/src/openthread/third_party/mbedtls/repo/library/ssl_cli.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * SSLv3/TLSv1 client-side functions |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 |
6 | | * |
7 | | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
8 | | * not use this file except in compliance with the License. |
9 | | * You may obtain a copy of the License at |
10 | | * |
11 | | * http://www.apache.org/licenses/LICENSE-2.0 |
12 | | * |
13 | | * Unless required by applicable law or agreed to in writing, software |
14 | | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
15 | | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
16 | | * See the License for the specific language governing permissions and |
17 | | * limitations under the License. |
18 | | */ |
19 | | |
20 | | #include "common.h" |
21 | | |
22 | | #if defined(MBEDTLS_SSL_CLI_C) |
23 | | |
24 | | #if defined(MBEDTLS_PLATFORM_C) |
25 | | #include "mbedtls/platform.h" |
26 | | #else |
27 | | #include <stdlib.h> |
28 | | #define mbedtls_calloc calloc |
29 | | #define mbedtls_free free |
30 | | #endif |
31 | | |
32 | | #include "mbedtls/ssl.h" |
33 | | #include "mbedtls/ssl_internal.h" |
34 | | #include "mbedtls/debug.h" |
35 | | #include "mbedtls/error.h" |
36 | | #include "mbedtls/constant_time.h" |
37 | | |
38 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
39 | | #include "mbedtls/psa_util.h" |
40 | | #include "psa/crypto.h" |
41 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
42 | | |
43 | | #include <string.h> |
44 | | |
45 | | #include <stdint.h> |
46 | | |
47 | | #if defined(MBEDTLS_HAVE_TIME) |
48 | | #include "mbedtls/platform_time.h" |
49 | | #endif |
50 | | |
51 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
52 | | #include "mbedtls/platform_util.h" |
53 | | #endif |
54 | | |
55 | | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
56 | | static int ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) |
57 | 0 | { |
58 | 0 | if( conf->psk_identity == NULL || |
59 | 0 | conf->psk_identity_len == 0 ) |
60 | 0 | { |
61 | 0 | return( 0 ); |
62 | 0 | } |
63 | | |
64 | 0 | if( conf->psk != NULL && conf->psk_len != 0 ) |
65 | 0 | return( 1 ); |
66 | | |
67 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
68 | | if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) |
69 | | return( 1 ); |
70 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
71 | | |
72 | 0 | return( 0 ); |
73 | 0 | } |
74 | | |
75 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
76 | | static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf ) |
77 | | { |
78 | | if( conf->psk_identity == NULL || |
79 | | conf->psk_identity_len == 0 ) |
80 | | { |
81 | | return( 0 ); |
82 | | } |
83 | | |
84 | | if( conf->psk != NULL && conf->psk_len != 0 ) |
85 | | return( 1 ); |
86 | | |
87 | | return( 0 ); |
88 | | } |
89 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
90 | | |
91 | | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
92 | | |
93 | | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
94 | | static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl, |
95 | | unsigned char *buf, |
96 | | const unsigned char *end, |
97 | | size_t *olen ) |
98 | | { |
99 | | unsigned char *p = buf; |
100 | | size_t hostname_len; |
101 | | |
102 | | *olen = 0; |
103 | | |
104 | | if( ssl->hostname == NULL ) |
105 | | return( 0 ); |
106 | | |
107 | | MBEDTLS_SSL_DEBUG_MSG( 3, |
108 | | ( "client hello, adding server name extension: %s", |
109 | | ssl->hostname ) ); |
110 | | |
111 | | hostname_len = strlen( ssl->hostname ); |
112 | | |
113 | | MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 ); |
114 | | |
115 | | /* |
116 | | * Sect. 3, RFC 6066 (TLS Extensions Definitions) |
117 | | * |
118 | | * In order to provide any of the server names, clients MAY include an |
119 | | * extension of type "server_name" in the (extended) client hello. The |
120 | | * "extension_data" field of this extension SHALL contain |
121 | | * "ServerNameList" where: |
122 | | * |
123 | | * struct { |
124 | | * NameType name_type; |
125 | | * select (name_type) { |
126 | | * case host_name: HostName; |
127 | | * } name; |
128 | | * } ServerName; |
129 | | * |
130 | | * enum { |
131 | | * host_name(0), (255) |
132 | | * } NameType; |
133 | | * |
134 | | * opaque HostName<1..2^16-1>; |
135 | | * |
136 | | * struct { |
137 | | * ServerName server_name_list<1..2^16-1> |
138 | | * } ServerNameList; |
139 | | * |
140 | | */ |
141 | | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SERVERNAME, p, 0 ); |
142 | | p += 2; |
143 | | |
144 | | MBEDTLS_PUT_UINT16_BE( hostname_len + 5, p, 0 ); |
145 | | p += 2; |
146 | | |
147 | | MBEDTLS_PUT_UINT16_BE( hostname_len + 3, p, 0 ); |
148 | | p += 2; |
149 | | |
150 | | *p++ = MBEDTLS_BYTE_0( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ); |
151 | | |
152 | | MBEDTLS_PUT_UINT16_BE( hostname_len, p, 0 ); |
153 | | p += 2; |
154 | | |
155 | | memcpy( p, ssl->hostname, hostname_len ); |
156 | | |
157 | | *olen = hostname_len + 9; |
158 | | |
159 | | return( 0 ); |
160 | | } |
161 | | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
162 | | |
163 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
164 | | static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, |
165 | | unsigned char *buf, |
166 | | const unsigned char *end, |
167 | | size_t *olen ) |
168 | | { |
169 | | unsigned char *p = buf; |
170 | | |
171 | | *olen = 0; |
172 | | |
173 | | /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the |
174 | | * initial ClientHello, in which case also adding the renegotiation |
175 | | * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ |
176 | | if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) |
177 | | return( 0 ); |
178 | | |
179 | | MBEDTLS_SSL_DEBUG_MSG( 3, |
180 | | ( "client hello, adding renegotiation extension" ) ); |
181 | | |
182 | | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + ssl->verify_data_len ); |
183 | | |
184 | | /* |
185 | | * Secure renegotiation |
186 | | */ |
187 | | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0 ); |
188 | | p += 2; |
189 | | |
190 | | *p++ = 0x00; |
191 | | *p++ = MBEDTLS_BYTE_0( ssl->verify_data_len + 1 ); |
192 | | *p++ = MBEDTLS_BYTE_0( ssl->verify_data_len ); |
193 | | |
194 | | memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); |
195 | | |
196 | | *olen = 5 + ssl->verify_data_len; |
197 | | |
198 | | return( 0 ); |
199 | | } |
200 | | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
201 | | |
202 | | /* |
203 | | * Only if we handle at least one key exchange that needs signatures. |
204 | | */ |
205 | | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
206 | | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
207 | | static int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, |
208 | | unsigned char *buf, |
209 | | const unsigned char *end, |
210 | | size_t *olen ) |
211 | 0 | { |
212 | 0 | unsigned char *p = buf; |
213 | 0 | size_t sig_alg_len = 0; |
214 | 0 | const int *md; |
215 | |
|
216 | 0 | #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) |
217 | 0 | unsigned char *sig_alg_list = buf + 6; |
218 | 0 | #endif |
219 | |
|
220 | 0 | *olen = 0; |
221 | |
|
222 | 0 | if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) |
223 | 0 | return( 0 ); |
224 | | |
225 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
226 | 0 | ( "client hello, adding signature_algorithms extension" ) ); |
227 | |
|
228 | 0 | if( ssl->conf->sig_hashes == NULL ) |
229 | 0 | return( MBEDTLS_ERR_SSL_BAD_CONFIG ); |
230 | | |
231 | 0 | for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) |
232 | 0 | { |
233 | 0 | #if defined(MBEDTLS_ECDSA_C) |
234 | 0 | sig_alg_len += 2; |
235 | 0 | #endif |
236 | | #if defined(MBEDTLS_RSA_C) |
237 | | sig_alg_len += 2; |
238 | | #endif |
239 | 0 | if( sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN ) |
240 | 0 | { |
241 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
242 | 0 | ( "length in bytes of sig-hash-alg extension too big" ) ); |
243 | 0 | return( MBEDTLS_ERR_SSL_BAD_CONFIG ); |
244 | 0 | } |
245 | 0 | } |
246 | | |
247 | | /* Empty signature algorithms list, this is a configuration error. */ |
248 | 0 | if( sig_alg_len == 0 ) |
249 | 0 | return( MBEDTLS_ERR_SSL_BAD_CONFIG ); |
250 | | |
251 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, sig_alg_len + 6 ); |
252 | | |
253 | | /* |
254 | | * Prepare signature_algorithms extension (TLS 1.2) |
255 | | */ |
256 | 0 | sig_alg_len = 0; |
257 | |
|
258 | 0 | for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) |
259 | 0 | { |
260 | 0 | #if defined(MBEDTLS_ECDSA_C) |
261 | 0 | sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); |
262 | 0 | sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; |
263 | 0 | #endif |
264 | | #if defined(MBEDTLS_RSA_C) |
265 | | sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); |
266 | | sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; |
267 | | #endif |
268 | 0 | } |
269 | | |
270 | | /* |
271 | | * enum { |
272 | | * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), |
273 | | * sha512(6), (255) |
274 | | * } HashAlgorithm; |
275 | | * |
276 | | * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } |
277 | | * SignatureAlgorithm; |
278 | | * |
279 | | * struct { |
280 | | * HashAlgorithm hash; |
281 | | * SignatureAlgorithm signature; |
282 | | * } SignatureAndHashAlgorithm; |
283 | | * |
284 | | * SignatureAndHashAlgorithm |
285 | | * supported_signature_algorithms<2..2^16-2>; |
286 | | */ |
287 | 0 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SIG_ALG, p, 0 ); |
288 | 0 | p += 2; |
289 | |
|
290 | 0 | MBEDTLS_PUT_UINT16_BE( sig_alg_len + 2, p, 0 ); |
291 | 0 | p += 2; |
292 | |
|
293 | 0 | MBEDTLS_PUT_UINT16_BE( sig_alg_len, p, 0 ); |
294 | 0 | p += 2; |
295 | |
|
296 | 0 | *olen = 6 + sig_alg_len; |
297 | |
|
298 | 0 | return( 0 ); |
299 | 0 | } |
300 | | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && |
301 | | MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
302 | | |
303 | | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
304 | | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
305 | | static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, |
306 | | unsigned char *buf, |
307 | | const unsigned char *end, |
308 | | size_t *olen ) |
309 | 0 | { |
310 | 0 | unsigned char *p = buf; |
311 | 0 | unsigned char *elliptic_curve_list = p + 6; |
312 | 0 | size_t elliptic_curve_len = 0; |
313 | 0 | const mbedtls_ecp_curve_info *info; |
314 | 0 | const mbedtls_ecp_group_id *grp_id; |
315 | |
|
316 | 0 | *olen = 0; |
317 | |
|
318 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
319 | 0 | ( "client hello, adding supported_elliptic_curves extension" ) ); |
320 | |
|
321 | 0 | if( ssl->conf->curve_list == NULL ) |
322 | 0 | return( MBEDTLS_ERR_SSL_BAD_CONFIG ); |
323 | | |
324 | 0 | for( grp_id = ssl->conf->curve_list; |
325 | 0 | *grp_id != MBEDTLS_ECP_DP_NONE; |
326 | 0 | grp_id++ ) |
327 | 0 | { |
328 | 0 | info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); |
329 | 0 | if( info == NULL ) |
330 | 0 | { |
331 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
332 | 0 | ( "invalid curve in ssl configuration" ) ); |
333 | 0 | return( MBEDTLS_ERR_SSL_BAD_CONFIG ); |
334 | 0 | } |
335 | 0 | elliptic_curve_len += 2; |
336 | |
|
337 | 0 | if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN ) |
338 | 0 | { |
339 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
340 | 0 | ( "malformed supported_elliptic_curves extension in config" ) ); |
341 | 0 | return( MBEDTLS_ERR_SSL_BAD_CONFIG ); |
342 | 0 | } |
343 | 0 | } |
344 | | |
345 | | /* Empty elliptic curve list, this is a configuration error. */ |
346 | 0 | if( elliptic_curve_len == 0 ) |
347 | 0 | return( MBEDTLS_ERR_SSL_BAD_CONFIG ); |
348 | | |
349 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len ); |
350 | | |
351 | 0 | elliptic_curve_len = 0; |
352 | |
|
353 | 0 | for( grp_id = ssl->conf->curve_list; |
354 | 0 | *grp_id != MBEDTLS_ECP_DP_NONE; |
355 | 0 | grp_id++ ) |
356 | 0 | { |
357 | 0 | info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); |
358 | 0 | elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_1( info->tls_id ); |
359 | 0 | elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_0( info->tls_id ); |
360 | 0 | } |
361 | |
|
362 | 0 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES, p, 0 ); |
363 | 0 | p += 2; |
364 | |
|
365 | 0 | MBEDTLS_PUT_UINT16_BE( elliptic_curve_len + 2, p, 0 ); |
366 | 0 | p += 2; |
367 | |
|
368 | 0 | MBEDTLS_PUT_UINT16_BE( elliptic_curve_len, p, 0 ); |
369 | 0 | p += 2; |
370 | |
|
371 | 0 | *olen = 6 + elliptic_curve_len; |
372 | |
|
373 | 0 | return( 0 ); |
374 | 0 | } |
375 | | |
376 | | static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, |
377 | | unsigned char *buf, |
378 | | const unsigned char *end, |
379 | | size_t *olen ) |
380 | 0 | { |
381 | 0 | unsigned char *p = buf; |
382 | 0 | (void) ssl; /* ssl used for debugging only */ |
383 | |
|
384 | 0 | *olen = 0; |
385 | |
|
386 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
387 | 0 | ( "client hello, adding supported_point_formats extension" ) ); |
388 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 ); |
389 | | |
390 | 0 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0 ); |
391 | 0 | p += 2; |
392 | |
|
393 | 0 | *p++ = 0x00; |
394 | 0 | *p++ = 2; |
395 | |
|
396 | 0 | *p++ = 1; |
397 | 0 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; |
398 | |
|
399 | 0 | *olen = 6; |
400 | |
|
401 | 0 | return( 0 ); |
402 | 0 | } |
403 | | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
404 | | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
405 | | |
406 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
407 | | static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, |
408 | | unsigned char *buf, |
409 | | const unsigned char *end, |
410 | | size_t *olen ) |
411 | 0 | { |
412 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
413 | 0 | unsigned char *p = buf; |
414 | 0 | size_t kkpp_len; |
415 | |
|
416 | 0 | *olen = 0; |
417 | | |
418 | | /* Skip costly extension if we can't use EC J-PAKE anyway */ |
419 | 0 | if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) |
420 | 0 | return( 0 ); |
421 | | |
422 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
423 | 0 | ( "client hello, adding ecjpake_kkpp extension" ) ); |
424 | |
|
425 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); |
426 | | |
427 | 0 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0 ); |
428 | 0 | p += 2; |
429 | | |
430 | | /* |
431 | | * We may need to send ClientHello multiple times for Hello verification. |
432 | | * We don't want to compute fresh values every time (both for performance |
433 | | * and consistency reasons), so cache the extension content. |
434 | | */ |
435 | 0 | if( ssl->handshake->ecjpake_cache == NULL || |
436 | 0 | ssl->handshake->ecjpake_cache_len == 0 ) |
437 | 0 | { |
438 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); |
439 | |
|
440 | 0 | ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, |
441 | 0 | p + 2, end - p - 2, &kkpp_len, |
442 | 0 | ssl->conf->f_rng, ssl->conf->p_rng ); |
443 | 0 | if( ret != 0 ) |
444 | 0 | { |
445 | 0 | MBEDTLS_SSL_DEBUG_RET( 1 , |
446 | 0 | "mbedtls_ecjpake_write_round_one", ret ); |
447 | 0 | return( ret ); |
448 | 0 | } |
449 | | |
450 | 0 | ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); |
451 | 0 | if( ssl->handshake->ecjpake_cache == NULL ) |
452 | 0 | { |
453 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); |
454 | 0 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
455 | 0 | } |
456 | | |
457 | 0 | memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); |
458 | 0 | ssl->handshake->ecjpake_cache_len = kkpp_len; |
459 | 0 | } |
460 | 0 | else |
461 | 0 | { |
462 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); |
463 | |
|
464 | 0 | kkpp_len = ssl->handshake->ecjpake_cache_len; |
465 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p + 2, end, kkpp_len ); |
466 | | |
467 | 0 | memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); |
468 | 0 | } |
469 | | |
470 | 0 | MBEDTLS_PUT_UINT16_BE( kkpp_len, p, 0 ); |
471 | 0 | p += 2; |
472 | |
|
473 | 0 | *olen = kkpp_len + 4; |
474 | |
|
475 | 0 | return( 0 ); |
476 | 0 | } |
477 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
478 | | |
479 | | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
480 | | static int ssl_write_cid_ext( mbedtls_ssl_context *ssl, |
481 | | unsigned char *buf, |
482 | | const unsigned char *end, |
483 | | size_t *olen ) |
484 | | { |
485 | | unsigned char *p = buf; |
486 | | size_t ext_len; |
487 | | |
488 | | /* |
489 | | * Quoting draft-ietf-tls-dtls-connection-id-05 |
490 | | * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 |
491 | | * |
492 | | * struct { |
493 | | * opaque cid<0..2^8-1>; |
494 | | * } ConnectionId; |
495 | | */ |
496 | | |
497 | | *olen = 0; |
498 | | if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || |
499 | | ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED ) |
500 | | { |
501 | | return( 0 ); |
502 | | } |
503 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) ); |
504 | | |
505 | | /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX |
506 | | * which is at most 255, so the increment cannot overflow. */ |
507 | | MBEDTLS_SSL_CHK_BUF_PTR( p, end, (unsigned)( ssl->own_cid_len + 5 ) ); |
508 | | |
509 | | /* Add extension ID + size */ |
510 | | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_CID, p, 0 ); |
511 | | p += 2; |
512 | | ext_len = (size_t) ssl->own_cid_len + 1; |
513 | | MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 ); |
514 | | p += 2; |
515 | | |
516 | | *p++ = (uint8_t) ssl->own_cid_len; |
517 | | memcpy( p, ssl->own_cid, ssl->own_cid_len ); |
518 | | |
519 | | *olen = ssl->own_cid_len + 5; |
520 | | |
521 | | return( 0 ); |
522 | | } |
523 | | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
524 | | |
525 | | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
526 | | static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, |
527 | | unsigned char *buf, |
528 | | const unsigned char *end, |
529 | | size_t *olen ) |
530 | 0 | { |
531 | 0 | unsigned char *p = buf; |
532 | |
|
533 | 0 | *olen = 0; |
534 | |
|
535 | 0 | if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) |
536 | 0 | return( 0 ); |
537 | | |
538 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
539 | 0 | ( "client hello, adding max_fragment_length extension" ) ); |
540 | |
|
541 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 ); |
542 | | |
543 | 0 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0 ); |
544 | 0 | p += 2; |
545 | |
|
546 | 0 | *p++ = 0x00; |
547 | 0 | *p++ = 1; |
548 | |
|
549 | 0 | *p++ = ssl->conf->mfl_code; |
550 | |
|
551 | 0 | *olen = 5; |
552 | |
|
553 | 0 | return( 0 ); |
554 | 0 | } |
555 | | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
556 | | |
557 | | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
558 | | static int ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, |
559 | | unsigned char *buf, |
560 | | const unsigned char *end, |
561 | | size_t *olen ) |
562 | | { |
563 | | unsigned char *p = buf; |
564 | | |
565 | | *olen = 0; |
566 | | |
567 | | if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) |
568 | | return( 0 ); |
569 | | |
570 | | MBEDTLS_SSL_DEBUG_MSG( 3, |
571 | | ( "client hello, adding truncated_hmac extension" ) ); |
572 | | |
573 | | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); |
574 | | |
575 | | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_TRUNCATED_HMAC, p, 0 ); |
576 | | p += 2; |
577 | | |
578 | | *p++ = 0x00; |
579 | | *p++ = 0x00; |
580 | | |
581 | | *olen = 4; |
582 | | |
583 | | return( 0 ); |
584 | | } |
585 | | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
586 | | |
587 | | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
588 | | static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, |
589 | | unsigned char *buf, |
590 | | const unsigned char *end, |
591 | | size_t *olen ) |
592 | | { |
593 | | unsigned char *p = buf; |
594 | | |
595 | | *olen = 0; |
596 | | |
597 | | if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || |
598 | | ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) |
599 | | return( 0 ); |
600 | | |
601 | | MBEDTLS_SSL_DEBUG_MSG( 3, |
602 | | ( "client hello, adding encrypt_then_mac extension" ) ); |
603 | | |
604 | | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); |
605 | | |
606 | | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0 ); |
607 | | p += 2; |
608 | | |
609 | | *p++ = 0x00; |
610 | | *p++ = 0x00; |
611 | | |
612 | | *olen = 4; |
613 | | |
614 | | return( 0 ); |
615 | | } |
616 | | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
617 | | |
618 | | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
619 | | static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, |
620 | | unsigned char *buf, |
621 | | const unsigned char *end, |
622 | | size_t *olen ) |
623 | | { |
624 | | unsigned char *p = buf; |
625 | | |
626 | | *olen = 0; |
627 | | |
628 | | if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || |
629 | | ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) |
630 | | return( 0 ); |
631 | | |
632 | | MBEDTLS_SSL_DEBUG_MSG( 3, |
633 | | ( "client hello, adding extended_master_secret extension" ) ); |
634 | | |
635 | | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); |
636 | | |
637 | | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0 ); |
638 | | p += 2; |
639 | | |
640 | | *p++ = 0x00; |
641 | | *p++ = 0x00; |
642 | | |
643 | | *olen = 4; |
644 | | |
645 | | return( 0 ); |
646 | | } |
647 | | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
648 | | |
649 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
650 | | static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, |
651 | | unsigned char *buf, |
652 | | const unsigned char *end, |
653 | | size_t *olen ) |
654 | | { |
655 | | unsigned char *p = buf; |
656 | | size_t tlen = ssl->session_negotiate->ticket_len; |
657 | | |
658 | | *olen = 0; |
659 | | |
660 | | if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) |
661 | | return( 0 ); |
662 | | |
663 | | MBEDTLS_SSL_DEBUG_MSG( 3, |
664 | | ( "client hello, adding session ticket extension" ) ); |
665 | | |
666 | | /* The addition is safe here since the ticket length is 16 bit. */ |
667 | | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + tlen ); |
668 | | |
669 | | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0 ); |
670 | | p += 2; |
671 | | |
672 | | MBEDTLS_PUT_UINT16_BE( tlen, p, 0 ); |
673 | | p += 2; |
674 | | |
675 | | *olen = 4; |
676 | | |
677 | | if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) |
678 | | return( 0 ); |
679 | | |
680 | | MBEDTLS_SSL_DEBUG_MSG( 3, |
681 | | ( "sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen ) ); |
682 | | |
683 | | memcpy( p, ssl->session_negotiate->ticket, tlen ); |
684 | | |
685 | | *olen += tlen; |
686 | | |
687 | | return( 0 ); |
688 | | } |
689 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
690 | | |
691 | | #if defined(MBEDTLS_SSL_ALPN) |
692 | | static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl, |
693 | | unsigned char *buf, |
694 | | const unsigned char *end, |
695 | | size_t *olen ) |
696 | | { |
697 | | unsigned char *p = buf; |
698 | | size_t alpnlen = 0; |
699 | | const char **cur; |
700 | | |
701 | | *olen = 0; |
702 | | |
703 | | if( ssl->conf->alpn_list == NULL ) |
704 | | return( 0 ); |
705 | | |
706 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); |
707 | | |
708 | | for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) |
709 | | alpnlen += strlen( *cur ) + 1; |
710 | | |
711 | | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + alpnlen ); |
712 | | |
713 | | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ALPN, p, 0 ); |
714 | | p += 2; |
715 | | |
716 | | /* |
717 | | * opaque ProtocolName<1..2^8-1>; |
718 | | * |
719 | | * struct { |
720 | | * ProtocolName protocol_name_list<2..2^16-1> |
721 | | * } ProtocolNameList; |
722 | | */ |
723 | | |
724 | | /* Skip writing extension and list length for now */ |
725 | | p += 4; |
726 | | |
727 | | for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) |
728 | | { |
729 | | /* |
730 | | * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of |
731 | | * protocol names is less than 255. |
732 | | */ |
733 | | *p = (unsigned char)strlen( *cur ); |
734 | | memcpy( p + 1, *cur, *p ); |
735 | | p += 1 + *p; |
736 | | } |
737 | | |
738 | | *olen = p - buf; |
739 | | |
740 | | /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ |
741 | | MBEDTLS_PUT_UINT16_BE( *olen - 6, buf, 4 ); |
742 | | |
743 | | /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ |
744 | | MBEDTLS_PUT_UINT16_BE( *olen - 4, buf, 2 ); |
745 | | |
746 | | return( 0 ); |
747 | | } |
748 | | #endif /* MBEDTLS_SSL_ALPN */ |
749 | | |
750 | | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
751 | | static int ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl, |
752 | | unsigned char *buf, |
753 | | const unsigned char *end, |
754 | | size_t *olen ) |
755 | | { |
756 | | unsigned char *p = buf; |
757 | | size_t protection_profiles_index = 0, ext_len = 0; |
758 | | uint16_t mki_len = 0, profile_value = 0; |
759 | | |
760 | | *olen = 0; |
761 | | |
762 | | if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) || |
763 | | ( ssl->conf->dtls_srtp_profile_list == NULL ) || |
764 | | ( ssl->conf->dtls_srtp_profile_list_len == 0 ) ) |
765 | | { |
766 | | return( 0 ); |
767 | | } |
768 | | |
769 | | /* RFC 5764 section 4.1.1 |
770 | | * uint8 SRTPProtectionProfile[2]; |
771 | | * |
772 | | * struct { |
773 | | * SRTPProtectionProfiles SRTPProtectionProfiles; |
774 | | * opaque srtp_mki<0..255>; |
775 | | * } UseSRTPData; |
776 | | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
777 | | */ |
778 | | if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED ) |
779 | | { |
780 | | mki_len = ssl->dtls_srtp_info.mki_len; |
781 | | } |
782 | | /* Extension length = 2 bytes for profiles length, |
783 | | * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ), |
784 | | * 1 byte for srtp_mki vector length and the mki_len value |
785 | | */ |
786 | | ext_len = 2 + 2 * ( ssl->conf->dtls_srtp_profile_list_len ) + 1 + mki_len; |
787 | | |
788 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding use_srtp extension" ) ); |
789 | | |
790 | | /* Check there is room in the buffer for the extension + 4 bytes |
791 | | * - the extension tag (2 bytes) |
792 | | * - the extension length (2 bytes) |
793 | | */ |
794 | | MBEDTLS_SSL_CHK_BUF_PTR( p, end, ext_len + 4 ); |
795 | | |
796 | | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_USE_SRTP, p, 0 ); |
797 | | p += 2; |
798 | | |
799 | | MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 ); |
800 | | p += 2; |
801 | | |
802 | | /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */ |
803 | | /* micro-optimization: |
804 | | * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH |
805 | | * which is lower than 127, so the upper byte of the length is always 0 |
806 | | * For the documentation, the more generic code is left in comments |
807 | | * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len ) |
808 | | * >> 8 ) & 0xFF ); |
809 | | */ |
810 | | *p++ = 0; |
811 | | *p++ = MBEDTLS_BYTE_0( 2 * ssl->conf->dtls_srtp_profile_list_len ); |
812 | | |
813 | | for( protection_profiles_index=0; |
814 | | protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len; |
815 | | protection_profiles_index++ ) |
816 | | { |
817 | | profile_value = mbedtls_ssl_check_srtp_profile_value |
818 | | ( ssl->conf->dtls_srtp_profile_list[protection_profiles_index] ); |
819 | | if( profile_value != MBEDTLS_TLS_SRTP_UNSET ) |
820 | | { |
821 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x", |
822 | | profile_value ) ); |
823 | | MBEDTLS_PUT_UINT16_BE( profile_value, p, 0 ); |
824 | | p += 2; |
825 | | } |
826 | | else |
827 | | { |
828 | | /* |
829 | | * Note: we shall never arrive here as protection profiles |
830 | | * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function |
831 | | */ |
832 | | MBEDTLS_SSL_DEBUG_MSG( 3, |
833 | | ( "client hello, " |
834 | | "illegal DTLS-SRTP protection profile %d", |
835 | | ssl->conf->dtls_srtp_profile_list[protection_profiles_index] |
836 | | ) ); |
837 | | return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); |
838 | | } |
839 | | } |
840 | | |
841 | | *p++ = mki_len & 0xFF; |
842 | | |
843 | | if( mki_len != 0 ) |
844 | | { |
845 | | memcpy( p, ssl->dtls_srtp_info.mki_value, mki_len ); |
846 | | /* |
847 | | * Increment p to point to the current position. |
848 | | */ |
849 | | p += mki_len; |
850 | | MBEDTLS_SSL_DEBUG_BUF( 3, "sending mki", ssl->dtls_srtp_info.mki_value, |
851 | | ssl->dtls_srtp_info.mki_len ); |
852 | | } |
853 | | |
854 | | /* |
855 | | * total extension length: extension type (2 bytes) |
856 | | * + extension length (2 bytes) |
857 | | * + protection profile length (2 bytes) |
858 | | * + 2 * number of protection profiles |
859 | | * + srtp_mki vector length(1 byte) |
860 | | * + mki value |
861 | | */ |
862 | | *olen = p - buf; |
863 | | |
864 | | return( 0 ); |
865 | | } |
866 | | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
867 | | |
868 | | /* |
869 | | * Generate random bytes for ClientHello |
870 | | */ |
871 | | static int ssl_generate_random( mbedtls_ssl_context *ssl ) |
872 | 0 | { |
873 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
874 | 0 | unsigned char *p = ssl->handshake->randbytes; |
875 | | #if defined(MBEDTLS_HAVE_TIME) |
876 | | mbedtls_time_t t; |
877 | | #endif |
878 | | |
879 | | /* |
880 | | * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) |
881 | | */ |
882 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
883 | 0 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
884 | 0 | ssl->handshake->verify_cookie != NULL ) |
885 | 0 | { |
886 | 0 | return( 0 ); |
887 | 0 | } |
888 | 0 | #endif |
889 | | |
890 | | #if defined(MBEDTLS_HAVE_TIME) |
891 | | t = mbedtls_time( NULL ); |
892 | | MBEDTLS_PUT_UINT32_BE( t, p, 0 ); |
893 | | p += 4; |
894 | | |
895 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %" MBEDTLS_PRINTF_LONGLONG, |
896 | | (long long) t ) ); |
897 | | #else |
898 | 0 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) |
899 | 0 | return( ret ); |
900 | | |
901 | 0 | p += 4; |
902 | 0 | #endif /* MBEDTLS_HAVE_TIME */ |
903 | |
|
904 | 0 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) |
905 | 0 | return( ret ); |
906 | | |
907 | 0 | return( 0 ); |
908 | 0 | } |
909 | | |
910 | | /** |
911 | | * \brief Validate cipher suite against config in SSL context. |
912 | | * |
913 | | * \param suite_info cipher suite to validate |
914 | | * \param ssl SSL context |
915 | | * \param min_minor_ver Minimal minor version to accept a cipher suite |
916 | | * \param max_minor_ver Maximal minor version to accept a cipher suite |
917 | | * |
918 | | * \return 0 if valid, else 1 |
919 | | */ |
920 | | static int ssl_validate_ciphersuite( |
921 | | const mbedtls_ssl_ciphersuite_t * suite_info, |
922 | | const mbedtls_ssl_context * ssl, |
923 | | int min_minor_ver, int max_minor_ver ) |
924 | 0 | { |
925 | 0 | (void) ssl; |
926 | 0 | if( suite_info == NULL ) |
927 | 0 | return( 1 ); |
928 | | |
929 | 0 | if( suite_info->min_minor_ver > max_minor_ver || |
930 | 0 | suite_info->max_minor_ver < min_minor_ver ) |
931 | 0 | return( 1 ); |
932 | | |
933 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
934 | 0 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
935 | 0 | ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) |
936 | 0 | return( 1 ); |
937 | 0 | #endif |
938 | | |
939 | | #if defined(MBEDTLS_ARC4_C) |
940 | | if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && |
941 | | suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) |
942 | | return( 1 ); |
943 | | #endif |
944 | | |
945 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
946 | 0 | if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && |
947 | 0 | mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) |
948 | 0 | return( 1 ); |
949 | 0 | #endif |
950 | | |
951 | | /* Don't suggest PSK-based ciphersuite if no PSK is available. */ |
952 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
953 | 0 | if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && |
954 | 0 | ssl_conf_has_static_psk( ssl->conf ) == 0 ) |
955 | 0 | { |
956 | 0 | return( 1 ); |
957 | 0 | } |
958 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
959 | | |
960 | 0 | return( 0 ); |
961 | 0 | } |
962 | | |
963 | | static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) |
964 | 0 | { |
965 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
966 | 0 | size_t i, n, olen, ext_len = 0; |
967 | |
|
968 | 0 | unsigned char *buf; |
969 | 0 | unsigned char *p, *q; |
970 | 0 | const unsigned char *end; |
971 | |
|
972 | 0 | unsigned char offer_compress; |
973 | 0 | const int *ciphersuites; |
974 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
975 | 0 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
976 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
977 | 0 | int uses_ec = 0; |
978 | 0 | #endif |
979 | |
|
980 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); |
981 | |
|
982 | 0 | if( ssl->conf->f_rng == NULL ) |
983 | 0 | { |
984 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); |
985 | 0 | return( MBEDTLS_ERR_SSL_NO_RNG ); |
986 | 0 | } |
987 | | |
988 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
989 | | if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
990 | | #endif |
991 | 0 | { |
992 | 0 | ssl->major_ver = ssl->conf->min_major_ver; |
993 | 0 | ssl->minor_ver = ssl->conf->min_minor_ver; |
994 | 0 | } |
995 | |
|
996 | 0 | if( ssl->conf->max_major_ver == 0 ) |
997 | 0 | { |
998 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
999 | 0 | ( "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()" ) ); |
1000 | 0 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
1001 | 0 | } |
1002 | | |
1003 | 0 | buf = ssl->out_msg; |
1004 | 0 | end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN; |
1005 | | |
1006 | | /* |
1007 | | * Check if there's enough space for the first part of the ClientHello |
1008 | | * consisting of the 38 bytes described below, the session identifier (at |
1009 | | * most 32 bytes) and its length (1 byte). |
1010 | | * |
1011 | | * Use static upper bounds instead of the actual values |
1012 | | * to allow the compiler to optimize this away. |
1013 | | */ |
1014 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 ); |
1015 | | |
1016 | | /* |
1017 | | * The 38 first bytes of the ClientHello: |
1018 | | * 0 . 0 handshake type (written later) |
1019 | | * 1 . 3 handshake length (written later) |
1020 | | * 4 . 5 highest version supported |
1021 | | * 6 . 9 current UNIX time |
1022 | | * 10 . 37 random bytes |
1023 | | * |
1024 | | * The current UNIX time (4 bytes) and following 28 random bytes are written |
1025 | | * by ssl_generate_random() into ssl->handshake->randbytes buffer and then |
1026 | | * copied from there into the output buffer. |
1027 | | */ |
1028 | | |
1029 | 0 | p = buf + 4; |
1030 | 0 | mbedtls_ssl_write_version( ssl->conf->max_major_ver, |
1031 | 0 | ssl->conf->max_minor_ver, |
1032 | 0 | ssl->conf->transport, p ); |
1033 | 0 | p += 2; |
1034 | |
|
1035 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", |
1036 | 0 | buf[4], buf[5] ) ); |
1037 | |
|
1038 | 0 | if( ( ret = ssl_generate_random( ssl ) ) != 0 ) |
1039 | 0 | { |
1040 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); |
1041 | 0 | return( ret ); |
1042 | 0 | } |
1043 | | |
1044 | 0 | memcpy( p, ssl->handshake->randbytes, 32 ); |
1045 | 0 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); |
1046 | 0 | p += 32; |
1047 | | |
1048 | | /* |
1049 | | * 38 . 38 session id length |
1050 | | * 39 . 39+n session id |
1051 | | * 39+n . 39+n DTLS only: cookie length (1 byte) |
1052 | | * 40+n . .. DTLS only: cookie |
1053 | | * .. . .. ciphersuitelist length (2 bytes) |
1054 | | * .. . .. ciphersuitelist |
1055 | | * .. . .. compression methods length (1 byte) |
1056 | | * .. . .. compression methods |
1057 | | * .. . .. extensions length (2 bytes) |
1058 | | * .. . .. extensions |
1059 | | */ |
1060 | 0 | n = ssl->session_negotiate->id_len; |
1061 | |
|
1062 | 0 | if( n < 16 || n > 32 || |
1063 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
1064 | | ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || |
1065 | | #endif |
1066 | 0 | ssl->handshake->resume == 0 ) |
1067 | 0 | { |
1068 | 0 | n = 0; |
1069 | 0 | } |
1070 | |
|
1071 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
1072 | | /* |
1073 | | * RFC 5077 section 3.4: "When presenting a ticket, the client MAY |
1074 | | * generate and include a Session ID in the TLS ClientHello." |
1075 | | */ |
1076 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
1077 | | if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
1078 | | #endif |
1079 | | { |
1080 | | if( ssl->session_negotiate->ticket != NULL && |
1081 | | ssl->session_negotiate->ticket_len != 0 ) |
1082 | | { |
1083 | | ret = ssl->conf->f_rng( ssl->conf->p_rng, |
1084 | | ssl->session_negotiate->id, 32 ); |
1085 | | |
1086 | | if( ret != 0 ) |
1087 | | return( ret ); |
1088 | | |
1089 | | ssl->session_negotiate->id_len = n = 32; |
1090 | | } |
1091 | | } |
1092 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
1093 | | |
1094 | | /* |
1095 | | * The first check of the output buffer size above ( |
1096 | | * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );) |
1097 | | * has checked that there is enough space in the output buffer for the |
1098 | | * session identifier length byte and the session identifier (n <= 32). |
1099 | | */ |
1100 | 0 | *p++ = (unsigned char) n; |
1101 | |
|
1102 | 0 | for( i = 0; i < n; i++ ) |
1103 | 0 | *p++ = ssl->session_negotiate->id[i]; |
1104 | |
|
1105 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n ) ); |
1106 | 0 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); |
1107 | | |
1108 | | /* |
1109 | | * With 'n' being the length of the session identifier |
1110 | | * |
1111 | | * 39+n . 39+n DTLS only: cookie length (1 byte) |
1112 | | * 40+n . .. DTLS only: cookie |
1113 | | * .. . .. ciphersuitelist length (2 bytes) |
1114 | | * .. . .. ciphersuitelist |
1115 | | * .. . .. compression methods length (1 byte) |
1116 | | * .. . .. compression methods |
1117 | | * .. . .. extensions length (2 bytes) |
1118 | | * .. . .. extensions |
1119 | | */ |
1120 | | |
1121 | | /* |
1122 | | * DTLS cookie |
1123 | | */ |
1124 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1125 | 0 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
1126 | 0 | { |
1127 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 ); |
1128 | | |
1129 | 0 | if( ssl->handshake->verify_cookie == NULL ) |
1130 | 0 | { |
1131 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); |
1132 | 0 | *p++ = 0; |
1133 | 0 | } |
1134 | 0 | else |
1135 | 0 | { |
1136 | 0 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", |
1137 | 0 | ssl->handshake->verify_cookie, |
1138 | 0 | ssl->handshake->verify_cookie_len ); |
1139 | |
|
1140 | 0 | *p++ = ssl->handshake->verify_cookie_len; |
1141 | |
|
1142 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, |
1143 | 0 | ssl->handshake->verify_cookie_len ); |
1144 | 0 | memcpy( p, ssl->handshake->verify_cookie, |
1145 | 0 | ssl->handshake->verify_cookie_len ); |
1146 | 0 | p += ssl->handshake->verify_cookie_len; |
1147 | 0 | } |
1148 | 0 | } |
1149 | 0 | #endif |
1150 | | |
1151 | | /* |
1152 | | * Ciphersuite list |
1153 | | */ |
1154 | 0 | ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; |
1155 | | |
1156 | | /* Skip writing ciphersuite length for now */ |
1157 | 0 | n = 0; |
1158 | 0 | q = p; |
1159 | |
|
1160 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); |
1161 | 0 | p += 2; |
1162 | |
|
1163 | 0 | for( i = 0; ciphersuites[i] != 0; i++ ) |
1164 | 0 | { |
1165 | 0 | ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); |
1166 | |
|
1167 | 0 | if( ssl_validate_ciphersuite( ciphersuite_info, ssl, |
1168 | 0 | ssl->conf->min_minor_ver, |
1169 | 0 | ssl->conf->max_minor_ver ) != 0 ) |
1170 | 0 | continue; |
1171 | | |
1172 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %#04x (%s)", |
1173 | 0 | (unsigned int)ciphersuites[i], ciphersuite_info->name ) ); |
1174 | |
|
1175 | 0 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
1176 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1177 | 0 | uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info ); |
1178 | 0 | #endif |
1179 | |
|
1180 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); |
1181 | | |
1182 | 0 | n++; |
1183 | 0 | MBEDTLS_PUT_UINT16_BE( ciphersuites[i], p, 0 ); |
1184 | 0 | p += 2; |
1185 | 0 | } |
1186 | | |
1187 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
1188 | 0 | ( "client hello, got %" MBEDTLS_PRINTF_SIZET " ciphersuites (excluding SCSVs)", n ) ); |
1189 | | |
1190 | | /* |
1191 | | * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
1192 | | */ |
1193 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
1194 | | if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
1195 | | #endif |
1196 | 0 | { |
1197 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) ); |
1198 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); |
1199 | 0 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0 ); |
1200 | 0 | p += 2; |
1201 | 0 | n++; |
1202 | 0 | } |
1203 | | |
1204 | | /* Some versions of OpenSSL don't handle it correctly if not at end */ |
1205 | | #if defined(MBEDTLS_SSL_FALLBACK_SCSV) |
1206 | | if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) |
1207 | | { |
1208 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); |
1209 | | |
1210 | | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); |
1211 | | MBEDTLS_PUT_UINT16_BE( MBEDTLS_SSL_FALLBACK_SCSV_VALUE, p, 0 ); |
1212 | | p += 2; |
1213 | | n++; |
1214 | | } |
1215 | | #endif |
1216 | | |
1217 | 0 | *q++ = (unsigned char)( n >> 7 ); |
1218 | 0 | *q++ = (unsigned char)( n << 1 ); |
1219 | |
|
1220 | | #if defined(MBEDTLS_ZLIB_SUPPORT) |
1221 | | offer_compress = 1; |
1222 | | #else |
1223 | 0 | offer_compress = 0; |
1224 | 0 | #endif |
1225 | | |
1226 | | /* |
1227 | | * We don't support compression with DTLS right now: if many records come |
1228 | | * in the same datagram, uncompressing one could overwrite the next one. |
1229 | | * We don't want to add complexity for handling that case unless there is |
1230 | | * an actual need for it. |
1231 | | */ |
1232 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1233 | 0 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
1234 | 0 | offer_compress = 0; |
1235 | 0 | #endif |
1236 | |
|
1237 | 0 | if( offer_compress ) |
1238 | 0 | { |
1239 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); |
1240 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", |
1241 | 0 | MBEDTLS_SSL_COMPRESS_DEFLATE, |
1242 | 0 | MBEDTLS_SSL_COMPRESS_NULL ) ); |
1243 | |
|
1244 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 ); |
1245 | 0 | *p++ = 2; |
1246 | 0 | *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; |
1247 | 0 | *p++ = MBEDTLS_SSL_COMPRESS_NULL; |
1248 | 0 | } |
1249 | 0 | else |
1250 | 0 | { |
1251 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); |
1252 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", |
1253 | 0 | MBEDTLS_SSL_COMPRESS_NULL ) ); |
1254 | |
|
1255 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); |
1256 | 0 | *p++ = 1; |
1257 | 0 | *p++ = MBEDTLS_SSL_COMPRESS_NULL; |
1258 | 0 | } |
1259 | | |
1260 | | /* First write extensions, then the total length */ |
1261 | | |
1262 | 0 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); |
1263 | | |
1264 | | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
1265 | | if( ( ret = ssl_write_hostname_ext( ssl, p + 2 + ext_len, |
1266 | | end, &olen ) ) != 0 ) |
1267 | | { |
1268 | | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hostname_ext", ret ); |
1269 | | return( ret ); |
1270 | | } |
1271 | | ext_len += olen; |
1272 | | #endif |
1273 | | |
1274 | | /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added |
1275 | | * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ |
1276 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
1277 | | if( ( ret = ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, |
1278 | | end, &olen ) ) != 0 ) |
1279 | | { |
1280 | | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_renegotiation_ext", ret ); |
1281 | | return( ret ); |
1282 | | } |
1283 | | ext_len += olen; |
1284 | | #endif |
1285 | | |
1286 | 0 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
1287 | 0 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
1288 | 0 | if( ( ret = ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, |
1289 | 0 | end, &olen ) ) != 0 ) |
1290 | 0 | { |
1291 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_signature_algorithms_ext", ret ); |
1292 | 0 | return( ret ); |
1293 | 0 | } |
1294 | 0 | ext_len += olen; |
1295 | 0 | #endif |
1296 | |
|
1297 | 0 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
1298 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1299 | 0 | if( uses_ec ) |
1300 | 0 | { |
1301 | 0 | if( ( ret = ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, |
1302 | 0 | end, &olen ) ) != 0 ) |
1303 | 0 | { |
1304 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_elliptic_curves_ext", ret ); |
1305 | 0 | return( ret ); |
1306 | 0 | } |
1307 | 0 | ext_len += olen; |
1308 | |
|
1309 | 0 | if( ( ret = ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, |
1310 | 0 | end, &olen ) ) != 0 ) |
1311 | 0 | { |
1312 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_point_formats_ext", ret ); |
1313 | 0 | return( ret ); |
1314 | 0 | } |
1315 | 0 | ext_len += olen; |
1316 | 0 | } |
1317 | 0 | #endif |
1318 | | |
1319 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1320 | 0 | if( ( ret = ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, |
1321 | 0 | end, &olen ) ) != 0 ) |
1322 | 0 | { |
1323 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_ecjpake_kkpp_ext", ret ); |
1324 | 0 | return( ret ); |
1325 | 0 | } |
1326 | 0 | ext_len += olen; |
1327 | 0 | #endif |
1328 | |
|
1329 | | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
1330 | | if( ( ret = ssl_write_cid_ext( ssl, p + 2 + ext_len, end, &olen ) ) != 0 ) |
1331 | | { |
1332 | | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_cid_ext", ret ); |
1333 | | return( ret ); |
1334 | | } |
1335 | | ext_len += olen; |
1336 | | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
1337 | |
|
1338 | 0 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
1339 | 0 | if( ( ret = ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, |
1340 | 0 | end, &olen ) ) != 0 ) |
1341 | 0 | { |
1342 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_max_fragment_length_ext", ret ); |
1343 | 0 | return( ret ); |
1344 | 0 | } |
1345 | 0 | ext_len += olen; |
1346 | 0 | #endif |
1347 | |
|
1348 | | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
1349 | | if( ( ret = ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, |
1350 | | end, &olen ) ) != 0 ) |
1351 | | { |
1352 | | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_truncated_hmac_ext", ret ); |
1353 | | return( ret ); |
1354 | | } |
1355 | | ext_len += olen; |
1356 | | #endif |
1357 | |
|
1358 | | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
1359 | | if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, |
1360 | | end, &olen ) ) != 0 ) |
1361 | | { |
1362 | | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_encrypt_then_mac_ext", ret ); |
1363 | | return( ret ); |
1364 | | } |
1365 | | ext_len += olen; |
1366 | | #endif |
1367 | |
|
1368 | | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
1369 | | if( ( ret = ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, |
1370 | | end, &olen ) ) != 0 ) |
1371 | | { |
1372 | | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_extended_ms_ext", ret ); |
1373 | | return( ret ); |
1374 | | } |
1375 | | ext_len += olen; |
1376 | | #endif |
1377 | |
|
1378 | | #if defined(MBEDTLS_SSL_ALPN) |
1379 | | if( ( ret = ssl_write_alpn_ext( ssl, p + 2 + ext_len, |
1380 | | end, &olen ) ) != 0 ) |
1381 | | { |
1382 | | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_alpn_ext", ret ); |
1383 | | return( ret ); |
1384 | | } |
1385 | | ext_len += olen; |
1386 | | #endif |
1387 | |
|
1388 | | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
1389 | | if( ( ret = ssl_write_use_srtp_ext( ssl, p + 2 + ext_len, |
1390 | | end, &olen ) ) != 0 ) |
1391 | | { |
1392 | | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_use_srtp_ext", ret ); |
1393 | | return( ret ); |
1394 | | } |
1395 | | ext_len += olen; |
1396 | | #endif |
1397 | |
|
1398 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
1399 | | if( ( ret = ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, |
1400 | | end, &olen ) ) != 0 ) |
1401 | | { |
1402 | | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_session_ticket_ext", ret ); |
1403 | | return( ret ); |
1404 | | } |
1405 | | ext_len += olen; |
1406 | | #endif |
1407 | | |
1408 | | /* olen unused if all extensions are disabled */ |
1409 | 0 | ((void) olen); |
1410 | |
|
1411 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %" MBEDTLS_PRINTF_SIZET, |
1412 | 0 | ext_len ) ); |
1413 | |
|
1414 | 0 | if( ext_len > 0 ) |
1415 | 0 | { |
1416 | | /* No need to check for space here, because the extension |
1417 | | * writing functions already took care of that. */ |
1418 | 0 | MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 ); |
1419 | 0 | p += 2 + ext_len; |
1420 | 0 | } |
1421 | |
|
1422 | 0 | ssl->out_msglen = p - buf; |
1423 | 0 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
1424 | 0 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; |
1425 | |
|
1426 | 0 | ssl->state++; |
1427 | |
|
1428 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1429 | 0 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
1430 | 0 | mbedtls_ssl_send_flight_completed( ssl ); |
1431 | 0 | #endif |
1432 | |
|
1433 | 0 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
1434 | 0 | { |
1435 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
1436 | 0 | return( ret ); |
1437 | 0 | } |
1438 | | |
1439 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1440 | 0 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
1441 | 0 | ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) |
1442 | 0 | { |
1443 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); |
1444 | 0 | return( ret ); |
1445 | 0 | } |
1446 | 0 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
1447 | | |
1448 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); |
1449 | |
|
1450 | 0 | return( 0 ); |
1451 | 0 | } |
1452 | | |
1453 | | static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, |
1454 | | const unsigned char *buf, |
1455 | | size_t len ) |
1456 | 0 | { |
1457 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
1458 | | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
1459 | | { |
1460 | | /* Check verify-data in constant-time. The length OTOH is no secret */ |
1461 | | if( len != 1 + ssl->verify_data_len * 2 || |
1462 | | buf[0] != ssl->verify_data_len * 2 || |
1463 | | mbedtls_ct_memcmp( buf + 1, |
1464 | | ssl->own_verify_data, ssl->verify_data_len ) != 0 || |
1465 | | mbedtls_ct_memcmp( buf + 1 + ssl->verify_data_len, |
1466 | | ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) |
1467 | | { |
1468 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); |
1469 | | mbedtls_ssl_send_alert_message( |
1470 | | ssl, |
1471 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1472 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
1473 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1474 | | } |
1475 | | } |
1476 | | else |
1477 | | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
1478 | 0 | { |
1479 | 0 | if( len != 1 || buf[0] != 0x00 ) |
1480 | 0 | { |
1481 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
1482 | 0 | ( "non-zero length renegotiation info" ) ); |
1483 | 0 | mbedtls_ssl_send_alert_message( |
1484 | 0 | ssl, |
1485 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1486 | 0 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
1487 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1488 | 0 | } |
1489 | | |
1490 | 0 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
1491 | 0 | } |
1492 | | |
1493 | 0 | return( 0 ); |
1494 | 0 | } |
1495 | | |
1496 | | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
1497 | | static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, |
1498 | | const unsigned char *buf, |
1499 | | size_t len ) |
1500 | 0 | { |
1501 | | /* |
1502 | | * server should use the extension only if we did, |
1503 | | * and if so the server's value should match ours (and len is always 1) |
1504 | | */ |
1505 | 0 | if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || |
1506 | 0 | len != 1 || |
1507 | 0 | buf[0] != ssl->conf->mfl_code ) |
1508 | 0 | { |
1509 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
1510 | 0 | ( "non-matching max fragment length extension" ) ); |
1511 | 0 | mbedtls_ssl_send_alert_message( |
1512 | 0 | ssl, |
1513 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1514 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
1515 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1516 | 0 | } |
1517 | | |
1518 | 0 | return( 0 ); |
1519 | 0 | } |
1520 | | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
1521 | | |
1522 | | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
1523 | | static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, |
1524 | | const unsigned char *buf, |
1525 | | size_t len ) |
1526 | | { |
1527 | | if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || |
1528 | | len != 0 ) |
1529 | | { |
1530 | | MBEDTLS_SSL_DEBUG_MSG( 1, |
1531 | | ( "non-matching truncated HMAC extension" ) ); |
1532 | | mbedtls_ssl_send_alert_message( |
1533 | | ssl, |
1534 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1535 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
1536 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1537 | | } |
1538 | | |
1539 | | ((void) buf); |
1540 | | |
1541 | | ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; |
1542 | | |
1543 | | return( 0 ); |
1544 | | } |
1545 | | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
1546 | | |
1547 | | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
1548 | | static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl, |
1549 | | const unsigned char *buf, |
1550 | | size_t len ) |
1551 | | { |
1552 | | size_t peer_cid_len; |
1553 | | |
1554 | | if( /* CID extension only makes sense in DTLS */ |
1555 | | ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || |
1556 | | /* The server must only send the CID extension if we have offered it. */ |
1557 | | ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED ) |
1558 | | { |
1559 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) ); |
1560 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1561 | | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ); |
1562 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1563 | | } |
1564 | | |
1565 | | if( len == 0 ) |
1566 | | { |
1567 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) ); |
1568 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1569 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
1570 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1571 | | } |
1572 | | |
1573 | | peer_cid_len = *buf++; |
1574 | | len--; |
1575 | | |
1576 | | if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX ) |
1577 | | { |
1578 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) ); |
1579 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1580 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
1581 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1582 | | } |
1583 | | |
1584 | | if( len != peer_cid_len ) |
1585 | | { |
1586 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) ); |
1587 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1588 | | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
1589 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1590 | | } |
1591 | | |
1592 | | ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; |
1593 | | ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; |
1594 | | memcpy( ssl->handshake->peer_cid, buf, peer_cid_len ); |
1595 | | |
1596 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) ); |
1597 | | MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len ); |
1598 | | |
1599 | | return( 0 ); |
1600 | | } |
1601 | | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
1602 | | |
1603 | | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
1604 | | static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, |
1605 | | const unsigned char *buf, |
1606 | | size_t len ) |
1607 | | { |
1608 | | if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || |
1609 | | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || |
1610 | | len != 0 ) |
1611 | | { |
1612 | | MBEDTLS_SSL_DEBUG_MSG( 1, |
1613 | | ( "non-matching encrypt-then-MAC extension" ) ); |
1614 | | mbedtls_ssl_send_alert_message( |
1615 | | ssl, |
1616 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1617 | | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ); |
1618 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1619 | | } |
1620 | | |
1621 | | ((void) buf); |
1622 | | |
1623 | | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; |
1624 | | |
1625 | | return( 0 ); |
1626 | | } |
1627 | | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
1628 | | |
1629 | | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
1630 | | static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, |
1631 | | const unsigned char *buf, |
1632 | | size_t len ) |
1633 | | { |
1634 | | if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || |
1635 | | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || |
1636 | | len != 0 ) |
1637 | | { |
1638 | | MBEDTLS_SSL_DEBUG_MSG( 1, |
1639 | | ( "non-matching extended master secret extension" ) ); |
1640 | | mbedtls_ssl_send_alert_message( |
1641 | | ssl, |
1642 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1643 | | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ); |
1644 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1645 | | } |
1646 | | |
1647 | | ((void) buf); |
1648 | | |
1649 | | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; |
1650 | | |
1651 | | return( 0 ); |
1652 | | } |
1653 | | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
1654 | | |
1655 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
1656 | | static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, |
1657 | | const unsigned char *buf, |
1658 | | size_t len ) |
1659 | | { |
1660 | | if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || |
1661 | | len != 0 ) |
1662 | | { |
1663 | | MBEDTLS_SSL_DEBUG_MSG( 1, |
1664 | | ( "non-matching session ticket extension" ) ); |
1665 | | mbedtls_ssl_send_alert_message( |
1666 | | ssl, |
1667 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1668 | | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ); |
1669 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1670 | | } |
1671 | | |
1672 | | ((void) buf); |
1673 | | |
1674 | | ssl->handshake->new_session_ticket = 1; |
1675 | | |
1676 | | return( 0 ); |
1677 | | } |
1678 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
1679 | | |
1680 | | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
1681 | | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1682 | | static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, |
1683 | | const unsigned char *buf, |
1684 | | size_t len ) |
1685 | 0 | { |
1686 | 0 | size_t list_size; |
1687 | 0 | const unsigned char *p; |
1688 | |
|
1689 | 0 | if( len == 0 || (size_t)( buf[0] + 1 ) != len ) |
1690 | 0 | { |
1691 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); |
1692 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1693 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
1694 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1695 | 0 | } |
1696 | 0 | list_size = buf[0]; |
1697 | |
|
1698 | 0 | p = buf + 1; |
1699 | 0 | while( list_size > 0 ) |
1700 | 0 | { |
1701 | 0 | if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || |
1702 | 0 | p[0] == MBEDTLS_ECP_PF_COMPRESSED ) |
1703 | 0 | { |
1704 | 0 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) |
1705 | 0 | ssl->handshake->ecdh_ctx.point_format = p[0]; |
1706 | 0 | #endif |
1707 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1708 | 0 | ssl->handshake->ecjpake_ctx.point_format = p[0]; |
1709 | 0 | #endif |
1710 | 0 | MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); |
1711 | 0 | return( 0 ); |
1712 | 0 | } |
1713 | | |
1714 | 0 | list_size--; |
1715 | 0 | p++; |
1716 | 0 | } |
1717 | | |
1718 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); |
1719 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1720 | 0 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
1721 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1722 | 0 | } |
1723 | | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
1724 | | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
1725 | | |
1726 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1727 | | static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, |
1728 | | const unsigned char *buf, |
1729 | | size_t len ) |
1730 | 0 | { |
1731 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1732 | |
|
1733 | 0 | if( ssl->handshake->ciphersuite_info->key_exchange != |
1734 | 0 | MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
1735 | 0 | { |
1736 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); |
1737 | 0 | return( 0 ); |
1738 | 0 | } |
1739 | | |
1740 | | /* If we got here, we no longer need our cached extension */ |
1741 | 0 | mbedtls_free( ssl->handshake->ecjpake_cache ); |
1742 | 0 | ssl->handshake->ecjpake_cache = NULL; |
1743 | 0 | ssl->handshake->ecjpake_cache_len = 0; |
1744 | |
|
1745 | 0 | if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, |
1746 | 0 | buf, len ) ) != 0 ) |
1747 | 0 | { |
1748 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); |
1749 | 0 | mbedtls_ssl_send_alert_message( |
1750 | 0 | ssl, |
1751 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1752 | 0 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
1753 | 0 | return( ret ); |
1754 | 0 | } |
1755 | | |
1756 | 0 | return( 0 ); |
1757 | 0 | } |
1758 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
1759 | | |
1760 | | #if defined(MBEDTLS_SSL_ALPN) |
1761 | | static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, |
1762 | | const unsigned char *buf, size_t len ) |
1763 | | { |
1764 | | size_t list_len, name_len; |
1765 | | const char **p; |
1766 | | |
1767 | | /* If we didn't send it, the server shouldn't send it */ |
1768 | | if( ssl->conf->alpn_list == NULL ) |
1769 | | { |
1770 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) ); |
1771 | | mbedtls_ssl_send_alert_message( |
1772 | | ssl, |
1773 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1774 | | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ); |
1775 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1776 | | } |
1777 | | |
1778 | | /* |
1779 | | * opaque ProtocolName<1..2^8-1>; |
1780 | | * |
1781 | | * struct { |
1782 | | * ProtocolName protocol_name_list<2..2^16-1> |
1783 | | * } ProtocolNameList; |
1784 | | * |
1785 | | * the "ProtocolNameList" MUST contain exactly one "ProtocolName" |
1786 | | */ |
1787 | | |
1788 | | /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ |
1789 | | if( len < 4 ) |
1790 | | { |
1791 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1792 | | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
1793 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1794 | | } |
1795 | | |
1796 | | list_len = ( buf[0] << 8 ) | buf[1]; |
1797 | | if( list_len != len - 2 ) |
1798 | | { |
1799 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1800 | | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
1801 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1802 | | } |
1803 | | |
1804 | | name_len = buf[2]; |
1805 | | if( name_len != list_len - 1 ) |
1806 | | { |
1807 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1808 | | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
1809 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1810 | | } |
1811 | | |
1812 | | /* Check that the server chosen protocol was in our list and save it */ |
1813 | | for( p = ssl->conf->alpn_list; *p != NULL; p++ ) |
1814 | | { |
1815 | | if( name_len == strlen( *p ) && |
1816 | | memcmp( buf + 3, *p, name_len ) == 0 ) |
1817 | | { |
1818 | | ssl->alpn_chosen = *p; |
1819 | | return( 0 ); |
1820 | | } |
1821 | | } |
1822 | | |
1823 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) ); |
1824 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1825 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
1826 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1827 | | } |
1828 | | #endif /* MBEDTLS_SSL_ALPN */ |
1829 | | |
1830 | | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
1831 | | static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl, |
1832 | | const unsigned char *buf, |
1833 | | size_t len ) |
1834 | | { |
1835 | | mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET; |
1836 | | size_t i, mki_len = 0; |
1837 | | uint16_t server_protection_profile_value = 0; |
1838 | | |
1839 | | /* If use_srtp is not configured, just ignore the extension */ |
1840 | | if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) || |
1841 | | ( ssl->conf->dtls_srtp_profile_list == NULL ) || |
1842 | | ( ssl->conf->dtls_srtp_profile_list_len == 0 ) ) |
1843 | | return( 0 ); |
1844 | | |
1845 | | /* RFC 5764 section 4.1.1 |
1846 | | * uint8 SRTPProtectionProfile[2]; |
1847 | | * |
1848 | | * struct { |
1849 | | * SRTPProtectionProfiles SRTPProtectionProfiles; |
1850 | | * opaque srtp_mki<0..255>; |
1851 | | * } UseSRTPData; |
1852 | | |
1853 | | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
1854 | | * |
1855 | | */ |
1856 | | if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED ) |
1857 | | { |
1858 | | mki_len = ssl->dtls_srtp_info.mki_len; |
1859 | | } |
1860 | | |
1861 | | /* |
1862 | | * Length is 5 + optional mki_value : one protection profile length (2 bytes) |
1863 | | * + protection profile (2 bytes) |
1864 | | * + mki_len(1 byte) |
1865 | | * and optional srtp_mki |
1866 | | */ |
1867 | | if( ( len < 5 ) || ( len != ( buf[4] + 5u ) ) ) |
1868 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1869 | | |
1870 | | /* |
1871 | | * get the server protection profile |
1872 | | */ |
1873 | | |
1874 | | /* |
1875 | | * protection profile length must be 0x0002 as we must have only |
1876 | | * one protection profile in server Hello |
1877 | | */ |
1878 | | if( ( buf[0] != 0 ) || ( buf[1] != 2 ) ) |
1879 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1880 | | |
1881 | | server_protection_profile_value = ( buf[2] << 8 ) | buf[3]; |
1882 | | server_protection = mbedtls_ssl_check_srtp_profile_value( |
1883 | | server_protection_profile_value ); |
1884 | | if( server_protection != MBEDTLS_TLS_SRTP_UNSET ) |
1885 | | { |
1886 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found srtp profile: %s", |
1887 | | mbedtls_ssl_get_srtp_profile_as_string( |
1888 | | server_protection ) ) ); |
1889 | | } |
1890 | | |
1891 | | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET; |
1892 | | |
1893 | | /* |
1894 | | * Check we have the server profile in our list |
1895 | | */ |
1896 | | for( i=0; i < ssl->conf->dtls_srtp_profile_list_len; i++) |
1897 | | { |
1898 | | if( server_protection == ssl->conf->dtls_srtp_profile_list[i] ) |
1899 | | { |
1900 | | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; |
1901 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected srtp profile: %s", |
1902 | | mbedtls_ssl_get_srtp_profile_as_string( |
1903 | | server_protection ) ) ); |
1904 | | break; |
1905 | | } |
1906 | | } |
1907 | | |
1908 | | /* If no match was found : server problem, it shall never answer with incompatible profile */ |
1909 | | if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET ) |
1910 | | { |
1911 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1912 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
1913 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1914 | | } |
1915 | | |
1916 | | /* If server does not use mki in its reply, make sure the client won't keep |
1917 | | * one as negotiated */ |
1918 | | if( len == 5 ) |
1919 | | { |
1920 | | ssl->dtls_srtp_info.mki_len = 0; |
1921 | | } |
1922 | | |
1923 | | /* |
1924 | | * RFC5764: |
1925 | | * If the client detects a nonzero-length MKI in the server's response |
1926 | | * that is different than the one the client offered, then the client |
1927 | | * MUST abort the handshake and SHOULD send an invalid_parameter alert. |
1928 | | */ |
1929 | | if( len > 5 && ( buf[4] != mki_len || |
1930 | | ( memcmp( ssl->dtls_srtp_info.mki_value, &buf[5], mki_len ) ) ) ) |
1931 | | { |
1932 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1933 | | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
1934 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1935 | | } |
1936 | | #if defined (MBEDTLS_DEBUG_C) |
1937 | | if( len > 5 ) |
1938 | | { |
1939 | | MBEDTLS_SSL_DEBUG_BUF( 3, "received mki", ssl->dtls_srtp_info.mki_value, |
1940 | | ssl->dtls_srtp_info.mki_len ); |
1941 | | } |
1942 | | #endif |
1943 | | return( 0 ); |
1944 | | } |
1945 | | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
1946 | | |
1947 | | /* |
1948 | | * Parse HelloVerifyRequest. Only called after verifying the HS type. |
1949 | | */ |
1950 | | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1951 | | static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) |
1952 | 0 | { |
1953 | 0 | const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); |
1954 | 0 | int major_ver, minor_ver; |
1955 | 0 | unsigned char cookie_len; |
1956 | |
|
1957 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); |
1958 | | |
1959 | | /* Check that there is enough room for: |
1960 | | * - 2 bytes of version |
1961 | | * - 1 byte of cookie_len |
1962 | | */ |
1963 | 0 | if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen ) |
1964 | 0 | { |
1965 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
1966 | 0 | ( "incoming HelloVerifyRequest message is too short" ) ); |
1967 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1968 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
1969 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
1970 | 0 | } |
1971 | | |
1972 | | /* |
1973 | | * struct { |
1974 | | * ProtocolVersion server_version; |
1975 | | * opaque cookie<0..2^8-1>; |
1976 | | * } HelloVerifyRequest; |
1977 | | */ |
1978 | 0 | MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); |
1979 | 0 | mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); |
1980 | 0 | p += 2; |
1981 | | |
1982 | | /* |
1983 | | * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) |
1984 | | * even is lower than our min version. |
1985 | | */ |
1986 | 0 | if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || |
1987 | 0 | minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || |
1988 | 0 | major_ver > ssl->conf->max_major_ver || |
1989 | 0 | minor_ver > ssl->conf->max_minor_ver ) |
1990 | 0 | { |
1991 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); |
1992 | |
|
1993 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1994 | 0 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); |
1995 | |
|
1996 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); |
1997 | 0 | } |
1998 | | |
1999 | 0 | cookie_len = *p++; |
2000 | 0 | if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) |
2001 | 0 | { |
2002 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
2003 | 0 | ( "cookie length does not match incoming message size" ) ); |
2004 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2005 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
2006 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
2007 | 0 | } |
2008 | 0 | MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); |
2009 | |
|
2010 | 0 | mbedtls_free( ssl->handshake->verify_cookie ); |
2011 | |
|
2012 | 0 | ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); |
2013 | 0 | if( ssl->handshake->verify_cookie == NULL ) |
2014 | 0 | { |
2015 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); |
2016 | 0 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
2017 | 0 | } |
2018 | | |
2019 | 0 | memcpy( ssl->handshake->verify_cookie, p, cookie_len ); |
2020 | 0 | ssl->handshake->verify_cookie_len = cookie_len; |
2021 | | |
2022 | | /* Start over at ClientHello */ |
2023 | 0 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
2024 | 0 | mbedtls_ssl_reset_checksum( ssl ); |
2025 | |
|
2026 | 0 | mbedtls_ssl_recv_flight_completed( ssl ); |
2027 | |
|
2028 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); |
2029 | |
|
2030 | 0 | return( 0 ); |
2031 | 0 | } |
2032 | | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
2033 | | |
2034 | | static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) |
2035 | 0 | { |
2036 | 0 | int ret, i; |
2037 | 0 | size_t n; |
2038 | 0 | size_t ext_len; |
2039 | 0 | unsigned char *buf, *ext; |
2040 | 0 | unsigned char comp; |
2041 | | #if defined(MBEDTLS_ZLIB_SUPPORT) |
2042 | | int accept_comp; |
2043 | | #endif |
2044 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
2045 | | int renegotiation_info_seen = 0; |
2046 | | #endif |
2047 | 0 | int handshake_failure = 0; |
2048 | 0 | const mbedtls_ssl_ciphersuite_t *suite_info; |
2049 | |
|
2050 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); |
2051 | |
|
2052 | 0 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
2053 | 0 | { |
2054 | | /* No alert on a read error. */ |
2055 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
2056 | 0 | return( ret ); |
2057 | 0 | } |
2058 | | |
2059 | 0 | buf = ssl->in_msg; |
2060 | |
|
2061 | 0 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) |
2062 | 0 | { |
2063 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
2064 | | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) |
2065 | | { |
2066 | | ssl->renego_records_seen++; |
2067 | | |
2068 | | if( ssl->conf->renego_max_records >= 0 && |
2069 | | ssl->renego_records_seen > ssl->conf->renego_max_records ) |
2070 | | { |
2071 | | MBEDTLS_SSL_DEBUG_MSG( 1, |
2072 | | ( "renegotiation requested, but not honored by server" ) ); |
2073 | | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
2074 | | } |
2075 | | |
2076 | | MBEDTLS_SSL_DEBUG_MSG( 1, |
2077 | | ( "non-handshake message during renegotiation" ) ); |
2078 | | |
2079 | | ssl->keep_current_message = 1; |
2080 | | return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); |
2081 | | } |
2082 | | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
2083 | |
|
2084 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); |
2085 | 0 | mbedtls_ssl_send_alert_message( |
2086 | 0 | ssl, |
2087 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2088 | 0 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); |
2089 | 0 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
2090 | 0 | } |
2091 | | |
2092 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
2093 | 0 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
2094 | 0 | { |
2095 | 0 | if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) |
2096 | 0 | { |
2097 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); |
2098 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); |
2099 | 0 | return( ssl_parse_hello_verify_request( ssl ) ); |
2100 | 0 | } |
2101 | 0 | else |
2102 | 0 | { |
2103 | | /* We made it through the verification process */ |
2104 | 0 | mbedtls_free( ssl->handshake->verify_cookie ); |
2105 | 0 | ssl->handshake->verify_cookie = NULL; |
2106 | 0 | ssl->handshake->verify_cookie_len = 0; |
2107 | 0 | } |
2108 | 0 | } |
2109 | 0 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
2110 | | |
2111 | 0 | if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || |
2112 | 0 | buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) |
2113 | 0 | { |
2114 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); |
2115 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2116 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
2117 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
2118 | 0 | } |
2119 | | |
2120 | | /* |
2121 | | * 0 . 1 server_version |
2122 | | * 2 . 33 random (maybe including 4 bytes of Unix time) |
2123 | | * 34 . 34 session_id length = n |
2124 | | * 35 . 34+n session_id |
2125 | | * 35+n . 36+n cipher_suite |
2126 | | * 37+n . 37+n compression_method |
2127 | | * |
2128 | | * 38+n . 39+n extensions length (optional) |
2129 | | * 40+n . .. extensions |
2130 | | */ |
2131 | 0 | buf += mbedtls_ssl_hs_hdr_len( ssl ); |
2132 | |
|
2133 | 0 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); |
2134 | 0 | mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, |
2135 | 0 | ssl->conf->transport, buf + 0 ); |
2136 | |
|
2137 | 0 | if( ssl->major_ver < ssl->conf->min_major_ver || |
2138 | 0 | ssl->minor_ver < ssl->conf->min_minor_ver || |
2139 | 0 | ssl->major_ver > ssl->conf->max_major_ver || |
2140 | 0 | ssl->minor_ver > ssl->conf->max_minor_ver ) |
2141 | 0 | { |
2142 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
2143 | 0 | ( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]", |
2144 | 0 | ssl->conf->min_major_ver, |
2145 | 0 | ssl->conf->min_minor_ver, |
2146 | 0 | ssl->major_ver, ssl->minor_ver, |
2147 | 0 | ssl->conf->max_major_ver, |
2148 | 0 | ssl->conf->max_minor_ver ) ); |
2149 | |
|
2150 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2151 | 0 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); |
2152 | |
|
2153 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); |
2154 | 0 | } |
2155 | | |
2156 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", |
2157 | 0 | ( (unsigned long) buf[2] << 24 ) | |
2158 | 0 | ( (unsigned long) buf[3] << 16 ) | |
2159 | 0 | ( (unsigned long) buf[4] << 8 ) | |
2160 | 0 | ( (unsigned long) buf[5] ) ) ); |
2161 | |
|
2162 | 0 | memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); |
2163 | |
|
2164 | 0 | n = buf[34]; |
2165 | |
|
2166 | 0 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); |
2167 | |
|
2168 | 0 | if( n > 32 ) |
2169 | 0 | { |
2170 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); |
2171 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2172 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
2173 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
2174 | 0 | } |
2175 | | |
2176 | 0 | if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) |
2177 | 0 | { |
2178 | 0 | ext_len = ( ( buf[38 + n] << 8 ) |
2179 | 0 | | ( buf[39 + n] ) ); |
2180 | |
|
2181 | 0 | if( ( ext_len > 0 && ext_len < 4 ) || |
2182 | 0 | ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) |
2183 | 0 | { |
2184 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); |
2185 | 0 | mbedtls_ssl_send_alert_message( |
2186 | 0 | ssl, |
2187 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2188 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
2189 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
2190 | 0 | } |
2191 | 0 | } |
2192 | 0 | else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) |
2193 | 0 | { |
2194 | 0 | ext_len = 0; |
2195 | 0 | } |
2196 | 0 | else |
2197 | 0 | { |
2198 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); |
2199 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2200 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
2201 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
2202 | 0 | } |
2203 | | |
2204 | | /* ciphersuite (used later) */ |
2205 | 0 | i = ( buf[35 + n] << 8 ) | buf[36 + n]; |
2206 | | |
2207 | | /* |
2208 | | * Read and check compression |
2209 | | */ |
2210 | 0 | comp = buf[37 + n]; |
2211 | |
|
2212 | | #if defined(MBEDTLS_ZLIB_SUPPORT) |
2213 | | /* See comments in ssl_write_client_hello() */ |
2214 | | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
2215 | | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
2216 | | accept_comp = 0; |
2217 | | else |
2218 | | #endif |
2219 | | accept_comp = 1; |
2220 | | |
2221 | | if( comp != MBEDTLS_SSL_COMPRESS_NULL && |
2222 | | ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) |
2223 | | #else /* MBEDTLS_ZLIB_SUPPORT */ |
2224 | 0 | if( comp != MBEDTLS_SSL_COMPRESS_NULL ) |
2225 | 0 | #endif/* MBEDTLS_ZLIB_SUPPORT */ |
2226 | 0 | { |
2227 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
2228 | 0 | ( "server hello, bad compression: %d", comp ) ); |
2229 | 0 | mbedtls_ssl_send_alert_message( |
2230 | 0 | ssl, |
2231 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2232 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
2233 | 0 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
2234 | 0 | } |
2235 | | |
2236 | | /* |
2237 | | * Initialize update checksum functions |
2238 | | */ |
2239 | 0 | ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); |
2240 | 0 | if( ssl->handshake->ciphersuite_info == NULL ) |
2241 | 0 | { |
2242 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
2243 | 0 | ( "ciphersuite info for %04x not found", (unsigned int)i ) ); |
2244 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2245 | 0 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); |
2246 | 0 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
2247 | 0 | } |
2248 | | |
2249 | 0 | mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info ); |
2250 | |
|
2251 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n ) ); |
2252 | 0 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); |
2253 | | |
2254 | | /* |
2255 | | * Check if the session can be resumed |
2256 | | */ |
2257 | 0 | if( ssl->handshake->resume == 0 || n == 0 || |
2258 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
2259 | | ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || |
2260 | | #endif |
2261 | 0 | ssl->session_negotiate->ciphersuite != i || |
2262 | 0 | ssl->session_negotiate->compression != comp || |
2263 | 0 | ssl->session_negotiate->id_len != n || |
2264 | 0 | memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) |
2265 | 0 | { |
2266 | 0 | ssl->state++; |
2267 | 0 | ssl->handshake->resume = 0; |
2268 | | #if defined(MBEDTLS_HAVE_TIME) |
2269 | | ssl->session_negotiate->start = mbedtls_time( NULL ); |
2270 | | #endif |
2271 | 0 | ssl->session_negotiate->ciphersuite = i; |
2272 | 0 | ssl->session_negotiate->compression = comp; |
2273 | 0 | ssl->session_negotiate->id_len = n; |
2274 | 0 | memcpy( ssl->session_negotiate->id, buf + 35, n ); |
2275 | 0 | } |
2276 | 0 | else |
2277 | 0 | { |
2278 | 0 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
2279 | |
|
2280 | 0 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) |
2281 | 0 | { |
2282 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); |
2283 | 0 | mbedtls_ssl_send_alert_message( |
2284 | 0 | ssl, |
2285 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2286 | 0 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); |
2287 | 0 | return( ret ); |
2288 | 0 | } |
2289 | 0 | } |
2290 | | |
2291 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", |
2292 | 0 | ssl->handshake->resume ? "a" : "no" ) ); |
2293 | |
|
2294 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", (unsigned) i ) ); |
2295 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", |
2296 | 0 | buf[37 + n] ) ); |
2297 | | |
2298 | | /* |
2299 | | * Perform cipher suite validation in same way as in ssl_write_client_hello. |
2300 | | */ |
2301 | 0 | i = 0; |
2302 | 0 | while( 1 ) |
2303 | 0 | { |
2304 | 0 | if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) |
2305 | 0 | { |
2306 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); |
2307 | 0 | mbedtls_ssl_send_alert_message( |
2308 | 0 | ssl, |
2309 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2310 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
2311 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
2312 | 0 | } |
2313 | | |
2314 | 0 | if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == |
2315 | 0 | ssl->session_negotiate->ciphersuite ) |
2316 | 0 | { |
2317 | 0 | break; |
2318 | 0 | } |
2319 | 0 | } |
2320 | | |
2321 | 0 | suite_info = mbedtls_ssl_ciphersuite_from_id( |
2322 | 0 | ssl->session_negotiate->ciphersuite ); |
2323 | 0 | if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, |
2324 | 0 | ssl->minor_ver ) != 0 ) |
2325 | 0 | { |
2326 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); |
2327 | 0 | mbedtls_ssl_send_alert_message( |
2328 | 0 | ssl, |
2329 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2330 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
2331 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
2332 | 0 | } |
2333 | | |
2334 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
2335 | 0 | ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); |
2336 | |
|
2337 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
2338 | | if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA && |
2339 | | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
2340 | | { |
2341 | | ssl->handshake->ecrs_enabled = 1; |
2342 | | } |
2343 | | #endif |
2344 | |
|
2345 | 0 | if( comp != MBEDTLS_SSL_COMPRESS_NULL |
2346 | | #if defined(MBEDTLS_ZLIB_SUPPORT) |
2347 | | && comp != MBEDTLS_SSL_COMPRESS_DEFLATE |
2348 | | #endif |
2349 | 0 | ) |
2350 | 0 | { |
2351 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); |
2352 | 0 | mbedtls_ssl_send_alert_message( |
2353 | 0 | ssl, |
2354 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2355 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
2356 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
2357 | 0 | } |
2358 | 0 | ssl->session_negotiate->compression = comp; |
2359 | |
|
2360 | 0 | ext = buf + 40 + n; |
2361 | |
|
2362 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, |
2363 | 0 | ( "server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, ext_len ) ); |
2364 | |
|
2365 | 0 | while( ext_len ) |
2366 | 0 | { |
2367 | 0 | unsigned int ext_id = ( ( ext[0] << 8 ) |
2368 | 0 | | ( ext[1] ) ); |
2369 | 0 | unsigned int ext_size = ( ( ext[2] << 8 ) |
2370 | 0 | | ( ext[3] ) ); |
2371 | |
|
2372 | 0 | if( ext_size + 4 > ext_len ) |
2373 | 0 | { |
2374 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); |
2375 | 0 | mbedtls_ssl_send_alert_message( |
2376 | 0 | ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2377 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
2378 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
2379 | 0 | } |
2380 | | |
2381 | 0 | switch( ext_id ) |
2382 | 0 | { |
2383 | 0 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: |
2384 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); |
2385 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
2386 | | renegotiation_info_seen = 1; |
2387 | | #endif |
2388 | |
|
2389 | 0 | if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, |
2390 | 0 | ext_size ) ) != 0 ) |
2391 | 0 | return( ret ); |
2392 | | |
2393 | 0 | break; |
2394 | | |
2395 | 0 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
2396 | 0 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: |
2397 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
2398 | 0 | ( "found max_fragment_length extension" ) ); |
2399 | |
|
2400 | 0 | if( ( ret = ssl_parse_max_fragment_length_ext( ssl, |
2401 | 0 | ext + 4, ext_size ) ) != 0 ) |
2402 | 0 | { |
2403 | 0 | return( ret ); |
2404 | 0 | } |
2405 | | |
2406 | 0 | break; |
2407 | 0 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
2408 | | |
2409 | | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
2410 | | case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: |
2411 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); |
2412 | | |
2413 | | if( ( ret = ssl_parse_truncated_hmac_ext( ssl, |
2414 | | ext + 4, ext_size ) ) != 0 ) |
2415 | | { |
2416 | | return( ret ); |
2417 | | } |
2418 | | |
2419 | | break; |
2420 | | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
2421 | | |
2422 | | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
2423 | | case MBEDTLS_TLS_EXT_CID: |
2424 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) ); |
2425 | | |
2426 | | if( ( ret = ssl_parse_cid_ext( ssl, |
2427 | | ext + 4, |
2428 | | ext_size ) ) != 0 ) |
2429 | | { |
2430 | | return( ret ); |
2431 | | } |
2432 | | |
2433 | | break; |
2434 | | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
2435 | | |
2436 | | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
2437 | | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: |
2438 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); |
2439 | | |
2440 | | if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, |
2441 | | ext + 4, ext_size ) ) != 0 ) |
2442 | | { |
2443 | | return( ret ); |
2444 | | } |
2445 | | |
2446 | | break; |
2447 | | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
2448 | | |
2449 | | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
2450 | | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: |
2451 | | MBEDTLS_SSL_DEBUG_MSG( 3, |
2452 | | ( "found extended_master_secret extension" ) ); |
2453 | | |
2454 | | if( ( ret = ssl_parse_extended_ms_ext( ssl, |
2455 | | ext + 4, ext_size ) ) != 0 ) |
2456 | | { |
2457 | | return( ret ); |
2458 | | } |
2459 | | |
2460 | | break; |
2461 | | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
2462 | | |
2463 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
2464 | | case MBEDTLS_TLS_EXT_SESSION_TICKET: |
2465 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); |
2466 | | |
2467 | | if( ( ret = ssl_parse_session_ticket_ext( ssl, |
2468 | | ext + 4, ext_size ) ) != 0 ) |
2469 | | { |
2470 | | return( ret ); |
2471 | | } |
2472 | | |
2473 | | break; |
2474 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
2475 | | |
2476 | 0 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
2477 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
2478 | 0 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: |
2479 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
2480 | 0 | ( "found supported_point_formats extension" ) ); |
2481 | |
|
2482 | 0 | if( ( ret = ssl_parse_supported_point_formats_ext( ssl, |
2483 | 0 | ext + 4, ext_size ) ) != 0 ) |
2484 | 0 | { |
2485 | 0 | return( ret ); |
2486 | 0 | } |
2487 | | |
2488 | 0 | break; |
2489 | 0 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
2490 | | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
2491 | | |
2492 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
2493 | 0 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: |
2494 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); |
2495 | |
|
2496 | 0 | if( ( ret = ssl_parse_ecjpake_kkpp( ssl, |
2497 | 0 | ext + 4, ext_size ) ) != 0 ) |
2498 | 0 | { |
2499 | 0 | return( ret ); |
2500 | 0 | } |
2501 | | |
2502 | 0 | break; |
2503 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
2504 | | |
2505 | | #if defined(MBEDTLS_SSL_ALPN) |
2506 | | case MBEDTLS_TLS_EXT_ALPN: |
2507 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); |
2508 | | |
2509 | | if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) |
2510 | | return( ret ); |
2511 | | |
2512 | | break; |
2513 | | #endif /* MBEDTLS_SSL_ALPN */ |
2514 | | |
2515 | | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
2516 | | case MBEDTLS_TLS_EXT_USE_SRTP: |
2517 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found use_srtp extension" ) ); |
2518 | | |
2519 | | if( ( ret = ssl_parse_use_srtp_ext( ssl, ext + 4, ext_size ) ) != 0 ) |
2520 | | return( ret ); |
2521 | | |
2522 | | break; |
2523 | | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
2524 | | |
2525 | 0 | default: |
2526 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, |
2527 | 0 | ( "unknown extension found: %u (ignoring)", ext_id ) ); |
2528 | 0 | } |
2529 | | |
2530 | 0 | ext_len -= 4 + ext_size; |
2531 | 0 | ext += 4 + ext_size; |
2532 | |
|
2533 | 0 | if( ext_len > 0 && ext_len < 4 ) |
2534 | 0 | { |
2535 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); |
2536 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
2537 | 0 | } |
2538 | 0 | } |
2539 | | |
2540 | | /* |
2541 | | * Renegotiation security checks |
2542 | | */ |
2543 | 0 | if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
2544 | 0 | ssl->conf->allow_legacy_renegotiation == |
2545 | 0 | MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) |
2546 | 0 | { |
2547 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
2548 | 0 | ( "legacy renegotiation, breaking off handshake" ) ); |
2549 | 0 | handshake_failure = 1; |
2550 | 0 | } |
2551 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
2552 | | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
2553 | | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && |
2554 | | renegotiation_info_seen == 0 ) |
2555 | | { |
2556 | | MBEDTLS_SSL_DEBUG_MSG( 1, |
2557 | | ( "renegotiation_info extension missing (secure)" ) ); |
2558 | | handshake_failure = 1; |
2559 | | } |
2560 | | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
2561 | | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
2562 | | ssl->conf->allow_legacy_renegotiation == |
2563 | | MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) |
2564 | | { |
2565 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); |
2566 | | handshake_failure = 1; |
2567 | | } |
2568 | | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
2569 | | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
2570 | | renegotiation_info_seen == 1 ) |
2571 | | { |
2572 | | MBEDTLS_SSL_DEBUG_MSG( 1, |
2573 | | ( "renegotiation_info extension present (legacy)" ) ); |
2574 | | handshake_failure = 1; |
2575 | | } |
2576 | | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
2577 | |
|
2578 | 0 | if( handshake_failure == 1 ) |
2579 | 0 | { |
2580 | 0 | mbedtls_ssl_send_alert_message( |
2581 | 0 | ssl, |
2582 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2583 | 0 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
2584 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); |
2585 | 0 | } |
2586 | | |
2587 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); |
2588 | |
|
2589 | 0 | return( 0 ); |
2590 | 0 | } |
2591 | | |
2592 | | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
2593 | | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
2594 | | static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, |
2595 | | unsigned char **p, |
2596 | | unsigned char *end ) |
2597 | | { |
2598 | | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
2599 | | size_t dhm_actual_bitlen; |
2600 | | |
2601 | | /* |
2602 | | * Ephemeral DH parameters: |
2603 | | * |
2604 | | * struct { |
2605 | | * opaque dh_p<1..2^16-1>; |
2606 | | * opaque dh_g<1..2^16-1>; |
2607 | | * opaque dh_Ys<1..2^16-1>; |
2608 | | * } ServerDHParams; |
2609 | | */ |
2610 | | if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, |
2611 | | p, end ) ) != 0 ) |
2612 | | { |
2613 | | MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); |
2614 | | return( ret ); |
2615 | | } |
2616 | | |
2617 | | dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P ); |
2618 | | if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen ) |
2619 | | { |
2620 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u", |
2621 | | dhm_actual_bitlen, |
2622 | | ssl->conf->dhm_min_bitlen ) ); |
2623 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2624 | | } |
2625 | | |
2626 | | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); |
2627 | | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); |
2628 | | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); |
2629 | | |
2630 | | return( ret ); |
2631 | | } |
2632 | | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
2633 | | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
2634 | | |
2635 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
2636 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
2637 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
2638 | | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
2639 | | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
2640 | | static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) |
2641 | 0 | { |
2642 | 0 | const mbedtls_ecp_curve_info *curve_info; |
2643 | 0 | mbedtls_ecp_group_id grp_id; |
2644 | | #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) |
2645 | | grp_id = ssl->handshake->ecdh_ctx.grp.id; |
2646 | | #else |
2647 | 0 | grp_id = ssl->handshake->ecdh_ctx.grp_id; |
2648 | 0 | #endif |
2649 | |
|
2650 | 0 | curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id ); |
2651 | 0 | if( curve_info == NULL ) |
2652 | 0 | { |
2653 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
2654 | 0 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
2655 | 0 | } |
2656 | | |
2657 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); |
2658 | |
|
2659 | 0 | #if defined(MBEDTLS_ECP_C) |
2660 | 0 | if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 ) |
2661 | | #else |
2662 | | if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || |
2663 | | ssl->handshake->ecdh_ctx.grp.nbits > 521 ) |
2664 | | #endif |
2665 | 0 | return( -1 ); |
2666 | | |
2667 | 0 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
2668 | 0 | MBEDTLS_DEBUG_ECDH_QP ); |
2669 | |
|
2670 | 0 | return( 0 ); |
2671 | 0 | } |
2672 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
2673 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
2674 | | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || |
2675 | | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
2676 | | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
2677 | | |
2678 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
2679 | | ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
2680 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ) |
2681 | | static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl, |
2682 | | unsigned char **p, |
2683 | | unsigned char *end ) |
2684 | | { |
2685 | | uint16_t tls_id; |
2686 | | size_t ecdh_bits = 0; |
2687 | | uint8_t ecpoint_len; |
2688 | | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
2689 | | |
2690 | | /* |
2691 | | * Parse ECC group |
2692 | | */ |
2693 | | |
2694 | | if( end - *p < 4 ) |
2695 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2696 | | |
2697 | | /* First byte is curve_type; only named_curve is handled */ |
2698 | | if( *(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE ) |
2699 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2700 | | |
2701 | | /* Next two bytes are the namedcurve value */ |
2702 | | tls_id = *(*p)++; |
2703 | | tls_id <<= 8; |
2704 | | tls_id |= *(*p)++; |
2705 | | |
2706 | | /* Convert EC group to PSA key type. */ |
2707 | | if( ( handshake->ecdh_psa_type = |
2708 | | mbedtls_psa_parse_tls_ecc_group( tls_id, &ecdh_bits ) ) == 0 ) |
2709 | | { |
2710 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2711 | | } |
2712 | | if( ecdh_bits > 0xffff ) |
2713 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2714 | | handshake->ecdh_bits = (uint16_t) ecdh_bits; |
2715 | | |
2716 | | /* |
2717 | | * Put peer's ECDH public key in the format understood by PSA. |
2718 | | */ |
2719 | | |
2720 | | ecpoint_len = *(*p)++; |
2721 | | if( (size_t)( end - *p ) < ecpoint_len ) |
2722 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2723 | | |
2724 | | if( mbedtls_psa_tls_ecpoint_to_psa_ec( |
2725 | | *p, ecpoint_len, |
2726 | | handshake->ecdh_psa_peerkey, |
2727 | | sizeof( handshake->ecdh_psa_peerkey ), |
2728 | | &handshake->ecdh_psa_peerkey_len ) != 0 ) |
2729 | | { |
2730 | | return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); |
2731 | | } |
2732 | | |
2733 | | *p += ecpoint_len; |
2734 | | return( 0 ); |
2735 | | } |
2736 | | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
2737 | | ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
2738 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ |
2739 | | |
2740 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
2741 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
2742 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
2743 | | static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, |
2744 | | unsigned char **p, |
2745 | | unsigned char *end ) |
2746 | 0 | { |
2747 | 0 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
2748 | | |
2749 | | /* |
2750 | | * Ephemeral ECDH parameters: |
2751 | | * |
2752 | | * struct { |
2753 | | * ECParameters curve_params; |
2754 | | * ECPoint public; |
2755 | | * } ServerECDHParams; |
2756 | | */ |
2757 | 0 | if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, |
2758 | 0 | (const unsigned char **) p, end ) ) != 0 ) |
2759 | 0 | { |
2760 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); |
2761 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
2762 | | if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) |
2763 | | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
2764 | | #endif |
2765 | 0 | return( ret ); |
2766 | 0 | } |
2767 | | |
2768 | 0 | if( ssl_check_server_ecdh_params( ssl ) != 0 ) |
2769 | 0 | { |
2770 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
2771 | 0 | ( "bad server key exchange message (ECDHE curve)" ) ); |
2772 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2773 | 0 | } |
2774 | | |
2775 | 0 | return( ret ); |
2776 | 0 | } |
2777 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
2778 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
2779 | | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
2780 | | |
2781 | | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
2782 | | static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, |
2783 | | unsigned char **p, |
2784 | | unsigned char *end ) |
2785 | 0 | { |
2786 | 0 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
2787 | 0 | uint16_t len; |
2788 | 0 | ((void) ssl); |
2789 | | |
2790 | | /* |
2791 | | * PSK parameters: |
2792 | | * |
2793 | | * opaque psk_identity_hint<0..2^16-1>; |
2794 | | */ |
2795 | 0 | if( end - (*p) < 2 ) |
2796 | 0 | { |
2797 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
2798 | 0 | ( "bad server key exchange message (psk_identity_hint length)" ) ); |
2799 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2800 | 0 | } |
2801 | 0 | len = (*p)[0] << 8 | (*p)[1]; |
2802 | 0 | *p += 2; |
2803 | |
|
2804 | 0 | if( end - (*p) < len ) |
2805 | 0 | { |
2806 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
2807 | 0 | ( "bad server key exchange message (psk_identity_hint length)" ) ); |
2808 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2809 | 0 | } |
2810 | | |
2811 | | /* |
2812 | | * Note: we currently ignore the PKS identity hint, as we only allow one |
2813 | | * PSK to be provisionned on the client. This could be changed later if |
2814 | | * someone needs that feature. |
2815 | | */ |
2816 | 0 | *p += len; |
2817 | 0 | ret = 0; |
2818 | |
|
2819 | 0 | return( ret ); |
2820 | 0 | } |
2821 | | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
2822 | | |
2823 | | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
2824 | | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
2825 | | /* |
2826 | | * Generate a pre-master secret and encrypt it with the server's RSA key |
2827 | | */ |
2828 | | static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, |
2829 | | size_t offset, size_t *olen, |
2830 | | size_t pms_offset ) |
2831 | | { |
2832 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2833 | | size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; |
2834 | | unsigned char *p = ssl->handshake->premaster + pms_offset; |
2835 | | mbedtls_pk_context * peer_pk; |
2836 | | |
2837 | | if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN ) |
2838 | | { |
2839 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); |
2840 | | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
2841 | | } |
2842 | | |
2843 | | /* |
2844 | | * Generate (part of) the pre-master as |
2845 | | * struct { |
2846 | | * ProtocolVersion client_version; |
2847 | | * opaque random[46]; |
2848 | | * } PreMasterSecret; |
2849 | | */ |
2850 | | mbedtls_ssl_write_version( ssl->conf->max_major_ver, |
2851 | | ssl->conf->max_minor_ver, |
2852 | | ssl->conf->transport, p ); |
2853 | | |
2854 | | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) |
2855 | | { |
2856 | | MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); |
2857 | | return( ret ); |
2858 | | } |
2859 | | |
2860 | | ssl->handshake->pmslen = 48; |
2861 | | |
2862 | | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
2863 | | peer_pk = &ssl->handshake->peer_pubkey; |
2864 | | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
2865 | | if( ssl->session_negotiate->peer_cert == NULL ) |
2866 | | { |
2867 | | /* Should never happen */ |
2868 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
2869 | | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
2870 | | } |
2871 | | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
2872 | | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
2873 | | |
2874 | | /* |
2875 | | * Now write it out, encrypted |
2876 | | */ |
2877 | | if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) ) |
2878 | | { |
2879 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); |
2880 | | return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); |
2881 | | } |
2882 | | |
2883 | | if( ( ret = mbedtls_pk_encrypt( peer_pk, |
2884 | | p, ssl->handshake->pmslen, |
2885 | | ssl->out_msg + offset + len_bytes, olen, |
2886 | | MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes, |
2887 | | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
2888 | | { |
2889 | | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); |
2890 | | return( ret ); |
2891 | | } |
2892 | | |
2893 | | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
2894 | | defined(MBEDTLS_SSL_PROTO_TLS1_2) |
2895 | | if( len_bytes == 2 ) |
2896 | | { |
2897 | | MBEDTLS_PUT_UINT16_BE( *olen, ssl->out_msg, offset ); |
2898 | | *olen += 2; |
2899 | | } |
2900 | | #endif |
2901 | | |
2902 | | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
2903 | | /* We don't need the peer's public key anymore. Free it. */ |
2904 | | mbedtls_pk_free( peer_pk ); |
2905 | | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
2906 | | return( 0 ); |
2907 | | } |
2908 | | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || |
2909 | | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
2910 | | |
2911 | | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
2912 | | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
2913 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
2914 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
2915 | | static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, |
2916 | | unsigned char **p, |
2917 | | unsigned char *end, |
2918 | | mbedtls_md_type_t *md_alg, |
2919 | | mbedtls_pk_type_t *pk_alg ) |
2920 | 0 | { |
2921 | 0 | ((void) ssl); |
2922 | 0 | *md_alg = MBEDTLS_MD_NONE; |
2923 | 0 | *pk_alg = MBEDTLS_PK_NONE; |
2924 | | |
2925 | | /* Only in TLS 1.2 */ |
2926 | 0 | if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) |
2927 | 0 | { |
2928 | 0 | return( 0 ); |
2929 | 0 | } |
2930 | | |
2931 | 0 | if( (*p) + 2 > end ) |
2932 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2933 | | |
2934 | | /* |
2935 | | * Get hash algorithm |
2936 | | */ |
2937 | 0 | if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) |
2938 | 0 | == MBEDTLS_MD_NONE ) |
2939 | 0 | { |
2940 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
2941 | 0 | ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) ); |
2942 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2943 | 0 | } |
2944 | | |
2945 | | /* |
2946 | | * Get signature algorithm |
2947 | | */ |
2948 | 0 | if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) |
2949 | 0 | == MBEDTLS_PK_NONE ) |
2950 | 0 | { |
2951 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
2952 | 0 | ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) ); |
2953 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2954 | 0 | } |
2955 | | |
2956 | | /* |
2957 | | * Check if the hash is acceptable |
2958 | | */ |
2959 | 0 | if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) |
2960 | 0 | { |
2961 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
2962 | 0 | ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) ); |
2963 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
2964 | 0 | } |
2965 | | |
2966 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", |
2967 | 0 | (*p)[1] ) ); |
2968 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", |
2969 | 0 | (*p)[0] ) ); |
2970 | 0 | *p += 2; |
2971 | |
|
2972 | 0 | return( 0 ); |
2973 | 0 | } |
2974 | | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
2975 | | MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
2976 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
2977 | | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
2978 | | |
2979 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
2980 | | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
2981 | | static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) |
2982 | | { |
2983 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2984 | | const mbedtls_ecp_keypair *peer_key; |
2985 | | mbedtls_pk_context * peer_pk; |
2986 | | |
2987 | | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
2988 | | peer_pk = &ssl->handshake->peer_pubkey; |
2989 | | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
2990 | | if( ssl->session_negotiate->peer_cert == NULL ) |
2991 | | { |
2992 | | /* Should never happen */ |
2993 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
2994 | | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
2995 | | } |
2996 | | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
2997 | | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
2998 | | |
2999 | | if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) ) |
3000 | | { |
3001 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); |
3002 | | return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); |
3003 | | } |
3004 | | |
3005 | | peer_key = mbedtls_pk_ec( *peer_pk ); |
3006 | | |
3007 | | if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, |
3008 | | MBEDTLS_ECDH_THEIRS ) ) != 0 ) |
3009 | | { |
3010 | | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); |
3011 | | return( ret ); |
3012 | | } |
3013 | | |
3014 | | if( ssl_check_server_ecdh_params( ssl ) != 0 ) |
3015 | | { |
3016 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); |
3017 | | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); |
3018 | | } |
3019 | | |
3020 | | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
3021 | | /* We don't need the peer's public key anymore. Free it, |
3022 | | * so that more RAM is available for upcoming expensive |
3023 | | * operations like ECDHE. */ |
3024 | | mbedtls_pk_free( peer_pk ); |
3025 | | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
3026 | | |
3027 | | return( ret ); |
3028 | | } |
3029 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || |
3030 | | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
3031 | | |
3032 | | static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) |
3033 | 0 | { |
3034 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3035 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
3036 | 0 | ssl->handshake->ciphersuite_info; |
3037 | 0 | unsigned char *p = NULL, *end = NULL; |
3038 | |
|
3039 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); |
3040 | |
|
3041 | | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
3042 | | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) |
3043 | | { |
3044 | | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); |
3045 | | ssl->state++; |
3046 | | return( 0 ); |
3047 | | } |
3048 | | ((void) p); |
3049 | | ((void) end); |
3050 | | #endif |
3051 | |
|
3052 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
3053 | | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
3054 | | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
3055 | | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) |
3056 | | { |
3057 | | if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) |
3058 | | { |
3059 | | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); |
3060 | | mbedtls_ssl_send_alert_message( |
3061 | | ssl, |
3062 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3063 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
3064 | | return( ret ); |
3065 | | } |
3066 | | |
3067 | | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); |
3068 | | ssl->state++; |
3069 | | return( 0 ); |
3070 | | } |
3071 | | ((void) p); |
3072 | | ((void) end); |
3073 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
3074 | | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
3075 | |
|
3076 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3077 | | if( ssl->handshake->ecrs_enabled && |
3078 | | ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing ) |
3079 | | { |
3080 | | goto start_processing; |
3081 | | } |
3082 | | #endif |
3083 | |
|
3084 | 0 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
3085 | 0 | { |
3086 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
3087 | 0 | return( ret ); |
3088 | 0 | } |
3089 | | |
3090 | 0 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) |
3091 | 0 | { |
3092 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); |
3093 | 0 | mbedtls_ssl_send_alert_message( |
3094 | 0 | ssl, |
3095 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3096 | 0 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); |
3097 | 0 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
3098 | 0 | } |
3099 | | |
3100 | | /* |
3101 | | * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server |
3102 | | * doesn't use a psk_identity_hint |
3103 | | */ |
3104 | 0 | if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) |
3105 | 0 | { |
3106 | 0 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
3107 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) |
3108 | 0 | { |
3109 | | /* Current message is probably either |
3110 | | * CertificateRequest or ServerHelloDone */ |
3111 | 0 | ssl->keep_current_message = 1; |
3112 | 0 | goto exit; |
3113 | 0 | } |
3114 | | |
3115 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
3116 | 0 | ( "server key exchange message must not be skipped" ) ); |
3117 | 0 | mbedtls_ssl_send_alert_message( |
3118 | 0 | ssl, |
3119 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3120 | 0 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); |
3121 | |
|
3122 | 0 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
3123 | 0 | } |
3124 | | |
3125 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3126 | | if( ssl->handshake->ecrs_enabled ) |
3127 | | ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing; |
3128 | | |
3129 | | start_processing: |
3130 | | #endif |
3131 | 0 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); |
3132 | 0 | end = ssl->in_msg + ssl->in_hslen; |
3133 | 0 | MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); |
3134 | |
|
3135 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
3136 | 0 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
3137 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
3138 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
3139 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) |
3140 | 0 | { |
3141 | 0 | if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) |
3142 | 0 | { |
3143 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); |
3144 | 0 | mbedtls_ssl_send_alert_message( |
3145 | 0 | ssl, |
3146 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3147 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
3148 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
3149 | 0 | } |
3150 | 0 | } /* FALLTROUGH */ |
3151 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
3152 | | |
3153 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ |
3154 | 0 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
3155 | 0 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
3156 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) |
3157 | 0 | ; /* nothing more to do */ |
3158 | 0 | else |
3159 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || |
3160 | | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
3161 | | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
3162 | | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
3163 | | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || |
3164 | | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) |
3165 | | { |
3166 | | if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) |
3167 | | { |
3168 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); |
3169 | | mbedtls_ssl_send_alert_message( |
3170 | | ssl, |
3171 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3172 | | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
3173 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
3174 | | } |
3175 | | } |
3176 | | else |
3177 | | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
3178 | | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
3179 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
3180 | | ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
3181 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ) |
3182 | | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
3183 | | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) |
3184 | | { |
3185 | | if( ssl_parse_server_ecdh_params_psa( ssl, &p, end ) != 0 ) |
3186 | | { |
3187 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); |
3188 | | mbedtls_ssl_send_alert_message( |
3189 | | ssl, |
3190 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3191 | | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
3192 | | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
3193 | | } |
3194 | | } |
3195 | | else |
3196 | | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
3197 | | ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
3198 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ |
3199 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
3200 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
3201 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
3202 | 0 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
3203 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || |
3204 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) |
3205 | 0 | { |
3206 | 0 | if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) |
3207 | 0 | { |
3208 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); |
3209 | 0 | mbedtls_ssl_send_alert_message( |
3210 | 0 | ssl, |
3211 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3212 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
3213 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
3214 | 0 | } |
3215 | 0 | } |
3216 | 0 | else |
3217 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
3218 | | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || |
3219 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
3220 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
3221 | 0 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
3222 | 0 | { |
3223 | 0 | ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, |
3224 | 0 | p, end - p ); |
3225 | 0 | if( ret != 0 ) |
3226 | 0 | { |
3227 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); |
3228 | 0 | mbedtls_ssl_send_alert_message( |
3229 | 0 | ssl, |
3230 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3231 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
3232 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
3233 | 0 | } |
3234 | 0 | } |
3235 | 0 | else |
3236 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
3237 | 0 | { |
3238 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
3239 | 0 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
3240 | 0 | } |
3241 | | |
3242 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
3243 | 0 | if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) |
3244 | 0 | { |
3245 | 0 | size_t sig_len, hashlen; |
3246 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
3247 | | unsigned char hash[PSA_HASH_MAX_SIZE]; |
3248 | | #else |
3249 | 0 | unsigned char hash[MBEDTLS_MD_MAX_SIZE]; |
3250 | 0 | #endif |
3251 | 0 | mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; |
3252 | 0 | mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; |
3253 | 0 | unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); |
3254 | 0 | size_t params_len = p - params; |
3255 | 0 | void *rs_ctx = NULL; |
3256 | |
|
3257 | 0 | mbedtls_pk_context * peer_pk; |
3258 | | |
3259 | | /* |
3260 | | * Handle the digitally-signed structure |
3261 | | */ |
3262 | 0 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
3263 | 0 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
3264 | 0 | { |
3265 | 0 | if( ssl_parse_signature_algorithm( ssl, &p, end, |
3266 | 0 | &md_alg, &pk_alg ) != 0 ) |
3267 | 0 | { |
3268 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
3269 | 0 | ( "bad server key exchange message" ) ); |
3270 | 0 | mbedtls_ssl_send_alert_message( |
3271 | 0 | ssl, |
3272 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3273 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
3274 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
3275 | 0 | } |
3276 | | |
3277 | 0 | if( pk_alg != |
3278 | 0 | mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) |
3279 | 0 | { |
3280 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
3281 | 0 | ( "bad server key exchange message" ) ); |
3282 | 0 | mbedtls_ssl_send_alert_message( |
3283 | 0 | ssl, |
3284 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3285 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
3286 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
3287 | 0 | } |
3288 | 0 | } |
3289 | 0 | else |
3290 | 0 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
3291 | | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
3292 | | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
3293 | | if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) |
3294 | | { |
3295 | | pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); |
3296 | | |
3297 | | /* Default hash for ECDSA is SHA-1 */ |
3298 | | if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) |
3299 | | md_alg = MBEDTLS_MD_SHA1; |
3300 | | } |
3301 | | else |
3302 | | #endif |
3303 | 0 | { |
3304 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
3305 | 0 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
3306 | 0 | } |
3307 | | |
3308 | | /* |
3309 | | * Read signature |
3310 | | */ |
3311 | | |
3312 | 0 | if( p > end - 2 ) |
3313 | 0 | { |
3314 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); |
3315 | 0 | mbedtls_ssl_send_alert_message( |
3316 | 0 | ssl, |
3317 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3318 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
3319 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
3320 | 0 | } |
3321 | 0 | sig_len = ( p[0] << 8 ) | p[1]; |
3322 | 0 | p += 2; |
3323 | |
|
3324 | 0 | if( p != end - sig_len ) |
3325 | 0 | { |
3326 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); |
3327 | 0 | mbedtls_ssl_send_alert_message( |
3328 | 0 | ssl, |
3329 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3330 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
3331 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); |
3332 | 0 | } |
3333 | | |
3334 | 0 | MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); |
3335 | | |
3336 | | /* |
3337 | | * Compute the hash that has been signed |
3338 | | */ |
3339 | | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
3340 | | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
3341 | | if( md_alg == MBEDTLS_MD_NONE ) |
3342 | | { |
3343 | | hashlen = 36; |
3344 | | ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params, |
3345 | | params_len ); |
3346 | | if( ret != 0 ) |
3347 | | return( ret ); |
3348 | | } |
3349 | | else |
3350 | | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ |
3351 | | MBEDTLS_SSL_PROTO_TLS1_1 */ |
3352 | 0 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
3353 | 0 | defined(MBEDTLS_SSL_PROTO_TLS1_2) |
3354 | 0 | if( md_alg != MBEDTLS_MD_NONE ) |
3355 | 0 | { |
3356 | 0 | ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, |
3357 | 0 | params, params_len, |
3358 | 0 | md_alg ); |
3359 | 0 | if( ret != 0 ) |
3360 | 0 | return( ret ); |
3361 | 0 | } |
3362 | 0 | else |
3363 | 0 | #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ |
3364 | | MBEDTLS_SSL_PROTO_TLS1_2 */ |
3365 | 0 | { |
3366 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
3367 | 0 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
3368 | 0 | } |
3369 | | |
3370 | 0 | MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen ); |
3371 | |
|
3372 | 0 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
3373 | 0 | peer_pk = &ssl->handshake->peer_pubkey; |
3374 | | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
3375 | | if( ssl->session_negotiate->peer_cert == NULL ) |
3376 | | { |
3377 | | /* Should never happen */ |
3378 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
3379 | | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
3380 | | } |
3381 | | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
3382 | | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
3383 | | |
3384 | | /* |
3385 | | * Verify signature |
3386 | | */ |
3387 | 0 | if( !mbedtls_pk_can_do( peer_pk, pk_alg ) ) |
3388 | 0 | { |
3389 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); |
3390 | 0 | mbedtls_ssl_send_alert_message( |
3391 | 0 | ssl, |
3392 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3393 | 0 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
3394 | 0 | return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); |
3395 | 0 | } |
3396 | | |
3397 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3398 | | if( ssl->handshake->ecrs_enabled ) |
3399 | | rs_ctx = &ssl->handshake->ecrs_ctx.pk; |
3400 | | #endif |
3401 | | |
3402 | 0 | if( ( ret = mbedtls_pk_verify_restartable( peer_pk, |
3403 | 0 | md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 ) |
3404 | 0 | { |
3405 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3406 | | if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS ) |
3407 | | #endif |
3408 | 0 | mbedtls_ssl_send_alert_message( |
3409 | 0 | ssl, |
3410 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3411 | 0 | MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); |
3412 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); |
3413 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3414 | | if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) |
3415 | | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
3416 | | #endif |
3417 | 0 | return( ret ); |
3418 | 0 | } |
3419 | | |
3420 | 0 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
3421 | | /* We don't need the peer's public key anymore. Free it, |
3422 | | * so that more RAM is available for upcoming expensive |
3423 | | * operations like ECDHE. */ |
3424 | 0 | mbedtls_pk_free( peer_pk ); |
3425 | 0 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
3426 | 0 | } |
3427 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
3428 | | |
3429 | 0 | exit: |
3430 | 0 | ssl->state++; |
3431 | |
|
3432 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); |
3433 | |
|
3434 | 0 | return( 0 ); |
3435 | 0 | } |
3436 | | |
3437 | | #if ! defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
3438 | | static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) |
3439 | | { |
3440 | | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
3441 | | ssl->handshake->ciphersuite_info; |
3442 | | |
3443 | | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); |
3444 | | |
3445 | | if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) |
3446 | | { |
3447 | | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); |
3448 | | ssl->state++; |
3449 | | return( 0 ); |
3450 | | } |
3451 | | |
3452 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
3453 | | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
3454 | | } |
3455 | | #else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
3456 | | static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) |
3457 | 0 | { |
3458 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3459 | 0 | unsigned char *buf; |
3460 | 0 | size_t n = 0; |
3461 | 0 | size_t cert_type_len = 0, dn_len = 0; |
3462 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
3463 | 0 | ssl->handshake->ciphersuite_info; |
3464 | |
|
3465 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); |
3466 | |
|
3467 | 0 | if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) |
3468 | 0 | { |
3469 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); |
3470 | 0 | ssl->state++; |
3471 | 0 | return( 0 ); |
3472 | 0 | } |
3473 | | |
3474 | 0 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
3475 | 0 | { |
3476 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
3477 | 0 | return( ret ); |
3478 | 0 | } |
3479 | | |
3480 | 0 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) |
3481 | 0 | { |
3482 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); |
3483 | 0 | mbedtls_ssl_send_alert_message( |
3484 | 0 | ssl, |
3485 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3486 | 0 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); |
3487 | 0 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
3488 | 0 | } |
3489 | | |
3490 | 0 | ssl->state++; |
3491 | 0 | ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); |
3492 | |
|
3493 | 0 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", |
3494 | 0 | ssl->client_auth ? "a" : "no" ) ); |
3495 | |
|
3496 | 0 | if( ssl->client_auth == 0 ) |
3497 | 0 | { |
3498 | | /* Current message is probably the ServerHelloDone */ |
3499 | 0 | ssl->keep_current_message = 1; |
3500 | 0 | goto exit; |
3501 | 0 | } |
3502 | | |
3503 | | /* |
3504 | | * struct { |
3505 | | * ClientCertificateType certificate_types<1..2^8-1>; |
3506 | | * SignatureAndHashAlgorithm |
3507 | | * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only |
3508 | | * DistinguishedName certificate_authorities<0..2^16-1>; |
3509 | | * } CertificateRequest; |
3510 | | * |
3511 | | * Since we only support a single certificate on clients, let's just |
3512 | | * ignore all the information that's supposed to help us pick a |
3513 | | * certificate. |
3514 | | * |
3515 | | * We could check that our certificate matches the request, and bail out |
3516 | | * if it doesn't, but it's simpler to just send the certificate anyway, |
3517 | | * and give the server the opportunity to decide if it should terminate |
3518 | | * the connection when it doesn't like our certificate. |
3519 | | * |
3520 | | * Same goes for the hash in TLS 1.2's signature_algorithms: at this |
3521 | | * point we only have one hash available (see comments in |
3522 | | * write_certificate_verify), so let's just use what we have. |
3523 | | * |
3524 | | * However, we still minimally parse the message to check it is at least |
3525 | | * superficially sane. |
3526 | | */ |
3527 | 0 | buf = ssl->in_msg; |
3528 | | |
3529 | | /* certificate_types */ |
3530 | 0 | if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) ) |
3531 | 0 | { |
3532 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); |
3533 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3534 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
3535 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); |
3536 | 0 | } |
3537 | 0 | cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; |
3538 | 0 | n = cert_type_len; |
3539 | | |
3540 | | /* |
3541 | | * In the subsequent code there are two paths that read from buf: |
3542 | | * * the length of the signature algorithms field (if minor version of |
3543 | | * SSL is 3), |
3544 | | * * distinguished name length otherwise. |
3545 | | * Both reach at most the index: |
3546 | | * ...hdr_len + 2 + n, |
3547 | | * therefore the buffer length at this point must be greater than that |
3548 | | * regardless of the actual code path. |
3549 | | */ |
3550 | 0 | if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) |
3551 | 0 | { |
3552 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); |
3553 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3554 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
3555 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); |
3556 | 0 | } |
3557 | | |
3558 | | /* supported_signature_algorithms */ |
3559 | 0 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
3560 | 0 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
3561 | 0 | { |
3562 | 0 | size_t sig_alg_len = |
3563 | 0 | ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) |
3564 | 0 | | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); |
3565 | | #if defined(MBEDTLS_DEBUG_C) |
3566 | | unsigned char* sig_alg; |
3567 | | size_t i; |
3568 | | #endif |
3569 | | |
3570 | | /* |
3571 | | * The furthest access in buf is in the loop few lines below: |
3572 | | * sig_alg[i + 1], |
3573 | | * where: |
3574 | | * sig_alg = buf + ...hdr_len + 3 + n, |
3575 | | * max(i) = sig_alg_len - 1. |
3576 | | * Therefore the furthest access is: |
3577 | | * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1], |
3578 | | * which reduces to: |
3579 | | * buf[...hdr_len + 3 + n + sig_alg_len], |
3580 | | * which is one less than we need the buf to be. |
3581 | | */ |
3582 | 0 | if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) |
3583 | 0 | + 3 + n + sig_alg_len ) |
3584 | 0 | { |
3585 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); |
3586 | 0 | mbedtls_ssl_send_alert_message( |
3587 | 0 | ssl, |
3588 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3589 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
3590 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); |
3591 | 0 | } |
3592 | | |
3593 | | #if defined(MBEDTLS_DEBUG_C) |
3594 | | sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; |
3595 | | for( i = 0; i < sig_alg_len; i += 2 ) |
3596 | | { |
3597 | | MBEDTLS_SSL_DEBUG_MSG( 3, |
3598 | | ( "Supported Signature Algorithm found: %d,%d", |
3599 | | sig_alg[i], sig_alg[i + 1] ) ); |
3600 | | } |
3601 | | #endif |
3602 | | |
3603 | 0 | n += 2 + sig_alg_len; |
3604 | 0 | } |
3605 | 0 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
3606 | | |
3607 | | /* certificate_authorities */ |
3608 | 0 | dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) |
3609 | 0 | | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); |
3610 | |
|
3611 | 0 | n += dn_len; |
3612 | 0 | if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) |
3613 | 0 | { |
3614 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); |
3615 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3616 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
3617 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); |
3618 | 0 | } |
3619 | | |
3620 | 0 | exit: |
3621 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); |
3622 | |
|
3623 | 0 | return( 0 ); |
3624 | 0 | } |
3625 | | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
3626 | | |
3627 | | static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) |
3628 | 0 | { |
3629 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3630 | |
|
3631 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); |
3632 | |
|
3633 | 0 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
3634 | 0 | { |
3635 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
3636 | 0 | return( ret ); |
3637 | 0 | } |
3638 | | |
3639 | 0 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) |
3640 | 0 | { |
3641 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); |
3642 | 0 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
3643 | 0 | } |
3644 | | |
3645 | 0 | if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || |
3646 | 0 | ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) |
3647 | 0 | { |
3648 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); |
3649 | 0 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3650 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
3651 | 0 | return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); |
3652 | 0 | } |
3653 | | |
3654 | 0 | ssl->state++; |
3655 | |
|
3656 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
3657 | 0 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
3658 | 0 | mbedtls_ssl_recv_flight_completed( ssl ); |
3659 | 0 | #endif |
3660 | |
|
3661 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); |
3662 | |
|
3663 | 0 | return( 0 ); |
3664 | 0 | } |
3665 | | |
3666 | | static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) |
3667 | 0 | { |
3668 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3669 | |
|
3670 | 0 | size_t header_len; |
3671 | 0 | size_t content_len; |
3672 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
3673 | 0 | ssl->handshake->ciphersuite_info; |
3674 | |
|
3675 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); |
3676 | |
|
3677 | | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) |
3678 | | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) |
3679 | | { |
3680 | | /* |
3681 | | * DHM key exchange -- send G^X mod P |
3682 | | */ |
3683 | | content_len = ssl->handshake->dhm_ctx.len; |
3684 | | |
3685 | | MBEDTLS_PUT_UINT16_BE( content_len, ssl->out_msg, 4 ); |
3686 | | header_len = 6; |
3687 | | |
3688 | | ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, |
3689 | | (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), |
3690 | | &ssl->out_msg[header_len], content_len, |
3691 | | ssl->conf->f_rng, ssl->conf->p_rng ); |
3692 | | if( ret != 0 ) |
3693 | | { |
3694 | | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); |
3695 | | return( ret ); |
3696 | | } |
3697 | | |
3698 | | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); |
3699 | | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); |
3700 | | |
3701 | | if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, |
3702 | | ssl->handshake->premaster, |
3703 | | MBEDTLS_PREMASTER_SIZE, |
3704 | | &ssl->handshake->pmslen, |
3705 | | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
3706 | | { |
3707 | | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); |
3708 | | return( ret ); |
3709 | | } |
3710 | | |
3711 | | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); |
3712 | | } |
3713 | | else |
3714 | | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ |
3715 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
3716 | | ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
3717 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ) |
3718 | | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
3719 | | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) |
3720 | | { |
3721 | | psa_status_t status; |
3722 | | psa_key_attributes_t key_attributes; |
3723 | | |
3724 | | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
3725 | | |
3726 | | unsigned char own_pubkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; |
3727 | | size_t own_pubkey_len; |
3728 | | unsigned char *own_pubkey_ecpoint; |
3729 | | size_t own_pubkey_ecpoint_len; |
3730 | | |
3731 | | header_len = 4; |
3732 | | |
3733 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) ); |
3734 | | |
3735 | | /* |
3736 | | * Generate EC private key for ECDHE exchange. |
3737 | | */ |
3738 | | |
3739 | | /* The master secret is obtained from the shared ECDH secret by |
3740 | | * applying the TLS 1.2 PRF with a specific salt and label. While |
3741 | | * the PSA Crypto API encourages combining key agreement schemes |
3742 | | * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not |
3743 | | * yet support the provisioning of salt + label to the KDF. |
3744 | | * For the time being, we therefore need to split the computation |
3745 | | * of the ECDH secret and the application of the TLS 1.2 PRF. */ |
3746 | | key_attributes = psa_key_attributes_init(); |
3747 | | psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); |
3748 | | psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH ); |
3749 | | psa_set_key_type( &key_attributes, handshake->ecdh_psa_type ); |
3750 | | psa_set_key_bits( &key_attributes, handshake->ecdh_bits ); |
3751 | | |
3752 | | /* Generate ECDH private key. */ |
3753 | | status = psa_generate_key( &key_attributes, |
3754 | | &handshake->ecdh_psa_privkey ); |
3755 | | if( status != PSA_SUCCESS ) |
3756 | | return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); |
3757 | | |
3758 | | /* Export the public part of the ECDH private key from PSA |
3759 | | * and convert it to ECPoint format used in ClientKeyExchange. */ |
3760 | | status = psa_export_public_key( handshake->ecdh_psa_privkey, |
3761 | | own_pubkey, sizeof( own_pubkey ), |
3762 | | &own_pubkey_len ); |
3763 | | if( status != PSA_SUCCESS ) |
3764 | | return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); |
3765 | | |
3766 | | if( mbedtls_psa_tls_psa_ec_to_ecpoint( own_pubkey, |
3767 | | own_pubkey_len, |
3768 | | &own_pubkey_ecpoint, |
3769 | | &own_pubkey_ecpoint_len ) != 0 ) |
3770 | | { |
3771 | | return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); |
3772 | | } |
3773 | | |
3774 | | /* Copy ECPoint structure to outgoing message buffer. */ |
3775 | | ssl->out_msg[header_len] = (unsigned char) own_pubkey_ecpoint_len; |
3776 | | memcpy( ssl->out_msg + header_len + 1, |
3777 | | own_pubkey_ecpoint, own_pubkey_ecpoint_len ); |
3778 | | content_len = own_pubkey_ecpoint_len + 1; |
3779 | | |
3780 | | /* The ECDH secret is the premaster secret used for key derivation. */ |
3781 | | |
3782 | | /* Compute ECDH shared secret. */ |
3783 | | status = psa_raw_key_agreement( PSA_ALG_ECDH, |
3784 | | handshake->ecdh_psa_privkey, |
3785 | | handshake->ecdh_psa_peerkey, |
3786 | | handshake->ecdh_psa_peerkey_len, |
3787 | | ssl->handshake->premaster, |
3788 | | sizeof( ssl->handshake->premaster ), |
3789 | | &ssl->handshake->pmslen ); |
3790 | | if( status != PSA_SUCCESS ) |
3791 | | return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); |
3792 | | |
3793 | | status = psa_destroy_key( handshake->ecdh_psa_privkey ); |
3794 | | if( status != PSA_SUCCESS ) |
3795 | | return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); |
3796 | | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
3797 | | } |
3798 | | else |
3799 | | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
3800 | | ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
3801 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ |
3802 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
3803 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
3804 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
3805 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
3806 | 0 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
3807 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
3808 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
3809 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) |
3810 | 0 | { |
3811 | | /* |
3812 | | * ECDH key exchange -- send client public value |
3813 | | */ |
3814 | 0 | header_len = 4; |
3815 | |
|
3816 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3817 | | if( ssl->handshake->ecrs_enabled ) |
3818 | | { |
3819 | | if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret ) |
3820 | | goto ecdh_calc_secret; |
3821 | | |
3822 | | mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx ); |
3823 | | } |
3824 | | #endif |
3825 | |
|
3826 | 0 | ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, |
3827 | 0 | &content_len, |
3828 | 0 | &ssl->out_msg[header_len], 1000, |
3829 | 0 | ssl->conf->f_rng, ssl->conf->p_rng ); |
3830 | 0 | if( ret != 0 ) |
3831 | 0 | { |
3832 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); |
3833 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3834 | | if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) |
3835 | | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
3836 | | #endif |
3837 | 0 | return( ret ); |
3838 | 0 | } |
3839 | | |
3840 | 0 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
3841 | 0 | MBEDTLS_DEBUG_ECDH_Q ); |
3842 | |
|
3843 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3844 | | if( ssl->handshake->ecrs_enabled ) |
3845 | | { |
3846 | | ssl->handshake->ecrs_n = content_len; |
3847 | | ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret; |
3848 | | } |
3849 | | |
3850 | | ecdh_calc_secret: |
3851 | | if( ssl->handshake->ecrs_enabled ) |
3852 | | content_len = ssl->handshake->ecrs_n; |
3853 | | #endif |
3854 | 0 | if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, |
3855 | 0 | &ssl->handshake->pmslen, |
3856 | 0 | ssl->handshake->premaster, |
3857 | 0 | MBEDTLS_MPI_MAX_SIZE, |
3858 | 0 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
3859 | 0 | { |
3860 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); |
3861 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3862 | | if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) |
3863 | | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
3864 | | #endif |
3865 | 0 | return( ret ); |
3866 | 0 | } |
3867 | | |
3868 | 0 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
3869 | 0 | MBEDTLS_DEBUG_ECDH_Z ); |
3870 | 0 | } |
3871 | 0 | else |
3872 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
3873 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
3874 | | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
3875 | | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
3876 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
3877 | 0 | if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) |
3878 | 0 | { |
3879 | | /* |
3880 | | * opaque psk_identity<0..2^16-1>; |
3881 | | */ |
3882 | 0 | if( ssl_conf_has_static_psk( ssl->conf ) == 0 ) |
3883 | 0 | { |
3884 | | /* We don't offer PSK suites if we don't have a PSK, |
3885 | | * and we check that the server's choice is among the |
3886 | | * ciphersuites we offered, so this should never happen. */ |
3887 | 0 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
3888 | 0 | } |
3889 | | |
3890 | 0 | header_len = 4; |
3891 | 0 | content_len = ssl->conf->psk_identity_len; |
3892 | |
|
3893 | 0 | if( header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN ) |
3894 | 0 | { |
3895 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, |
3896 | 0 | ( "psk identity too long or SSL buffer too short" ) ); |
3897 | 0 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
3898 | 0 | } |
3899 | | |
3900 | 0 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_1( content_len ); |
3901 | 0 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_0( content_len ); |
3902 | |
|
3903 | 0 | memcpy( ssl->out_msg + header_len, |
3904 | 0 | ssl->conf->psk_identity, |
3905 | 0 | ssl->conf->psk_identity_len ); |
3906 | 0 | header_len += ssl->conf->psk_identity_len; |
3907 | |
|
3908 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
3909 | 0 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) |
3910 | 0 | { |
3911 | 0 | content_len = 0; |
3912 | 0 | } |
3913 | 0 | else |
3914 | 0 | #endif |
3915 | | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
3916 | | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) |
3917 | | { |
3918 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
3919 | | /* Opaque PSKs are currently only supported for PSK-only suites. */ |
3920 | | if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) |
3921 | | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
3922 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
3923 | | |
3924 | | if( ( ret = ssl_write_encrypted_pms( ssl, header_len, |
3925 | | &content_len, 2 ) ) != 0 ) |
3926 | | return( ret ); |
3927 | | } |
3928 | | else |
3929 | | #endif |
3930 | | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
3931 | | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) |
3932 | | { |
3933 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
3934 | | /* Opaque PSKs are currently only supported for PSK-only suites. */ |
3935 | | if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) |
3936 | | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
3937 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
3938 | | |
3939 | | /* |
3940 | | * ClientDiffieHellmanPublic public (DHM send G^X mod P) |
3941 | | */ |
3942 | | content_len = ssl->handshake->dhm_ctx.len; |
3943 | | |
3944 | | if( header_len + 2 + content_len > |
3945 | | MBEDTLS_SSL_OUT_CONTENT_LEN ) |
3946 | | { |
3947 | | MBEDTLS_SSL_DEBUG_MSG( 1, |
3948 | | ( "psk identity or DHM size too long or SSL buffer too short" ) ); |
3949 | | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); |
3950 | | } |
3951 | | |
3952 | | ssl->out_msg[header_len++] = MBEDTLS_BYTE_1( content_len ); |
3953 | | ssl->out_msg[header_len++] = MBEDTLS_BYTE_0( content_len ); |
3954 | | |
3955 | | ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, |
3956 | | (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), |
3957 | | &ssl->out_msg[header_len], content_len, |
3958 | | ssl->conf->f_rng, ssl->conf->p_rng ); |
3959 | | if( ret != 0 ) |
3960 | | { |
3961 | | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); |
3962 | | return( ret ); |
3963 | | } |
3964 | | } |
3965 | | else |
3966 | | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
3967 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
3968 | | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) |
3969 | | { |
3970 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
3971 | | /* Opaque PSKs are currently only supported for PSK-only suites. */ |
3972 | | if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) |
3973 | | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
3974 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
3975 | | |
3976 | | /* |
3977 | | * ClientECDiffieHellmanPublic public; |
3978 | | */ |
3979 | | ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, |
3980 | | &content_len, |
3981 | | &ssl->out_msg[header_len], |
3982 | | MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, |
3983 | | ssl->conf->f_rng, ssl->conf->p_rng ); |
3984 | | if( ret != 0 ) |
3985 | | { |
3986 | | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); |
3987 | | return( ret ); |
3988 | | } |
3989 | | |
3990 | | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
3991 | | MBEDTLS_DEBUG_ECDH_Q ); |
3992 | | } |
3993 | | else |
3994 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
3995 | 0 | { |
3996 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
3997 | 0 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
3998 | 0 | } |
3999 | | |
4000 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
4001 | | defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
4002 | | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK && |
4003 | | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && |
4004 | | ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) |
4005 | | { |
4006 | | MBEDTLS_SSL_DEBUG_MSG( 1, |
4007 | | ( "skip PMS generation for opaque PSK" ) ); |
4008 | | } |
4009 | | else |
4010 | | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
4011 | | MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ |
4012 | 0 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
4013 | 0 | ciphersuite_info->key_exchange ) ) != 0 ) |
4014 | 0 | { |
4015 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, |
4016 | 0 | "mbedtls_ssl_psk_derive_premaster", ret ); |
4017 | 0 | return( ret ); |
4018 | 0 | } |
4019 | 0 | } |
4020 | 0 | else |
4021 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
4022 | | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
4023 | | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) |
4024 | | { |
4025 | | header_len = 4; |
4026 | | if( ( ret = ssl_write_encrypted_pms( ssl, header_len, |
4027 | | &content_len, 0 ) ) != 0 ) |
4028 | | return( ret ); |
4029 | | } |
4030 | | else |
4031 | | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
4032 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
4033 | 0 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
4034 | 0 | { |
4035 | 0 | header_len = 4; |
4036 | |
|
4037 | 0 | ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, |
4038 | 0 | ssl->out_msg + header_len, |
4039 | 0 | MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, |
4040 | 0 | &content_len, |
4041 | 0 | ssl->conf->f_rng, ssl->conf->p_rng ); |
4042 | 0 | if( ret != 0 ) |
4043 | 0 | { |
4044 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); |
4045 | 0 | return( ret ); |
4046 | 0 | } |
4047 | | |
4048 | 0 | ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, |
4049 | 0 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen, |
4050 | 0 | ssl->conf->f_rng, ssl->conf->p_rng ); |
4051 | 0 | if( ret != 0 ) |
4052 | 0 | { |
4053 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); |
4054 | 0 | return( ret ); |
4055 | 0 | } |
4056 | 0 | } |
4057 | 0 | else |
4058 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
4059 | 0 | { |
4060 | 0 | ((void) ciphersuite_info); |
4061 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
4062 | 0 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
4063 | 0 | } |
4064 | | |
4065 | 0 | ssl->out_msglen = header_len + content_len; |
4066 | 0 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
4067 | 0 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; |
4068 | |
|
4069 | 0 | ssl->state++; |
4070 | |
|
4071 | 0 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
4072 | 0 | { |
4073 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
4074 | 0 | return( ret ); |
4075 | 0 | } |
4076 | | |
4077 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); |
4078 | |
|
4079 | 0 | return( 0 ); |
4080 | 0 | } |
4081 | | |
4082 | | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
4083 | | static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) |
4084 | | { |
4085 | | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
4086 | | ssl->handshake->ciphersuite_info; |
4087 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
4088 | | |
4089 | | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); |
4090 | | |
4091 | | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) |
4092 | | { |
4093 | | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); |
4094 | | return( ret ); |
4095 | | } |
4096 | | |
4097 | | if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) |
4098 | | { |
4099 | | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); |
4100 | | ssl->state++; |
4101 | | return( 0 ); |
4102 | | } |
4103 | | |
4104 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
4105 | | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
4106 | | } |
4107 | | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
4108 | | static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) |
4109 | 0 | { |
4110 | 0 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
4111 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
4112 | 0 | ssl->handshake->ciphersuite_info; |
4113 | 0 | size_t n = 0, offset = 0; |
4114 | 0 | unsigned char hash[48]; |
4115 | 0 | unsigned char *hash_start = hash; |
4116 | 0 | mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; |
4117 | 0 | size_t hashlen; |
4118 | 0 | void *rs_ctx = NULL; |
4119 | |
|
4120 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); |
4121 | |
|
4122 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
4123 | | if( ssl->handshake->ecrs_enabled && |
4124 | | ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign ) |
4125 | | { |
4126 | | goto sign; |
4127 | | } |
4128 | | #endif |
4129 | |
|
4130 | 0 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) |
4131 | 0 | { |
4132 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); |
4133 | 0 | return( ret ); |
4134 | 0 | } |
4135 | | |
4136 | 0 | if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) |
4137 | 0 | { |
4138 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); |
4139 | 0 | ssl->state++; |
4140 | 0 | return( 0 ); |
4141 | 0 | } |
4142 | | |
4143 | 0 | if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) |
4144 | 0 | { |
4145 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); |
4146 | 0 | ssl->state++; |
4147 | 0 | return( 0 ); |
4148 | 0 | } |
4149 | | |
4150 | 0 | if( mbedtls_ssl_own_key( ssl ) == NULL ) |
4151 | 0 | { |
4152 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); |
4153 | 0 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
4154 | 0 | } |
4155 | | |
4156 | | /* |
4157 | | * Make a signature of the handshake digests |
4158 | | */ |
4159 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
4160 | | if( ssl->handshake->ecrs_enabled ) |
4161 | | ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign; |
4162 | | |
4163 | | sign: |
4164 | | #endif |
4165 | | |
4166 | 0 | ssl->handshake->calc_verify( ssl, hash, &hashlen ); |
4167 | |
|
4168 | | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
4169 | | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
4170 | | if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) |
4171 | | { |
4172 | | /* |
4173 | | * digitally-signed struct { |
4174 | | * opaque md5_hash[16]; |
4175 | | * opaque sha_hash[20]; |
4176 | | * }; |
4177 | | * |
4178 | | * md5_hash |
4179 | | * MD5(handshake_messages); |
4180 | | * |
4181 | | * sha_hash |
4182 | | * SHA(handshake_messages); |
4183 | | */ |
4184 | | md_alg = MBEDTLS_MD_NONE; |
4185 | | |
4186 | | /* |
4187 | | * For ECDSA, default hash is SHA-1 only |
4188 | | */ |
4189 | | if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) |
4190 | | { |
4191 | | hash_start += 16; |
4192 | | hashlen -= 16; |
4193 | | md_alg = MBEDTLS_MD_SHA1; |
4194 | | } |
4195 | | } |
4196 | | else |
4197 | | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ |
4198 | | MBEDTLS_SSL_PROTO_TLS1_1 */ |
4199 | 0 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
4200 | 0 | if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) |
4201 | 0 | { |
4202 | | /* |
4203 | | * digitally-signed struct { |
4204 | | * opaque handshake_messages[handshake_messages_length]; |
4205 | | * }; |
4206 | | * |
4207 | | * Taking shortcut here. We assume that the server always allows the |
4208 | | * PRF Hash function and has sent it in the allowed signature |
4209 | | * algorithms list received in the Certificate Request message. |
4210 | | * |
4211 | | * Until we encounter a server that does not, we will take this |
4212 | | * shortcut. |
4213 | | * |
4214 | | * Reason: Otherwise we should have running hashes for SHA512 and |
4215 | | * SHA224 in order to satisfy 'weird' needs from the server |
4216 | | * side. |
4217 | | */ |
4218 | 0 | if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) |
4219 | 0 | { |
4220 | 0 | md_alg = MBEDTLS_MD_SHA384; |
4221 | 0 | ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; |
4222 | 0 | } |
4223 | 0 | else |
4224 | 0 | { |
4225 | 0 | md_alg = MBEDTLS_MD_SHA256; |
4226 | 0 | ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; |
4227 | 0 | } |
4228 | 0 | ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); |
4229 | | |
4230 | | /* Info from md_alg will be used instead */ |
4231 | 0 | hashlen = 0; |
4232 | 0 | offset = 2; |
4233 | 0 | } |
4234 | 0 | else |
4235 | 0 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
4236 | 0 | { |
4237 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
4238 | 0 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
4239 | 0 | } |
4240 | | |
4241 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
4242 | | if( ssl->handshake->ecrs_enabled ) |
4243 | | rs_ctx = &ssl->handshake->ecrs_ctx.pk; |
4244 | | #endif |
4245 | | |
4246 | 0 | if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ), |
4247 | 0 | md_alg, hash_start, hashlen, |
4248 | 0 | ssl->out_msg + 6 + offset, &n, |
4249 | 0 | ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 ) |
4250 | 0 | { |
4251 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); |
4252 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
4253 | | if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) |
4254 | | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
4255 | | #endif |
4256 | 0 | return( ret ); |
4257 | 0 | } |
4258 | | |
4259 | 0 | MBEDTLS_PUT_UINT16_BE( n, ssl->out_msg, offset + 4 ); |
4260 | |
|
4261 | 0 | ssl->out_msglen = 6 + n + offset; |
4262 | 0 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
4263 | 0 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; |
4264 | |
|
4265 | 0 | ssl->state++; |
4266 | |
|
4267 | 0 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
4268 | 0 | { |
4269 | 0 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
4270 | 0 | return( ret ); |
4271 | 0 | } |
4272 | | |
4273 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); |
4274 | |
|
4275 | 0 | return( ret ); |
4276 | 0 | } |
4277 | | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
4278 | | |
4279 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
4280 | | static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) |
4281 | | { |
4282 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
4283 | | uint32_t lifetime; |
4284 | | size_t ticket_len; |
4285 | | unsigned char *ticket; |
4286 | | const unsigned char *msg; |
4287 | | |
4288 | | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); |
4289 | | |
4290 | | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
4291 | | { |
4292 | | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
4293 | | return( ret ); |
4294 | | } |
4295 | | |
4296 | | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) |
4297 | | { |
4298 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); |
4299 | | mbedtls_ssl_send_alert_message( |
4300 | | ssl, |
4301 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
4302 | | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); |
4303 | | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
4304 | | } |
4305 | | |
4306 | | /* |
4307 | | * struct { |
4308 | | * uint32 ticket_lifetime_hint; |
4309 | | * opaque ticket<0..2^16-1>; |
4310 | | * } NewSessionTicket; |
4311 | | * |
4312 | | * 0 . 3 ticket_lifetime_hint |
4313 | | * 4 . 5 ticket_len (n) |
4314 | | * 6 . 5+n ticket content |
4315 | | */ |
4316 | | if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || |
4317 | | ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) |
4318 | | { |
4319 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); |
4320 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
4321 | | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
4322 | | return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); |
4323 | | } |
4324 | | |
4325 | | msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); |
4326 | | |
4327 | | lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) | |
4328 | | ( msg[2] << 8 ) | ( msg[3] ); |
4329 | | |
4330 | | ticket_len = ( msg[4] << 8 ) | ( msg[5] ); |
4331 | | |
4332 | | if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) |
4333 | | { |
4334 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); |
4335 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
4336 | | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
4337 | | return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); |
4338 | | } |
4339 | | |
4340 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len ) ); |
4341 | | |
4342 | | /* We're not waiting for a NewSessionTicket message any more */ |
4343 | | ssl->handshake->new_session_ticket = 0; |
4344 | | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
4345 | | |
4346 | | /* |
4347 | | * Zero-length ticket means the server changed his mind and doesn't want |
4348 | | * to send a ticket after all, so just forget it |
4349 | | */ |
4350 | | if( ticket_len == 0 ) |
4351 | | return( 0 ); |
4352 | | |
4353 | | if( ssl->session != NULL && ssl->session->ticket != NULL ) |
4354 | | { |
4355 | | mbedtls_platform_zeroize( ssl->session->ticket, |
4356 | | ssl->session->ticket_len ); |
4357 | | mbedtls_free( ssl->session->ticket ); |
4358 | | ssl->session->ticket = NULL; |
4359 | | ssl->session->ticket_len = 0; |
4360 | | } |
4361 | | |
4362 | | mbedtls_platform_zeroize( ssl->session_negotiate->ticket, |
4363 | | ssl->session_negotiate->ticket_len ); |
4364 | | mbedtls_free( ssl->session_negotiate->ticket ); |
4365 | | ssl->session_negotiate->ticket = NULL; |
4366 | | ssl->session_negotiate->ticket_len = 0; |
4367 | | |
4368 | | if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) |
4369 | | { |
4370 | | MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); |
4371 | | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
4372 | | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); |
4373 | | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
4374 | | } |
4375 | | |
4376 | | memcpy( ticket, msg + 6, ticket_len ); |
4377 | | |
4378 | | ssl->session_negotiate->ticket = ticket; |
4379 | | ssl->session_negotiate->ticket_len = ticket_len; |
4380 | | ssl->session_negotiate->ticket_lifetime = lifetime; |
4381 | | |
4382 | | /* |
4383 | | * RFC 5077 section 3.4: |
4384 | | * "If the client receives a session ticket from the server, then it |
4385 | | * discards any Session ID that was sent in the ServerHello." |
4386 | | */ |
4387 | | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); |
4388 | | ssl->session_negotiate->id_len = 0; |
4389 | | |
4390 | | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); |
4391 | | |
4392 | | return( 0 ); |
4393 | | } |
4394 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
4395 | | |
4396 | | /* |
4397 | | * SSL handshake -- client side -- single step |
4398 | | */ |
4399 | | int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) |
4400 | 0 | { |
4401 | 0 | int ret = 0; |
4402 | |
|
4403 | 0 | if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) |
4404 | 0 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
4405 | | |
4406 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); |
4407 | |
|
4408 | 0 | if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) |
4409 | 0 | return( ret ); |
4410 | | |
4411 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
4412 | 0 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
4413 | 0 | ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) |
4414 | 0 | { |
4415 | 0 | if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) |
4416 | 0 | return( ret ); |
4417 | 0 | } |
4418 | 0 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
4419 | | |
4420 | | /* Change state now, so that it is right in mbedtls_ssl_read_record(), used |
4421 | | * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ |
4422 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
4423 | | if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && |
4424 | | ssl->handshake->new_session_ticket != 0 ) |
4425 | | { |
4426 | | ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; |
4427 | | } |
4428 | | #endif |
4429 | | |
4430 | 0 | switch( ssl->state ) |
4431 | 0 | { |
4432 | 0 | case MBEDTLS_SSL_HELLO_REQUEST: |
4433 | 0 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
4434 | 0 | break; |
4435 | | |
4436 | | /* |
4437 | | * ==> ClientHello |
4438 | | */ |
4439 | 0 | case MBEDTLS_SSL_CLIENT_HELLO: |
4440 | 0 | ret = ssl_write_client_hello( ssl ); |
4441 | 0 | break; |
4442 | | |
4443 | | /* |
4444 | | * <== ServerHello |
4445 | | * Certificate |
4446 | | * ( ServerKeyExchange ) |
4447 | | * ( CertificateRequest ) |
4448 | | * ServerHelloDone |
4449 | | */ |
4450 | 0 | case MBEDTLS_SSL_SERVER_HELLO: |
4451 | 0 | ret = ssl_parse_server_hello( ssl ); |
4452 | 0 | break; |
4453 | | |
4454 | 0 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
4455 | 0 | ret = mbedtls_ssl_parse_certificate( ssl ); |
4456 | 0 | break; |
4457 | | |
4458 | 0 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: |
4459 | 0 | ret = ssl_parse_server_key_exchange( ssl ); |
4460 | 0 | break; |
4461 | | |
4462 | 0 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
4463 | 0 | ret = ssl_parse_certificate_request( ssl ); |
4464 | 0 | break; |
4465 | | |
4466 | 0 | case MBEDTLS_SSL_SERVER_HELLO_DONE: |
4467 | 0 | ret = ssl_parse_server_hello_done( ssl ); |
4468 | 0 | break; |
4469 | | |
4470 | | /* |
4471 | | * ==> ( Certificate/Alert ) |
4472 | | * ClientKeyExchange |
4473 | | * ( CertificateVerify ) |
4474 | | * ChangeCipherSpec |
4475 | | * Finished |
4476 | | */ |
4477 | 0 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
4478 | 0 | ret = mbedtls_ssl_write_certificate( ssl ); |
4479 | 0 | break; |
4480 | | |
4481 | 0 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: |
4482 | 0 | ret = ssl_write_client_key_exchange( ssl ); |
4483 | 0 | break; |
4484 | | |
4485 | 0 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
4486 | 0 | ret = ssl_write_certificate_verify( ssl ); |
4487 | 0 | break; |
4488 | | |
4489 | 0 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: |
4490 | 0 | ret = mbedtls_ssl_write_change_cipher_spec( ssl ); |
4491 | 0 | break; |
4492 | | |
4493 | 0 | case MBEDTLS_SSL_CLIENT_FINISHED: |
4494 | 0 | ret = mbedtls_ssl_write_finished( ssl ); |
4495 | 0 | break; |
4496 | | |
4497 | | /* |
4498 | | * <== ( NewSessionTicket ) |
4499 | | * ChangeCipherSpec |
4500 | | * Finished |
4501 | | */ |
4502 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
4503 | | case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: |
4504 | | ret = ssl_parse_new_session_ticket( ssl ); |
4505 | | break; |
4506 | | #endif |
4507 | | |
4508 | 0 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: |
4509 | 0 | ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); |
4510 | 0 | break; |
4511 | | |
4512 | 0 | case MBEDTLS_SSL_SERVER_FINISHED: |
4513 | 0 | ret = mbedtls_ssl_parse_finished( ssl ); |
4514 | 0 | break; |
4515 | | |
4516 | 0 | case MBEDTLS_SSL_FLUSH_BUFFERS: |
4517 | 0 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); |
4518 | 0 | ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; |
4519 | 0 | break; |
4520 | | |
4521 | 0 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
4522 | 0 | mbedtls_ssl_handshake_wrapup( ssl ); |
4523 | 0 | break; |
4524 | | |
4525 | 0 | default: |
4526 | 0 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); |
4527 | 0 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
4528 | 0 | } |
4529 | | |
4530 | 0 | return( ret ); |
4531 | 0 | } |
4532 | | #endif /* MBEDTLS_SSL_CLI_C */ |