679 | const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
---|
| 2680 | const mbedtls_x509_crt *crt;
|
---|
| 2681 | int authmode;
|
---|
| 2682 |
|
---|
| 2683 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
|
---|
| 2684 |
|
---|
| 2685 | ssl->state++;
|
---|
| 2686 |
|
---|
| 2687 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
---|
| 2688 | if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
|
---|
| 2689 | authmode = ssl->handshake->sni_authmode;
|
---|
| 2690 | else
|
---|
| 2691 | #endif
|
---|
| 2692 | authmode = ssl->conf->authmode;
|
---|
| 2693 |
|
---|
| 2694 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
---|
| 2695 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
---|
| 2696 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
---|
| 2697 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
---|
| 2698 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
|
---|
| 2699 | authmode == MBEDTLS_SSL_VERIFY_NONE )
|
---|
| 2700 | {
|
---|
| 2701 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
|
---|
| 2702 | return( 0 );
|
---|
| 2703 | }
|
---|
| 2704 |
|
---|
| 2705 | /*
|
---|
| 2706 | * 0 . 0 handshake type
|
---|
| 2707 | * 1 . 3 handshake length
|
---|
| 2708 | * 4 . 4 cert type count
|
---|
| 2709 | * 5 .. m-1 cert types
|
---|
| 2710 | * m .. m+1 sig alg length (TLS 1.2 only)
|
---|
| 2711 | * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
|
---|
| 2712 | * n .. n+1 length of all DNs
|
---|
| 2713 | * n+2 .. n+3 length of DN 1
|
---|
| 2714 | * n+4 .. ... Distinguished Name #1
|
---|
| 2715 | * ... .. ... length of DN 2, etc.
|
---|
| 2716 | */
|
---|
| 2717 | buf = ssl->out_msg;
|
---|
| 2718 | p = buf + 4;
|
---|
| 2719 |
|
---|
| 2720 | /*
|
---|
| 2721 | * Supported certificate types
|
---|
| 2722 | *
|
---|
| 2723 | * ClientCertificateType certificate_types<1..2^8-1>;
|
---|
| 2724 | * enum { (255) } ClientCertificateType;
|
---|
| 2725 | */
|
---|
| 2726 | ct_len = 0;
|
---|
| 2727 |
|
---|
| 2728 | #if defined(MBEDTLS_RSA_C)
|
---|
| 2729 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
|
---|
| 2730 | #endif
|
---|
| 2731 | #if defined(MBEDTLS_ECDSA_C)
|
---|
| 2732 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
|
---|
| 2733 | #endif
|
---|
| 2734 |
|
---|
| 2735 | p[0] = (unsigned char) ct_len++;
|
---|
| 2736 | p += ct_len;
|
---|
| 2737 |
|
---|
| 2738 | sa_len = 0;
|
---|
| 2739 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
| 2740 | /*
|
---|
| 2741 | * Add signature_algorithms for verify (TLS 1.2)
|
---|
| 2742 | *
|
---|
| 2743 | * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
|
---|
| 2744 | *
|
---|
| 2745 | * struct {
|
---|
| 2746 | * HashAlgorithm hash;
|
---|
| 2747 | * SignatureAlgorithm signature;
|
---|
| 2748 | * } SignatureAndHashAlgorithm;
|
---|
| 2749 | *
|
---|
| 2750 | * enum { (255) } HashAlgorithm;
|
---|
| 2751 | * enum { (255) } SignatureAlgorithm;
|
---|
| 2752 | */
|
---|
| 2753 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
| 2754 | {
|
---|
| 2755 | const int *cur;
|
---|
| 2756 |
|
---|
| 2757 | /*
|
---|
| 2758 | * Supported signature algorithms
|
---|
| 2759 | */
|
---|
| 2760 | for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
|
---|
| 2761 | {
|
---|
| 2762 | unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
|
---|
| 2763 |
|
---|
| 2764 | if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
|
---|
| 2765 | continue;
|
---|
| 2766 |
|
---|
| 2767 | #if defined(MBEDTLS_RSA_C)
|
---|
| 2768 | p[2 + sa_len++] = hash;
|
---|
| 2769 | p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
|
---|
| 2770 | #endif
|
---|
| 2771 | #if defined(MBEDTLS_ECDSA_C)
|
---|
| 2772 | p[2 + sa_len++] = hash;
|
---|
| 2773 | p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
|
---|
| 2774 | #endif
|
---|
| 2775 | }
|
---|
| 2776 |
|
---|
| 2777 | p[0] = (unsigned char)( sa_len >> 8 );
|
---|
| 2778 | p[1] = (unsigned char)( sa_len );
|
---|
| 2779 | sa_len += 2;
|
---|
| 2780 | p += sa_len;
|
---|
| 2781 | }
|
---|
| 2782 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
---|
| 2783 |
|
---|
| 2784 | /*
|
---|
| 2785 | * DistinguishedName certificate_authorities<0..2^16-1>;
|
---|
| 2786 | * opaque DistinguishedName<1..2^16-1>;
|
---|
| 2787 | */
|
---|
| 2788 | p += 2;
|
---|
| 2789 |
|
---|
| 2790 | total_dn_size = 0;
|
---|
| 2791 |
|
---|
| 2792 | if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
|
---|
| 2793 | {
|
---|
| 2794 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
---|
| 2795 | if( ssl->handshake->sni_ca_chain != NULL )
|
---|
| 2796 | crt = ssl->handshake->sni_ca_chain;
|
---|
| 2797 | else
|
---|
| 2798 | #endif
|
---|
| 2799 | crt = ssl->conf->ca_chain;
|
---|
| 2800 |
|
---|
| 2801 | while( crt != NULL && crt->version != 0 )
|
---|
| 2802 | {
|
---|
| 2803 | dn_size = crt->subject_raw.len;
|
---|
| 2804 |
|
---|
| 2805 | if( end < p ||
|
---|
| 2806 | (size_t)( end - p ) < dn_size ||
|
---|
| 2807 | (size_t)( end - p ) < 2 + dn_size )
|
---|
| 2808 | {
|
---|
| 2809 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
|
---|
| 2810 | break;
|
---|
| 2811 | }
|
---|
| 2812 |
|
---|
| 2813 | *p++ = (unsigned char)( dn_size >> 8 );
|
---|
| 2814 | *p++ = (unsigned char)( dn_size );
|
---|
| 2815 | memcpy( p, crt->subject_raw.p, dn_size );
|
---|
| 2816 | p += dn_size;
|
---|
| 2817 |
|
---|
| 2818 | MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
|
---|
| 2819 |
|
---|
| 2820 | total_dn_size += 2 + dn_size;
|
---|
| 2821 | crt = crt->next;
|
---|
| 2822 | }
|
---|
| 2823 | }
|
---|
| 2824 |
|
---|
| 2825 | ssl->out_msglen = p - buf;
|
---|
| 2826 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
| 2827 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
|
---|
| 2828 | ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
|
---|
| 2829 | ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
|
---|
| 2830 |
|
---|
| 2831 | ret = mbedtls_ssl_write_handshake_msg( ssl );
|
---|
| 2832 |
|
---|
| 2833 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
|
---|
| 2834 |
|
---|
| 2835 | return( ret );
|
---|
| 2836 | }
|
---|
| 2837 | #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
|
---|
| 2838 | !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
|
---|
| 2839 | !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
|
---|
| 2840 | !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
|
---|
| 2841 | !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
|
---|
| 2842 | !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
---|
| 2843 |
|
---|
| 2844 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
---|
| 2845 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
---|
| 2846 | static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
|
---|
| 2847 | {
|
---|
| 2848 | int ret;
|
---|
| 2849 |
|
---|
| 2850 | if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
|
---|
| 2851 | {
|
---|
| 2852 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
|
---|
| 2853 | return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
|
---|
| 2854 | }
|
---|
| 2855 |
|
---|
| 2856 | if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
|
---|
| 2857 | mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
|
---|
| 2858 | MBEDTLS_ECDH_OURS ) ) != 0 )
|
---|
| 2859 | {
|
---|
| 2860 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
|
---|
| 2861 | return( ret );
|
---|
| 2862 | }
|
---|
| 2863 |
|
---|
| 2864 | return( 0 );
|
---|
| 2865 | }
|
---|
| 2866 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
|
---|
| 2867 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
|
---|
| 2868 |
|
---|
| 2869 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
|
---|
| 2870 | defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
| 2871 | static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
|
---|
| 2872 | size_t *signature_len )
|
---|
| 2873 | {
|
---|
| 2874 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the
|
---|
| 2875 | * signature length which will be added in ssl_write_server_key_exchange
|
---|
| 2876 | * after the call to ssl_prepare_server_key_exchange.
|
---|
| 2877 | * ssl_write_server_key_exchange also takes care of incrementing
|
---|
| 2878 | * ssl->out_msglen. */
|
---|
| 2879 | unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
|
---|
| 2880 | size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
|
---|
| 2881 | - sig_start );
|
---|
| 2882 | int ret = ssl->conf->f_async_resume( ssl,
|
---|
| 2883 | sig_start, signature_len, sig_max_len );
|
---|
| 2884 | if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
|
---|
| 2885 | {
|
---|
| 2886 | ssl->handshake->async_in_progress = 0;
|
---|
| 2887 | mbedtls_ssl_set_async_operation_data( ssl, NULL );
|
---|
| 2888 | }
|
---|
| 2889 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
|
---|
| 2890 | return( ret );
|
---|
| 2891 | }
|
---|
| 2892 | #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
|
---|
| 2893 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
|
---|
| 2894 |
|
---|
| 2895 | /* Prepare the ServerKeyExchange message, up to and including
|
---|
| 2896 | * calculating the signature if any, but excluding formatting the
|
---|
| 2897 | * signature and sending the message. */
|
---|
| 2898 | static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
---|
| 2899 | size_t *signature_len )
|
---|
| 2900 | {
|
---|
| 2901 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
| 2902 | ssl->transform_negotiate->ciphersuite_info;
|
---|
| 2903 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
|
---|
| 2904 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
| 2905 | unsigned char *dig_signed = NULL;
|
---|
| 2906 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
---|
| 2907 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
|
---|
| 2908 |
|
---|
| 2909 | (void) ciphersuite_info; /* unused in some configurations */
|
---|
| 2910 | #if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
| 2911 | (void) signature_len;
|
---|
| 2912 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
---|
| 2913 |
|
---|
| 2914 | ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
|
---|
| 2915 |
|
---|
| 2916 | /*
|
---|
| 2917 | *
|
---|
| 2918 | * Part 1: Provide key exchange parameters for chosen ciphersuite.
|
---|
| 2919 | *
|
---|
| 2920 | */
|
---|
| 2921 |
|
---|
| 2922 | /*
|
---|
| 2923 | * - ECJPAKE key exchanges
|
---|
| 2924 | */
|
---|
| 2925 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 2926 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
---|
| 2927 | {
|
---|
| 2928 | int ret;
|
---|
| 2929 | size_t len = 0;
|
---|
| 2930 |
|
---|
| 2931 | ret = mbedtls_ecjpake_write_round_two(
|
---|
| 2932 | &ssl->handshake->ecjpake_ctx,
|
---|
| 2933 | ssl->out_msg + ssl->out_msglen,
|
---|
| 2934 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
|
---|
| 2935 | ssl->conf->f_rng, ssl->conf->p_rng );
|
---|
| 2936 | if( ret != 0 )
|
---|
| 2937 | {
|
---|
| 2938 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
|
---|
| 2939 | return( ret );
|
---|
| 2940 | }
|
---|
| 2941 |
|
---|
| 2942 | ssl->out_msglen += len;
|
---|
| 2943 | }
|
---|
| 2944 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
| 2945 |
|
---|
| 2946 | /*
|
---|
| 2947 | * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
|
---|
| 2948 | * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
|
---|
| 2949 | * we use empty support identity hints here.
|
---|
| 2950 | **/
|
---|
| 2951 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
---|
| 2952 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
---|
| 2953 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
---|
| 2954 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
---|
| 2955 | {
|
---|
| 2956 | ssl->out_msg[ssl->out_msglen++] = 0x00;
|
---|
| 2957 | ssl->out_msg[ssl->out_msglen++] = 0x00;
|
---|
| 2958 | }
|
---|
| 2959 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
|
---|
| 2960 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
---|
| 2961 |
|
---|
| 2962 | /*
|
---|
| 2963 | * - DHE key exchanges
|
---|
| 2964 | */
|
---|
| 2965 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
|
---|
| 2966 | if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
|
---|
| 2967 | {
|
---|
| 2968 | int ret;
|
---|
| 2969 | size_t len = 0;
|
---|
| 2970 |
|
---|
| 2971 | if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
|
---|
| 2972 | {
|
---|
| 2973 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
|
---|
| 2974 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
---|
| 2975 | }
|
---|
| 2976 |
|
---|
| 2977 | /*
|
---|
| 2978 | * Ephemeral DH parameters:
|
---|
| 2979 | *
|
---|
| 2980 | * struct {
|
---|
| 2981 | * opaque dh_p<1..2^16-1>;
|
---|
| 2982 | * opaque dh_g<1..2^16-1>;
|
---|
| 2983 | * opaque dh_Ys<1..2^16-1>;
|
---|
| 2984 | * } ServerDHParams;
|
---|
| 2985 | */
|
---|
| 2986 | if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx,
|
---|
| 2987 | &ssl->conf->dhm_P,
|
---|
| 2988 | &ssl->conf->dhm_G ) ) != 0 )
|
---|
| 2989 | {
|
---|
| 2990 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret );
|
---|
| 2991 | return( ret );
|
---|
| 2992 | }
|
---|
| 2993 |
|
---|
| 2994 | if( ( ret = mbedtls_dhm_make_params(
|
---|
| 2995 | &ssl->handshake->dhm_ctx,
|
---|
| 2996 | (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
|
---|
| 2997 | ssl->out_msg + ssl->out_msglen, &len,
|
---|
| 2998 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
---|
| 2999 | {
|
---|
| 3000 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
|
---|
| 3001 | return( ret );
|
---|
| 3002 | }
|
---|
| 3003 |
|
---|
| 3004 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
| 3005 | dig_signed = ssl->out_msg + ssl->out_msglen;
|
---|
| 3006 | #endif
|
---|
| 3007 |
|
---|
| 3008 | ssl->out_msglen += len;
|
---|
| 3009 |
|
---|
| 3010 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
|
---|
| 3011 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
|
---|
| 3012 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
|
---|
| 3013 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
|
---|
| 3014 | }
|
---|
| 3015 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
|
---|
| 3016 |
|
---|
| 3017 | /*
|
---|
| 3018 | * - ECDHE key exchanges
|
---|
| 3019 | */
|
---|
| 3020 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
|
---|
| 3021 | if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
|
---|
| 3022 | {
|
---|
| 3023 | /*
|
---|
| 3024 | * Ephemeral ECDH parameters:
|
---|
| 3025 | *
|
---|
| 3026 | * struct {
|
---|
| 3027 | * ECParameters curve_params;
|
---|
| 3028 | * ECPoint public;
|
---|
| 3029 | * } ServerECDHParams;
|
---|
| 3030 | */
|
---|
| 3031 | const mbedtls_ecp_curve_info **curve = NULL;
|
---|
| 3032 | const mbedtls_ecp_group_id *gid;
|
---|
| 3033 | int ret;
|
---|
| 3034 | size_t len = 0;
|
---|
| 3035 |
|
---|
| 3036 | /* Match our preference list against the offered curves */
|
---|
| 3037 | for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
|
---|
| 3038 | for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
|
---|
| 3039 | if( (*curve)->grp_id == *gid )
|
---|
| 3040 | goto curve_matching_done;
|
---|
| 3041 |
|
---|
| 3042 | curve_matching_done:
|
---|
| 3043 | if( curve == NULL || *curve == NULL )
|
---|
| 3044 | {
|
---|
| 3045 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
|
---|
| 3046 | return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
|
---|
| 3047 | }
|
---|
| 3048 |
|
---|
| 3049 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
|
---|
| 3050 |
|
---|
| 3051 | if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
|
---|
| 3052 | (*curve)->grp_id ) ) != 0 )
|
---|
| 3053 | {
|
---|
| 3054 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
|
---|
| 3055 | return( ret );
|
---|
| 3056 | }
|
---|
| 3057 |
|
---|
| 3058 | if( ( ret = mbedtls_ecdh_make_params(
|
---|
| 3059 | &ssl->handshake->ecdh_ctx, &len,
|
---|
| 3060 | ssl->out_msg + ssl->out_msglen,
|
---|
| 3061 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
|
---|
| 3062 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
---|
| 3063 | {
|
---|
| 3064 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
|
---|
| 3065 | return( ret );
|
---|
| 3066 | }
|
---|
| 3067 |
|
---|
| 3068 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
| 3069 | dig_signed = ssl->out_msg + ssl->out_msglen;
|
---|
| 3070 | #endif
|
---|
| 3071 |
|
---|
| 3072 | ssl->out_msglen += len;
|
---|
| 3073 |
|
---|
| 3074 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
---|
| 3075 | MBEDTLS_DEBUG_ECDH_Q );
|
---|
| 3076 | }
|
---|
| 3077 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
|
---|
| 3078 |
|
---|
| 3079 | /*
|
---|
| 3080 | *
|
---|
| 3081 | * Part 2: For key exchanges involving the server signing the
|
---|
| 3082 | * exchange parameters, compute and add the signature here.
|
---|
| 3083 | *
|
---|
| 3084 | */
|
---|
| 3085 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
| 3086 | if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
|
---|
| 3087 | {
|
---|
| 3088 | size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
|
---|
| 3089 | size_t hashlen = 0;
|
---|
| 3090 | unsigned char hash[MBEDTLS_MD_MAX_SIZE];
|
---|
| 3091 | int ret;
|
---|
| 3092 |
|
---|
| 3093 | /*
|
---|
| 3094 | * 2.1: Choose hash algorithm:
|
---|
| 3095 | * A: For TLS 1.2, obey signature-hash-algorithm extension
|
---|
| 3096 | * to choose appropriate hash.
|
---|
| 3097 | * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
|
---|
| 3098 | * (RFC 4492, Sec. 5.4)
|
---|
| 3099 | * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
|
---|
| 3100 | */
|
---|
| 3101 |
|
---|
| 3102 | mbedtls_md_type_t md_alg;
|
---|
| 3103 |
|
---|
| 3104 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
| 3105 | mbedtls_pk_type_t sig_alg =
|
---|
| 3106 | mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
---|
| 3107 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
| 3108 | {
|
---|
| 3109 | /* A: For TLS 1.2, obey signature-hash-algorithm extension
|
---|
| 3110 | * (RFC 5246, Sec. 7.4.1.4.1). */
|
---|
| 3111 | if( sig_alg == MBEDTLS_PK_NONE ||
|
---|
| 3112 | ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
|
---|
| 3113 | sig_alg ) ) == MBEDTLS_MD_NONE )
|
---|
| 3114 | {
|
---|
| 3115 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
| 3116 | /* (... because we choose a cipher suite
|
---|
| 3117 | * only if there is a matching hash.) */
|
---|
| 3118 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
| 3119 | }
|
---|
| 3120 | }
|
---|
| 3121 | else
|
---|
| 3122 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
---|
| 3123 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
---|
| 3124 | defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
---|
| 3125 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
---|
| 3126 | {
|
---|
| 3127 | /* B: Default hash SHA1 */
|
---|
| 3128 | md_alg = MBEDTLS_MD_SHA1;
|
---|
| 3129 | }
|
---|
| 3130 | else
|
---|
| 3131 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
|
---|
| 3132 | MBEDTLS_SSL_PROTO_TLS1_1 */
|
---|
| 3133 | {
|
---|
| 3134 | /* C: MD5 + SHA1 */
|
---|
| 3135 | md_alg = MBEDTLS_MD_NONE;
|
---|
| 3136 | }
|
---|
| 3137 |
|
---|
| 3138 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
|
---|
| 3139 |
|
---|
| 3140 | /*
|
---|
| 3141 | * 2.2: Compute the hash to be signed
|
---|
| 3142 | */
|
---|
| 3143 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
---|
| 3144 | defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
---|
| 3145 | if( md_alg == MBEDTLS_MD_NONE )
|
---|
| 3146 | {
|
---|
| 3147 | hashlen = 36;
|
---|
| 3148 | ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash,
|
---|
| 3149 | dig_signed,
|
---|
| 3150 | dig_signed_len );
|
---|
| 3151 | if( ret != 0 )
|
---|
| 3152 | return( ret );
|
---|
| 3153 | }
|
---|
| 3154 | else
|
---|
| 3155 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
|
---|
| 3156 | MBEDTLS_SSL_PROTO_TLS1_1 */
|
---|
| 3157 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
---|
| 3158 | defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
| 3159 | if( md_alg != MBEDTLS_MD_NONE )
|
---|
| 3160 | {
|
---|
| 3161 | ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
|
---|
| 3162 | dig_signed,
|
---|
| 3163 | dig_signed_len,
|
---|
| 3164 | md_alg );
|
---|
| 3165 | if( ret != 0 )
|
---|
| 3166 | return( ret );
|
---|
| 3167 | }
|
---|
| 3168 | else
|
---|
| 3169 | #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
|
---|
| 3170 | MBEDTLS_SSL_PROTO_TLS1_2 */
|
---|
| 3171 | {
|
---|
| 3172 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
| 3173 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
| 3174 | }
|
---|
| 3175 |
|
---|
| 3176 | MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
|
---|
| 3177 |
|
---|
| 3178 | /*
|
---|
| 3179 | * 2.3: Compute and add the signature
|
---|
| 3180 | */
|
---|
| 3181 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
| 3182 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
| 3183 | {
|
---|
| 3184 | /*
|
---|
| 3185 | * For TLS 1.2, we need to specify signature and hash algorithm
|
---|
| 3186 | * explicitly through a prefix to the signature.
|
---|
| 3187 | *
|
---|
| 3188 | * struct {
|
---|
| 3189 | * HashAlgorithm hash;
|
---|
| 3190 | * SignatureAlgorithm signature;
|
---|
| 3191 | * } SignatureAndHashAlgorithm;
|
---|
| 3192 | *
|
---|
| 3193 | * struct {
|
---|
| 3194 | * SignatureAndHashAlgorithm algorithm;
|
---|
| 3195 | * opaque signature<0..2^16-1>;
|
---|
| 3196 | * } DigitallySigned;
|
---|
| 3197 | *
|
---|
| 3198 | */
|
---|
| 3199 |
|
---|
| 3200 | ssl->out_msg[ssl->out_msglen++] =
|
---|
| 3201 | mbedtls_ssl_hash_from_md_alg( md_alg );
|
---|
| 3202 | ssl->out_msg[ssl->out_msglen++] =
|
---|
| 3203 | mbedtls_ssl_sig_from_pk_alg( sig_alg );
|
---|
| 3204 | }
|
---|
| 3205 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
---|
| 3206 |
|
---|
| 3207 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
| 3208 | if( ssl->conf->f_async_sign_start != NULL )
|
---|
| 3209 | {
|
---|
| 3210 | ret = ssl->conf->f_async_sign_start( ssl,
|
---|
| 3211 | mbedtls_ssl_own_cert( ssl ),
|
---|
| 3212 | md_alg, hash, hashlen );
|
---|
| 3213 | switch( ret )
|
---|
| 3214 | {
|
---|
| 3215 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
|
---|
| 3216 | /* act as if f_async_sign was null */
|
---|
| 3217 | break;
|
---|
| 3218 | case 0:
|
---|
| 3219 | ssl->handshake->async_in_progress = 1;
|
---|
| 3220 | return( ssl_resume_server_key_exchange( ssl, signature_len ) );
|
---|
| 3221 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
|
---|
| 3222 | ssl->handshake->async_in_progress = 1;
|
---|
| 3223 | return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
|
---|
| 3224 | default:
|
---|
| 3225 | MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret );
|
---|
| 3226 | return( ret );
|
---|
| 3227 | }
|
---|
| 3228 | }
|
---|
| 3229 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
| 3230 |
|
---|
| 3231 | if( mbedtls_ssl_own_key( ssl ) == NULL )
|
---|
| 3232 | {
|
---|
| 3233 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
|
---|
| 3234 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
---|
| 3235 | }
|
---|
| 3236 |
|
---|
| 3237 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the
|
---|
| 3238 | * signature length which will be added in ssl_write_server_key_exchange
|
---|
| 3239 | * after the call to ssl_prepare_server_key_exchange.
|
---|
| 3240 | * ssl_write_server_key_exchange also takes care of incrementing
|
---|
| 3241 | * ssl->out_msglen. */
|
---|
| 3242 | if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
|
---|
| 3243 | md_alg, hash, hashlen,
|
---|
| 3244 | ssl->out_msg + ssl->out_msglen + 2,
|
---|
| 3245 | signature_len,
|
---|
| 3246 | ssl->conf->f_rng,
|
---|
| 3247 | ssl->conf->p_rng ) ) != 0 )
|
---|
| 3248 | {
|
---|
| 3249 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
|
---|
| 3250 | return( ret );
|
---|
| 3251 | }
|
---|
| 3252 | }
|
---|
| 3253 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
---|
| 3254 |
|
---|
| 3255 | return( 0 );
|
---|
| 3256 | }
|
---|
| 3257 |
|
---|
| 3258 | /* Prepare the ServerKeyExchange message and send it. For ciphersuites
|
---|
| 3259 | * that do not include a ServerKeyExchange message, do nothing. Either
|
---|
| 3260 | * way, if successful, move on to the next step in the SSL state
|
---|
| 3261 | * machine. */
|
---|
| 3262 | static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
|
---|
| 3263 | {
|
---|
| 3264 | int ret;
|
---|
| 3265 | size_t signature_len = 0;
|
---|
| 3266 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
|
---|
| 3267 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
| 3268 | ssl->transform_negotiate->ciphersuite_info;
|
---|
| 3269 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
|
---|
| 3270 |
|
---|
| 3271 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
|
---|
| 3272 |
|
---|
| 3273 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
|
---|
| 3274 | /* Extract static ECDH parameters and abort if ServerKeyExchange
|
---|
| 3275 | * is not needed. */
|
---|
| 3276 | if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
|
---|
| 3277 | {
|
---|
| 3278 | /* For suites involving ECDH, extract DH parameters
|
---|
| 3279 | * from certificate at this point. */
|
---|
| 3280 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
|
---|
| 3281 | if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
|
---|
| 3282 | {
|
---|
| 3283 | ssl_get_ecdh_params_from_cert( ssl );
|
---|
| 3284 | }
|
---|
| 3285 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
|
---|
| 3286 |
|
---|
| 3287 | /* Key exchanges not involving ephemeral keys don't use
|
---|
| 3288 | * ServerKeyExchange, so end here. */
|
---|
| 3289 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
|
---|
| 3290 | ssl->state++;
|
---|
| 3291 | return( 0 );
|
---|
| 3292 | }
|
---|
| 3293 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
|
---|
| 3294 |
|
---|
| 3295 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
|
---|
| 3296 | defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
| 3297 | /* If we have already prepared the message and there is an ongoing
|
---|
| 3298 | * signature operation, resume signing. */
|
---|
| 3299 | if( ssl->handshake->async_in_progress != 0 )
|
---|
| 3300 | {
|
---|
| 3301 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
|
---|
| 3302 | ret = ssl_resume_server_key_exchange( ssl, &signature_len );
|
---|
| 3303 | }
|
---|
| 3304 | else
|
---|
| 3305 | #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
|
---|
| 3306 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
|
---|
| 3307 | {
|
---|
| 3308 | /* ServerKeyExchange is needed. Prepare the message. */
|
---|
| 3309 | ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
|
---|
| 3310 | }
|
---|
| 3311 |
|
---|
| 3312 | if( ret != 0 )
|
---|
| 3313 | {
|
---|
| 3314 | /* If we're starting to write a new message, set ssl->out_msglen
|
---|
| 3315 | * to 0. But if we're resuming after an asynchronous message,
|
---|
| 3316 | * out_msglen is the amount of data written so far and mst be
|
---|
| 3317 | * preserved. */
|
---|
| 3318 | if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
|
---|
| 3319 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
|
---|
| 3320 | else
|
---|
| 3321 | ssl->out_msglen = 0;
|
---|
| 3322 | return( ret );
|
---|
| 3323 | }
|
---|
| 3324 |
|
---|
| 3325 | /* If there is a signature, write its length.
|
---|
| 3326 | * ssl_prepare_server_key_exchange already wrote the signature
|
---|
| 3327 | * itself at its proper place in the output buffer. */
|
---|
| 3328 | #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
---|
| 3329 | if( signature_len != 0 )
|
---|
| 3330 | {
|
---|
| 3331 | ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
|
---|
| 3332 | ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len );
|
---|
| 3333 |
|
---|
| 3334 | MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
|
---|
| 3335 | ssl->out_msg + ssl->out_msglen,
|
---|
| 3336 | signature_len );
|
---|
| 3337 |
|
---|
| 3338 | /* Skip over the already-written signature */
|
---|
| 3339 | ssl->out_msglen += signature_len;
|
---|
| 3340 | }
|
---|
| 3341 | #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
---|
| 3342 |
|
---|
| 3343 | /* Add header and send. */
|
---|
| 3344 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
| 3345 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
|
---|
| 3346 |
|
---|
| 3347 | ssl->state++;
|
---|
| 3348 |
|
---|
| 3349 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
|
---|
| 3350 | {
|
---|
| 3351 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
|
---|
| 3352 | return( ret );
|
---|
| 3353 | }
|
---|
| 3354 |
|
---|
| 3355 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
|
---|
| 3356 | return( 0 );
|
---|
| 3357 | }
|
---|
| 3358 |
|
---|
| 3359 | static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
|
---|
| 3360 | {
|
---|
| 3361 | int ret;
|
---|
| 3362 |
|
---|
| 3363 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
|
---|
| 3364 |
|
---|
| 3365 | ssl->out_msglen = 4;
|
---|
| 3366 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
| 3367 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
|
---|
| 3368 |
|
---|
| 3369 | ssl->state++;
|
---|
| 3370 |
|
---|
| 3371 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 3372 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
---|
| 3373 | mbedtls_ssl_send_flight_completed( ssl );
|
---|
| 3374 | #endif
|
---|
| 3375 |
|
---|
| 3376 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
|
---|
| 3377 | {
|
---|
| 3378 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
|
---|
| 3379 | return( ret );
|
---|
| 3380 | }
|
---|
| 3381 |
|
---|
| 3382 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 3383 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
---|
| 3384 | ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
|
---|
| 3385 | {
|
---|
| 3386 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
|
---|
| 3387 | return( ret );
|
---|
| 3388 | }
|
---|
| 3389 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
| 3390 |
|
---|
| 3391 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
|
---|
| 3392 |
|
---|
| 3393 | return( 0 );
|
---|
| 3394 | }
|
---|
| 3395 |
|
---|
| 3396 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
---|
| 3397 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
---|
| 3398 | static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
|
---|
| 3399 | const unsigned char *end )
|
---|
| 3400 | {
|
---|
| 3401 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
---|
| 3402 | size_t n;
|
---|
| 3403 |
|
---|
| 3404 | /*
|
---|
| 3405 | * Receive G^Y mod P, premaster = (G^Y)^X mod P
|
---|
| 3406 | */
|
---|
| 3407 | if( *p + 2 > end )
|
---|
| 3408 | {
|
---|
| 3409 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
| 3410 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3411 | }
|
---|
| 3412 |
|
---|
| 3413 | n = ( (*p)[0] << 8 ) | (*p)[1];
|
---|
| 3414 | *p += 2;
|
---|
| 3415 |
|
---|
| 3416 | if( *p + n > end )
|
---|
| 3417 | {
|
---|
| 3418 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
| 3419 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3420 | }
|
---|
| 3421 |
|
---|
| 3422 | if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
|
---|
| 3423 | {
|
---|
| 3424 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
|
---|
| 3425 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
|
---|
| 3426 | }
|
---|
| 3427 |
|
---|
| 3428 | *p += n;
|
---|
| 3429 |
|
---|
| 3430 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
|
---|
| 3431 |
|
---|
| 3432 | return( ret );
|
---|
| 3433 | }
|
---|
| 3434 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
|
---|
| 3435 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
---|
| 3436 |
|
---|
| 3437 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
---|
| 3438 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
---|
| 3439 |
|
---|
| 3440 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
| 3441 | static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
|
---|
| 3442 | unsigned char *peer_pms,
|
---|
| 3443 | size_t *peer_pmslen,
|
---|
| 3444 | size_t peer_pmssize )
|
---|
| 3445 | {
|
---|
| 3446 | int ret = ssl->conf->f_async_resume( ssl,
|
---|
| 3447 | peer_pms, peer_pmslen, peer_pmssize );
|
---|
| 3448 | if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
|
---|
| 3449 | {
|
---|
| 3450 | ssl->handshake->async_in_progress = 0;
|
---|
| 3451 | mbedtls_ssl_set_async_operation_data( ssl, NULL );
|
---|
| 3452 | }
|
---|
| 3453 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
|
---|
| 3454 | return( ret );
|
---|
| 3455 | }
|
---|
| 3456 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
| 3457 |
|
---|
| 3458 | static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
|
---|
| 3459 | const unsigned char *p,
|
---|
| 3460 | const unsigned char *end,
|
---|
| 3461 | unsigned char *peer_pms,
|
---|
| 3462 | size_t *peer_pmslen,
|
---|
| 3463 | size_t peer_pmssize )
|
---|
| 3464 | {
|
---|
| 3465 | int ret;
|
---|
| 3466 | mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
|
---|
| 3467 | mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
|
---|
| 3468 | size_t len = mbedtls_pk_get_len( public_key );
|
---|
| 3469 |
|
---|
| 3470 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
| 3471 | /* If we have already started decoding the message and there is an ongoing
|
---|
| 3472 | * decryption operation, resume signing. */
|
---|
| 3473 | if( ssl->handshake->async_in_progress != 0 )
|
---|
| 3474 | {
|
---|
| 3475 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
|
---|
| 3476 | return( ssl_resume_decrypt_pms( ssl,
|
---|
| 3477 | peer_pms, peer_pmslen, peer_pmssize ) );
|
---|
| 3478 | }
|
---|
| 3479 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
| 3480 |
|
---|
| 3481 | /*
|
---|
| 3482 | * Prepare to decrypt the premaster using own private RSA key
|
---|
| 3483 | */
|
---|
| 3484 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
---|
| 3485 | defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
| 3486 | if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
---|
| 3487 | {
|
---|
| 3488 | if ( p + 2 > end ) {
|
---|
| 3489 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
| 3490 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3491 | }
|
---|
| 3492 | if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
|
---|
| 3493 | *p++ != ( ( len ) & 0xFF ) )
|
---|
| 3494 | {
|
---|
| 3495 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
| 3496 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3497 | }
|
---|
| 3498 | }
|
---|
| 3499 | #endif
|
---|
| 3500 |
|
---|
| 3501 | if( p + len != end )
|
---|
| 3502 | {
|
---|
| 3503 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
| 3504 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3505 | }
|
---|
| 3506 |
|
---|
| 3507 | /*
|
---|
| 3508 | * Decrypt the premaster secret
|
---|
| 3509 | */
|
---|
| 3510 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
| 3511 | if( ssl->conf->f_async_decrypt_start != NULL )
|
---|
| 3512 | {
|
---|
| 3513 | ret = ssl->conf->f_async_decrypt_start( ssl,
|
---|
| 3514 | mbedtls_ssl_own_cert( ssl ),
|
---|
| 3515 | p, len );
|
---|
| 3516 | switch( ret )
|
---|
| 3517 | {
|
---|
| 3518 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
|
---|
| 3519 | /* act as if f_async_decrypt_start was null */
|
---|
| 3520 | break;
|
---|
| 3521 | case 0:
|
---|
| 3522 | ssl->handshake->async_in_progress = 1;
|
---|
| 3523 | return( ssl_resume_decrypt_pms( ssl,
|
---|
| 3524 | peer_pms,
|
---|
| 3525 | peer_pmslen,
|
---|
| 3526 | peer_pmssize ) );
|
---|
| 3527 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
|
---|
| 3528 | ssl->handshake->async_in_progress = 1;
|
---|
| 3529 | return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
|
---|
| 3530 | default:
|
---|
| 3531 | MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret );
|
---|
| 3532 | return( ret );
|
---|
| 3533 | }
|
---|
| 3534 | }
|
---|
| 3535 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
| 3536 |
|
---|
| 3537 | if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
|
---|
| 3538 | {
|
---|
| 3539 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
|
---|
| 3540 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
---|
| 3541 | }
|
---|
| 3542 |
|
---|
| 3543 | ret = mbedtls_pk_decrypt( private_key, p, len,
|
---|
| 3544 | peer_pms, peer_pmslen, peer_pmssize,
|
---|
| 3545 | ssl->conf->f_rng, ssl->conf->p_rng );
|
---|
| 3546 | return( ret );
|
---|
| 3547 | }
|
---|
| 3548 |
|
---|
| 3549 | static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
|
---|
| 3550 | const unsigned char *p,
|
---|
| 3551 | const unsigned char *end,
|
---|
| 3552 | size_t pms_offset )
|
---|
| 3553 | {
|
---|
| 3554 | int ret;
|
---|
| 3555 | unsigned char *pms = ssl->handshake->premaster + pms_offset;
|
---|
| 3556 | unsigned char ver[2];
|
---|
| 3557 | unsigned char fake_pms[48], peer_pms[48];
|
---|
| 3558 | unsigned char mask;
|
---|
| 3559 | size_t i, peer_pmslen;
|
---|
| 3560 | unsigned int diff;
|
---|
| 3561 |
|
---|
| 3562 | /* In case of a failure in decryption, the decryption may write less than
|
---|
| 3563 | * 2 bytes of output, but we always read the first two bytes. It doesn't
|
---|
| 3564 | * matter in the end because diff will be nonzero in that case due to
|
---|
| 3565 | * peer_pmslen being less than 48, and we only care whether diff is 0.
|
---|
| 3566 | * But do initialize peer_pms for robustness anyway. This also makes
|
---|
| 3567 | * memory analyzers happy (don't access uninitialized memory, even
|
---|
| 3568 | * if it's an unsigned char). */
|
---|
| 3569 | peer_pms[0] = peer_pms[1] = ~0;
|
---|
| 3570 |
|
---|
| 3571 | ret = ssl_decrypt_encrypted_pms( ssl, p, end,
|
---|
| 3572 | peer_pms,
|
---|
| 3573 | &peer_pmslen,
|
---|
| 3574 | sizeof( peer_pms ) );
|
---|
| 3575 |
|
---|
| 3576 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
| 3577 | if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
|
---|
| 3578 | return( ret );
|
---|
| 3579 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
| 3580 |
|
---|
| 3581 | mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
|
---|
| 3582 | ssl->handshake->max_minor_ver,
|
---|
| 3583 | ssl->conf->transport, ver );
|
---|
| 3584 |
|
---|
| 3585 | /* Avoid data-dependent branches while checking for invalid
|
---|
| 3586 | * padding, to protect against timing-based Bleichenbacher-type
|
---|
| 3587 | * attacks. */
|
---|
| 3588 | diff = (unsigned int) ret;
|
---|
| 3589 | diff |= peer_pmslen ^ 48;
|
---|
| 3590 | diff |= peer_pms[0] ^ ver[0];
|
---|
| 3591 | diff |= peer_pms[1] ^ ver[1];
|
---|
| 3592 |
|
---|
| 3593 | /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
|
---|
| 3594 | /* MSVC has a warning about unary minus on unsigned, but this is
|
---|
| 3595 | * well-defined and precisely what we want to do here */
|
---|
| 3596 | #if defined(_MSC_VER)
|
---|
| 3597 | #pragma warning( push )
|
---|
| 3598 | #pragma warning( disable : 4146 )
|
---|
| 3599 | #endif
|
---|
| 3600 | mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
|
---|
| 3601 | #if defined(_MSC_VER)
|
---|
| 3602 | #pragma warning( pop )
|
---|
| 3603 | #endif
|
---|
| 3604 |
|
---|
| 3605 | /*
|
---|
| 3606 | * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
|
---|
| 3607 | * must not cause the connection to end immediately; instead, send a
|
---|
| 3608 | * bad_record_mac later in the handshake.
|
---|
| 3609 | * To protect against timing-based variants of the attack, we must
|
---|
| 3610 | * not have any branch that depends on whether the decryption was
|
---|
| 3611 | * successful. In particular, always generate the fake premaster secret,
|
---|
| 3612 | * regardless of whether it will ultimately influence the output or not.
|
---|
| 3613 | */
|
---|
| 3614 | ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
|
---|
| 3615 | if( ret != 0 )
|
---|
| 3616 | {
|
---|
| 3617 | /* It's ok to abort on an RNG failure, since this does not reveal
|
---|
| 3618 | * anything about the RSA decryption. */
|
---|
| 3619 | return( ret );
|
---|
| 3620 | }
|
---|
| 3621 |
|
---|
| 3622 | #if defined(MBEDTLS_SSL_DEBUG_ALL)
|
---|
| 3623 | if( diff != 0 )
|
---|
| 3624 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
| 3625 | #endif
|
---|
| 3626 |
|
---|
| 3627 | if( sizeof( ssl->handshake->premaster ) < pms_offset ||
|
---|
| 3628 | sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
|
---|
| 3629 | {
|
---|
| 3630 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
| 3631 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
| 3632 | }
|
---|
| 3633 | ssl->handshake->pmslen = 48;
|
---|
| 3634 |
|
---|
| 3635 | /* Set pms to either the true or the fake PMS, without
|
---|
| 3636 | * data-dependent branches. */
|
---|
| 3637 | for( i = 0; i < ssl->handshake->pmslen; i++ )
|
---|
| 3638 | pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
|
---|
| 3639 |
|
---|
| 3640 | return( 0 );
|
---|
| 3641 | }
|
---|
| 3642 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
|
---|
| 3643 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
---|
| 3644 |
|
---|
| 3645 | #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
---|
| 3646 | static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
|
---|
| 3647 | const unsigned char *end )
|
---|
| 3648 | {
|
---|
| 3649 | int ret = 0;
|
---|
| 3650 | size_t n;
|
---|
| 3651 |
|
---|
| 3652 | if( ssl->conf->f_psk == NULL &&
|
---|
| 3653 | ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
|
---|
| 3654 | ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
|
---|
| 3655 | {
|
---|
| 3656 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
|
---|
| 3657 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
---|
| 3658 | }
|
---|
| 3659 |
|
---|
| 3660 | /*
|
---|
| 3661 | * Receive client pre-shared key identity name
|
---|
| 3662 | */
|
---|
| 3663 | if( end - *p < 2 )
|
---|
| 3664 | {
|
---|
| 3665 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
| 3666 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3667 | }
|
---|
| 3668 |
|
---|
| 3669 | n = ( (*p)[0] << 8 ) | (*p)[1];
|
---|
| 3670 | *p += 2;
|
---|
| 3671 |
|
---|
| 3672 | if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
|
---|
| 3673 | {
|
---|
| 3674 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
| 3675 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3676 | }
|
---|
| 3677 |
|
---|
| 3678 | if( ssl->conf->f_psk != NULL )
|
---|
| 3679 | {
|
---|
| 3680 | if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
|
---|
| 3681 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
|
---|
| 3682 | }
|
---|
| 3683 | else
|
---|
| 3684 | {
|
---|
| 3685 | /* Identity is not a big secret since clients send it in the clear,
|
---|
| 3686 | * but treat it carefully anyway, just in case */
|
---|
| 3687 | if( n != ssl->conf->psk_identity_len ||
|
---|
| 3688 | mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
|
---|
| 3689 | {
|
---|
| 3690 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
|
---|
| 3691 | }
|
---|
| 3692 | }
|
---|
| 3693 |
|
---|
| 3694 | if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
|
---|
| 3695 | {
|
---|
| 3696 | MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
|
---|
| 3697 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
---|
| 3698 | MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
|
---|
| 3699 | return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
|
---|
| 3700 | }
|
---|
| 3701 |
|
---|
| 3702 | *p += n;
|
---|
| 3703 |
|
---|
| 3704 | return( 0 );
|
---|
| 3705 | }
|
---|
| 3706 | #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
|
---|
| 3707 |
|
---|
| 3708 | static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
---|
| 3709 | {
|
---|
| 3710 | int ret;
|
---|
| 3711 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
---|
| 3712 | unsigned char *p, *end;
|
---|
| 3713 |
|
---|
| 3714 | ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
|
---|
| 3715 |
|
---|
| 3716 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
|
---|
| 3717 |
|
---|
| 3718 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
|
---|
| 3719 | ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
---|
| 3720 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
|
---|
| 3721 | if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
---|
| 3722 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
|
---|
| 3723 | ( ssl->handshake->async_in_progress != 0 ) )
|
---|
| 3724 | {
|
---|
| 3725 | /* We've already read a record and there is an asynchronous
|
---|
| 3726 | * operation in progress to decrypt it. So skip reading the
|
---|
| 3727 | * record. */
|
---|
| 3728 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
|
---|
| 3729 | }
|
---|
| 3730 | else
|
---|
| 3731 | #endif
|
---|
| 3732 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
|
---|
| 3733 | {
|
---|
| 3734 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
|
---|
| 3735 | return( ret );
|
---|
| 3736 | }
|
---|
| 3737 |
|
---|
| 3738 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
|
---|
| 3739 | end = ssl->in_msg + ssl->in_hslen;
|
---|
| 3740 |
|
---|
| 3741 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
|
---|
| 3742 | {
|
---|
| 3743 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
| 3744 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3745 | }
|
---|
| 3746 |
|
---|
| 3747 | if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
|
---|
| 3748 | {
|
---|
| 3749 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
|
---|
| 3750 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3751 | }
|
---|
| 3752 |
|
---|
| 3753 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
|
---|
| 3754 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
|
---|
| 3755 | {
|
---|
| 3756 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
|
---|
| 3757 | {
|
---|
| 3758 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
|
---|
| 3759 | return( ret );
|
---|
| 3760 | }
|
---|
| 3761 |
|
---|
| 3762 | if( p != end )
|
---|
| 3763 | {
|
---|
| 3764 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
|
---|
| 3765 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3766 | }
|
---|
| 3767 |
|
---|
| 3768 | if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
|
---|
| 3769 | ssl->handshake->premaster,
|
---|
| 3770 | MBEDTLS_PREMASTER_SIZE,
|
---|
| 3771 | &ssl->handshake->pmslen,
|
---|
| 3772 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
---|
| 3773 | {
|
---|
| 3774 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
|
---|
| 3775 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
|
---|
| 3776 | }
|
---|
| 3777 |
|
---|
| 3778 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
|
---|
| 3779 | }
|
---|
| 3780 | else
|
---|
| 3781 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
|
---|
| 3782 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
---|
| 3783 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
---|
| 3784 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
---|
| 3785 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
---|
| 3786 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
---|
| 3787 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
|
---|
| 3788 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
---|
| 3789 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
---|
| 3790 | {
|
---|
| 3791 | if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
|
---|
| 3792 | p, end - p) ) != 0 )
|
---|
| 3793 | {
|
---|
| 3794 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
|
---|
| 3795 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
|
---|
| 3796 | }
|
---|
| 3797 |
|
---|
| 3798 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
---|
| 3799 | MBEDTLS_DEBUG_ECDH_QP );
|
---|
| 3800 |
|
---|
| 3801 | if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
|
---|
| 3802 | &ssl->handshake->pmslen,
|
---|
| 3803 | ssl->handshake->premaster,
|
---|
| 3804 | MBEDTLS_MPI_MAX_SIZE,
|
---|
| 3805 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
---|
| 3806 | {
|
---|
| 3807 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
|
---|
| 3808 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
|
---|
| 3809 | }
|
---|
| 3810 |
|
---|
| 3811 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
---|
| 3812 | MBEDTLS_DEBUG_ECDH_Z );
|
---|
| 3813 | }
|
---|
| 3814 | else
|
---|
| 3815 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
---|
| 3816 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
|
---|
| 3817 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
|
---|
| 3818 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
|
---|
| 3819 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
---|
| 3820 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
|
---|
| 3821 | {
|
---|
| 3822 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
---|
| 3823 | {
|
---|
| 3824 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
|
---|
| 3825 | return( ret );
|
---|
| 3826 | }
|
---|
| 3827 |
|
---|
| 3828 | if( p != end )
|
---|
| 3829 | {
|
---|
| 3830 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
|
---|
| 3831 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3832 | }
|
---|
| 3833 |
|
---|
| 3834 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
---|
| 3835 | ciphersuite_info->key_exchange ) ) != 0 )
|
---|
| 3836 | {
|
---|
| 3837 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
---|
| 3838 | return( ret );
|
---|
| 3839 | }
|
---|
| 3840 | }
|
---|
| 3841 | else
|
---|
| 3842 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
|
---|
| 3843 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
---|
| 3844 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
---|
| 3845 | {
|
---|
| 3846 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
---|
| 3847 | if ( ssl->handshake->async_in_progress != 0 )
|
---|
| 3848 | {
|
---|
| 3849 | /* There is an asynchronous operation in progress to
|
---|
| 3850 | * decrypt the encrypted premaster secret, so skip
|
---|
| 3851 | * directly to resuming this operation. */
|
---|
| 3852 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
|
---|
| 3853 | /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
|
---|
| 3854 | * won't actually use it, but maintain p anyway for robustness. */
|
---|
| 3855 | p += ssl->conf->psk_identity_len + 2;
|
---|
| 3856 | }
|
---|
| 3857 | else
|
---|
| 3858 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
---|
| 3859 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
---|
| 3860 | {
|
---|
| 3861 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
|
---|
| 3862 | return( ret );
|
---|
| 3863 | }
|
---|
| 3864 |
|
---|
| 3865 | if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
|
---|
| 3866 | {
|
---|
| 3867 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
|
---|
| 3868 | return( ret );
|
---|
| 3869 | }
|
---|
| 3870 |
|
---|
| 3871 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
---|
| 3872 | ciphersuite_info->key_exchange ) ) != 0 )
|
---|
| 3873 | {
|
---|
| 3874 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
---|
| 3875 | return( ret );
|
---|
| 3876 | }
|
---|
| 3877 | }
|
---|
| 3878 | else
|
---|
| 3879 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
---|
| 3880 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
---|
| 3881 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
---|
| 3882 | {
|
---|
| 3883 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
---|
| 3884 | {
|
---|
| 3885 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
|
---|
| 3886 | return( ret );
|
---|
| 3887 | }
|
---|
| 3888 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
|
---|
| 3889 | {
|
---|
| 3890 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
|
---|
| 3891 | return( ret );
|
---|
| 3892 | }
|
---|
| 3893 |
|
---|
| 3894 | if( p != end )
|
---|
| 3895 | {
|
---|
| 3896 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
|
---|
| 3897 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
---|
| 3898 | }
|
---|
| 3899 |
|
---|
| 3900 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
---|
| 3901 | ciphersuite_info->key_exchange ) ) != 0 )
|
---|
| 3902 | {
|
---|
| 3903 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
---|
| 3904 | return( ret );
|
---|
| 3905 | }
|
---|
| 3906 | }
|
---|
| 3907 | else
|
---|
| 3908 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
---|
| 3909 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
---|
| 3910 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
---|
| 3911 | {
|
---|
| 3912 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
---|
| 3913 | {
|
---|
| 3914 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
|
---|
| 3915 | return( ret );
|
---|
| 3916 | }
|
---|
| 3917 |
|
---|
| 3918 | if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
|
---|
| 3919 | p, end - p ) ) != 0 )
|
---|
| 3920 | {
|
---|
| 3921 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
|
---|
| 3922 | return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
|
---|
| 3923 | }
|
---|
| 3924 |
|
---|
| 3925 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
---|
| 3926 | MBEDTLS_DEBUG_ECDH_QP );
|
---|
| 3927 |
|
---|
| 3928 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
---|
| 3929 | ciphersuite_info->key_exchange ) ) != 0 )
|
---|
| 3930 | {
|
---|
| 3931 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
---|
| 3932 | return( ret );
|
---|
| 3933 | }
|
---|
| 3934 | }
|
---|
| 3935 | else
|
---|
| 3936 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
---|
| 3937 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
---|
| 3938 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
|
---|
| 3939 | {
|
---|
| 3940 | if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
|
---|
| 3941 | {
|
---|
| 3942 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
|
---|
| 3943 | return( ret );
|
---|
| 3944 | }
|
---|
| 3945 | }
|
---|
| 3946 | else
|
---|
| 3947 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
---|
| 3948 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
---|
| 3949 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
---|
| 3950 | {
|
---|
| 3951 | ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
|
---|
| 3952 | p, end - p );
|
---|
| 3953 | if( ret != 0 )
|
---|
| 3954 | {
|
---|
| 3955 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
|
---|
| 3956 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
|
---|
| 3957 | }
|
---|
| 3958 |
|
---|
| 3959 | ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
|
---|
| 3960 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
|
---|
| 3961 | ssl->conf->f_rng, ssl->conf->p_rng );
|
---|
| 3962 | if( ret != 0 )
|
---|
| 3963 | {
|
---|
| 3964 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
|
---|
| 3965 | return( ret );
|
---|
| 3966 | }
|
---|
| 3967 | }
|
---|
| 3968 | else
|
---|
| 3969 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
---|
| 3970 | {
|
---|
| 3971 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
| 3972 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
| 3973 | }
|
---|
| 3974 |
|
---|
| 3975 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
|
---|
| 3976 | {
|
---|
| 3977 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
|
---|
| 3978 | return( ret );
|
---|
| 3979 | }
|
---|
| 3980 |
|
---|
| 3981 | ssl->state++;
|
---|
| 3982 |
|
---|
| 3983 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
|
---|
| 3984 |
|
---|
| 3985 | return( 0 );
|
---|
| 3986 | }
|
---|
| 3987 |
|
---|
| 3988 | #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
|
---|
| 3989 | !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
|
---|
| 3990 | !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
|
---|
| 3991 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
|
---|
| 3992 | !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
|
---|
| 3993 | !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
---|
| 3994 | static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
---|
| 3995 | {
|
---|
| 3996 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
| 3997 | ssl->transform_negotiate->ciphersuite_info;
|
---|
| 3998 |
|
---|
| 3999 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
|
---|
| 4000 |
|
---|
| 4001 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
---|
| 4002 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
---|
| 4003 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
---|
| 4004 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
---|
| 4005 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
---|
| 4006 | {
|
---|
| 4007 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
|
---|
| 4008 | ssl->state++;
|
---|
| 4009 | return( 0 );
|
---|
| 4010 | }
|
---|
| 4011 |
|
---|
| 4012 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
| 4013 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
| 4014 | }
|
---|
| 4015 | #else
|
---|
| 4016 | static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
---|
| 4017 | {
|
---|
| 4018 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
---|
| 4019 | size_t i, sig_len;
|
---|
| 4020 | unsigned char hash[48];
|
---|
| 4021 | unsigned char *hash_start = hash;
|
---|
| 4022 | size_t hashlen;
|
---|
| 4023 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
| 4024 | mbedtls_pk_type_t pk_alg;
|
---|
| 4025 | #endif
|
---|
| 4026 | mbedtls_md_type_t md_alg;
|
---|
| 4027 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
---|
| 4028 | ssl->transform_negotiate->ciphersuite_info;
|
---|
| 4029 |
|
---|
| 4030 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
|
---|
| 4031 |
|
---|
| 4032 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
---|
| 4033 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
---|
| 4034 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
---|
| 4035 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
---|
| 4036 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
|
---|
| 4037 | ssl->session_negotiate->peer_cert == NULL )
|
---|
| 4038 | {
|
---|
| 4039 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
|
---|
| 4040 | ssl->state++;
|
---|
| 4041 | return( 0 );
|
---|
| 4042 | }
|
---|
| 4043 |
|
---|
| 4044 | /* Read the message without adding it to the checksum */
|
---|
| 4045 | ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ );
|
---|
| 4046 | if( 0 != ret )
|
---|
| 4047 | {
|
---|
| 4048 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret );
|
---|
| 4049 | return( ret );
|
---|
| 4050 | }
|
---|
| 4051 |
|
---|
| 4052 | ssl->state++;
|
---|
| 4053 |
|
---|
| 4054 | /* Process the message contents */
|
---|
| 4055 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
|
---|
| 4056 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
|
---|
| 4057 | {
|
---|
| 4058 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
|
---|
| 4059 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
| 4060 | }
|
---|
| 4061 |
|
---|
| 4062 | i = mbedtls_ssl_hs_hdr_len( ssl );
|
---|
| 4063 |
|
---|
| 4064 | /*
|
---|
| 4065 | * struct {
|
---|
| 4066 | * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
|
---|
| 4067 | * opaque signature<0..2^16-1>;
|
---|
| 4068 | * } DigitallySigned;
|
---|
| 4069 | */
|
---|
| 4070 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
---|
| 4071 | defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
---|
| 4072 | if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
| 4073 | {
|
---|
| 4074 | md_alg = MBEDTLS_MD_NONE;
|
---|
| 4075 | hashlen = 36;
|
---|
| 4076 |
|
---|
| 4077 | /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
|
---|
| 4078 | if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
|
---|
| 4079 | MBEDTLS_PK_ECDSA ) )
|
---|
| 4080 | {
|
---|
| 4081 | hash_start += 16;
|
---|
| 4082 | hashlen -= 16;
|
---|
| 4083 | md_alg = MBEDTLS_MD_SHA1;
|
---|
| 4084 | }
|
---|
| 4085 | }
|
---|
| 4086 | else
|
---|
| 4087 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
|
---|
| 4088 | MBEDTLS_SSL_PROTO_TLS1_1 */
|
---|
| 4089 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
---|
| 4090 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
---|
| 4091 | {
|
---|
| 4092 | if( i + 2 > ssl->in_hslen )
|
---|
| 4093 | {
|
---|
| 4094 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
|
---|
| 4095 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
| 4096 | }
|
---|
| 4097 |
|
---|
| 4098 | /*
|
---|
| 4099 | * Hash
|
---|
| 4100 | */
|
---|
| 4101 | md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
|
---|
| 4102 |
|
---|
| 4103 | if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
|
---|
| 4104 | {
|
---|
| 4105 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
|
---|
| 4106 | " for verify message" ) );
|
---|
| 4107 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
| 4108 | }
|
---|
| 4109 |
|
---|
| 4110 | #if !defined(MBEDTLS_MD_SHA1)
|
---|
| 4111 | if( MBEDTLS_MD_SHA1 == md_alg )
|
---|
| 4112 | hash_start += 16;
|
---|
| 4113 | #endif
|
---|
| 4114 |
|
---|
| 4115 | /* Info from md_alg will be used instead */
|
---|
| 4116 | hashlen = 0;
|
---|
| 4117 |
|
---|
| 4118 | i++;
|
---|
| 4119 |
|
---|
| 4120 | /*
|
---|
| 4121 | * Signature
|
---|
| 4122 | */
|
---|
| 4123 | if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
|
---|
| 4124 | == MBEDTLS_PK_NONE )
|
---|
| 4125 | {
|
---|
| 4126 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
|
---|
| 4127 | " for verify message" ) );
|
---|
| 4128 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
| 4129 | }
|
---|
| 4130 |
|
---|
| 4131 | /*
|
---|
| 4132 | * Check the certificate's key type matches the signature alg
|
---|
| 4133 | */
|
---|
| 4134 | if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
|
---|
| 4135 | {
|
---|
| 4136 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
|
---|
| 4137 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
| 4138 | }
|
---|
| 4139 |
|
---|
| 4140 | i++;
|
---|
| 4141 | }
|
---|
| 4142 | else
|
---|
| 4143 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
---|
| 4144 | {
|
---|
| 4145 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
---|
| 4146 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
---|
| 4147 | }
|
---|
| 4148 |
|
---|
| 4149 | if( i + 2 > ssl->in_hslen )
|
---|
| 4150 | {
|
---|
| 4151 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
|
---|
| 4152 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
| 4153 | }
|
---|
| 4154 |
|
---|
| 4155 | sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
|
---|
| 4156 | i += 2;
|
---|
| 4157 |
|
---|
| 4158 | if( i + sig_len != ssl->in_hslen )
|
---|
| 4159 | {
|
---|
| 4160 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
|
---|
| 4161 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
|
---|
| 4162 | }
|
---|
| 4163 |
|
---|
| 4164 | /* Calculate hash and verify signature */
|
---|
| 4165 | ssl->handshake->calc_verify( ssl, hash );
|
---|
| 4166 |
|
---|
| 4167 | if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
|
---|
| 4168 | md_alg, hash_start, hashlen,
|
---|
| 4169 | ssl->in_msg + i, sig_len ) ) != 0 )
|
---|
| 4170 | {
|
---|
| 4171 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
|
---|
| 4172 | return( ret );
|
---|
| 4173 | }
|
---|
| 4174 |
|
---|
| 4175 | mbedtls_ssl_update_handshake_status( ssl );
|
---|
| 4176 |
|
---|
| 4177 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
|
---|
| 4178 |
|
---|
| 4179 | return( ret );
|
---|
| 4180 | }
|
---|
| 4181 | #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
|
---|
| 4182 | !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
|
---|
| 4183 | !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
|
---|
| 4184 | !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
|
---|
| 4185 | !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
|
---|
| 4186 | !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
---|
| 4187 |
|
---|
| 4188 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
| 4189 | static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
|
---|
| 4190 | {
|
---|
| 4191 | int ret;
|
---|
| 4192 | size_t tlen;
|
---|
| 4193 | uint32_t lifetime;
|
---|
| 4194 |
|
---|
| 4195 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
|
---|
| 4196 |
|
---|
| 4197 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
---|
| 4198 | ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
|
---|
| 4199 |
|
---|
| 4200 | /*
|
---|
| 4201 | * struct {
|
---|
| 4202 | * uint32 ticket_lifetime_hint;
|
---|
| 4203 | * opaque ticket<0..2^16-1>;
|
---|
| 4204 | * } NewSessionTicket;
|
---|
| 4205 | *
|
---|
| 4206 | * 4 . 7 ticket_lifetime_hint (0 = unspecified)
|
---|
| 4207 | * 8 . 9 ticket_len (n)
|
---|
| 4208 | * 10 . 9+n ticket content
|
---|
| 4209 | */
|
---|
| 4210 |
|
---|
| 4211 | if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
|
---|
| 4212 | ssl->session_negotiate,
|
---|
| 4213 | ssl->out_msg + 10,
|
---|
| 4214 | ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
|
---|
| 4215 | &tlen, &lifetime ) ) != 0 )
|
---|
| 4216 | {
|
---|
| 4217 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
|
---|
| 4218 | tlen = 0;
|
---|
| 4219 | }
|
---|
| 4220 |
|
---|
| 4221 | ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
|
---|
| 4222 | ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
|
---|
| 4223 | ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
|
---|
| 4224 | ssl->out_msg[7] = ( lifetime ) & 0xFF;
|
---|
| 4225 |
|
---|
| 4226 | ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
|
---|
| 4227 | ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
|
---|
| 4228 |
|
---|
| 4229 | ssl->out_msglen = 10 + tlen;
|
---|
| 4230 |
|
---|
| 4231 | /*
|
---|
| 4232 | * Morally equivalent to updating ssl->state, but NewSessionTicket and
|
---|
| 4233 | * ChangeCipherSpec share the same state.
|
---|
| 4234 | */
|
---|
| 4235 | ssl->handshake->new_session_ticket = 0;
|
---|
| 4236 |
|
---|
| 4237 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
|
---|
| 4238 | {
|
---|
| 4239 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
|
---|
| 4240 | return( ret );
|
---|
| 4241 | }
|
---|
| 4242 |
|
---|
| 4243 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
|
---|
| 4244 |
|
---|
| 4245 | return( 0 );
|
---|
| 4246 | }
|
---|
| 4247 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
---|
| 4248 |
|
---|
| 4249 | /*
|
---|
| 4250 | * SSL handshake -- server side -- single step
|
---|
| 4251 | */
|
---|
| 4252 | int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
|
---|
| 4253 | {
|
---|
| 4254 | int ret = 0;
|
---|
| 4255 |
|
---|
| 4256 | if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
|
---|
| 4257 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
---|
| 4258 |
|
---|
| 4259 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
|
---|
| 4260 |
|
---|
| 4261 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
|
---|
| 4262 | return( ret );
|
---|
| 4263 |
|
---|
| 4264 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 4265 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
---|
| 4266 | ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
|
---|
| 4267 | {
|
---|
| 4268 | if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
|
---|
| 4269 | return( ret );
|
---|
| 4270 | }
|
---|
| 4271 | #endif /* MBEDTLS_SSL_PROTO_DTLS */
|
---|
| 4272 |
|
---|
| 4273 | switch( ssl->state )
|
---|
| 4274 | {
|
---|
| 4275 | case MBEDTLS_SSL_HELLO_REQUEST:
|
---|
| 4276 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
|
---|
| 4277 | break;
|
---|
| 4278 |
|
---|
| 4279 | /*
|
---|
| 4280 | * <== ClientHello
|
---|
| 4281 | */
|
---|
| 4282 | case MBEDTLS_SSL_CLIENT_HELLO:
|
---|
| 4283 | ret = ssl_parse_client_hello( ssl );
|
---|
| 4284 | break;
|
---|
| 4285 |
|
---|
| 4286 | #if defined(MBEDTLS_SSL_PROTO_DTLS)
|
---|
| 4287 | case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
|
---|
| 4288 | return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
|
---|
| 4289 | #endif
|
---|
| 4290 |
|
---|
| 4291 | /*
|
---|
| 4292 | * ==> ServerHello
|
---|
| 4293 | * Certificate
|
---|
| 4294 | * ( ServerKeyExchange )
|
---|
| 4295 | * ( CertificateRequest )
|
---|
| 4296 | * ServerHelloDone
|
---|
| 4297 | */
|
---|
| 4298 | case MBEDTLS_SSL_SERVER_HELLO:
|
---|
| 4299 | ret = ssl_write_server_hello( ssl );
|
---|
| 4300 | break;
|
---|
| 4301 |
|
---|
| 4302 | case MBEDTLS_SSL_SERVER_CERTIFICATE:
|
---|
| 4303 | ret = mbedtls_ssl_write_certificate( ssl );
|
---|
| 4304 | break;
|
---|
| 4305 |
|
---|
| 4306 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
|
---|
| 4307 | ret = ssl_write_server_key_exchange( ssl );
|
---|
| 4308 | break;
|
---|
| 4309 |
|
---|
| 4310 | case MBEDTLS_SSL_CERTIFICATE_REQUEST:
|
---|
| 4311 | ret = ssl_write_certificate_request( ssl );
|
---|
| 4312 | break;
|
---|
| 4313 |
|
---|
| 4314 | case MBEDTLS_SSL_SERVER_HELLO_DONE:
|
---|
| 4315 | ret = ssl_write_server_hello_done( ssl );
|
---|
| 4316 | break;
|
---|
| 4317 |
|
---|
| 4318 | /*
|
---|
| 4319 | * <== ( Certificate/Alert )
|
---|
| 4320 | * ClientKeyExchange
|
---|
| 4321 | * ( CertificateVerify )
|
---|
| 4322 | * ChangeCipherSpec
|
---|
| 4323 | * Finished
|
---|
| 4324 | */
|
---|
| 4325 | case MBEDTLS_SSL_CLIENT_CERTIFICATE:
|
---|
| 4326 | ret = mbedtls_ssl_parse_certificate( ssl );
|
---|
| 4327 | break;
|
---|
| 4328 |
|
---|
| 4329 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
|
---|
| 4330 | ret = ssl_parse_client_key_exchange( ssl );
|
---|
| 4331 | break;
|
---|
| 4332 |
|
---|
| 4333 | case MBEDTLS_SSL_CERTIFICATE_VERIFY:
|
---|
| 4334 | ret = ssl_parse_certificate_verify( ssl );
|
---|
| 4335 | break;
|
---|
| 4336 |
|
---|
| 4337 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
|
---|
| 4338 | ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
|
---|
| 4339 | break;
|
---|
| 4340 |
|
---|
| 4341 | case MBEDTLS_SSL_CLIENT_FINISHED:
|
---|
| 4342 | ret = mbedtls_ssl_parse_finished( ssl );
|
---|
| 4343 | break;
|
---|
| 4344 |
|
---|
| 4345 | /*
|
---|
| 4346 | * ==> ( NewSessionTicket )
|
---|
| 4347 | * ChangeCipherSpec
|
---|
| 4348 | * Finished
|
---|
| 4349 | */
|
---|
| 4350 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
|
---|
| 4351 | #if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
---|
| 4352 | if( ssl->handshake->new_session_ticket != 0 )
|
---|
| 4353 | ret = ssl_write_new_session_ticket( ssl );
|
---|
| 4354 | else
|
---|
| 4355 | #endif
|
---|
| 4356 | ret = mbedtls_ssl_write_change_cipher_spec( ssl );
|
---|
| 4357 | break;
|
---|
| 4358 |
|
---|
| 4359 | case MBEDTLS_SSL_SERVER_FINISHED:
|
---|
| 4360 | ret = mbedtls_ssl_write_finished( ssl );
|
---|
| 4361 | break;
|
---|
| 4362 |
|
---|
| 4363 | case MBEDTLS_SSL_FLUSH_BUFFERS:
|
---|
| 4364 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
|
---|
| 4365 | ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
|
---|
| 4366 | break;
|
---|
| 4367 |
|
---|
| 4368 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
|
---|
| 4369 | mbedtls_ssl_handshake_wrapup( ssl );
|
---|
| 4370 | break;
|
---|
| 4371 |
|
---|
| 4372 | default:
|
---|
| 4373 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
|
---|
| 4374 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
---|
| 4375 | }
|
---|
| 4376 |
|
---|
| 4377 | return( ret );
|
---|
| 4378 | }
|
---|
| 4379 | #endif /* MBEDTLS_SSL_SRV_C */
|
---|