2012-09-25 11:05:17 +02:00
/*
* SSL client with options
*
2015-07-27 11:11:48 +02:00
* Copyright ( C ) 2006 - 2015 , ARM Limited , All Rights Reserved
2015-09-04 14:21:07 +02:00
* SPDX - License - Identifier : Apache - 2.0
2012-09-25 11:05:17 +02:00
*
2015-09-04 14:21:07 +02:00
* Licensed under the Apache License , Version 2.0 ( the " License " ) ; you may
* not use this file except in compliance with the License .
* You may obtain a copy of the License at
2012-09-25 11:05:17 +02:00
*
2015-09-04 14:21:07 +02:00
* http : //www.apache.org/licenses/LICENSE-2.0
2012-09-25 11:05:17 +02:00
*
2015-09-04 14:21:07 +02:00
* Unless required by applicable law or agreed to in writing , software
* distributed under the License is distributed on an " AS IS " BASIS , WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND , either express or implied .
* See the License for the specific language governing permissions and
* limitations under the License .
2012-09-25 11:05:17 +02:00
*
2015-09-04 14:21:07 +02:00
* This file is part of mbed TLS ( https : //tls.mbed.org)
2012-09-25 11:05:17 +02:00
*/
2015-04-08 12:49:31 +02:00
# if !defined(MBEDTLS_CONFIG_FILE)
2015-03-09 18:05:11 +01:00
# include "mbedtls/config.h"
2014-04-29 12:39:06 +02:00
# else
2015-04-08 12:49:31 +02:00
# include MBEDTLS_CONFIG_FILE
2014-04-29 12:39:06 +02:00
# endif
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_PLATFORM_C)
2015-03-09 18:05:11 +01:00
# include "mbedtls/platform.h"
2015-01-19 15:26:37 +01:00
# else
2015-02-11 15:06:19 +01:00
# include <stdio.h>
2016-04-27 02:26:50 +02:00
# include <stdlib.h>
2019-03-30 07:27:43 +01:00
# define mbedtls_calloc calloc
2015-04-08 12:49:31 +02:00
# define mbedtls_free free
2016-04-27 02:26:50 +02:00
# define mbedtls_time time
# define mbedtls_time_t time_t
2015-05-26 16:04:06 +02:00
# define mbedtls_calloc calloc
2015-04-08 12:49:31 +02:00
# define mbedtls_fprintf fprintf
# define mbedtls_printf printf
2019-01-31 14:20:20 +01:00
# define mbedtls_exit exit
# define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
# define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
2015-01-19 15:26:37 +01:00
# endif
2015-05-13 10:04:32 +02:00
# if !defined(MBEDTLS_ENTROPY_C) || \
! defined ( MBEDTLS_SSL_TLS_C ) | | ! defined ( MBEDTLS_SSL_SRV_C ) | | \
2015-05-13 13:58:56 +02:00
! defined ( MBEDTLS_NET_C ) | | ! defined ( MBEDTLS_CTR_DRBG_C )
2015-05-13 10:04:32 +02:00
int main ( void )
{
mbedtls_printf ( " MBEDTLS_ENTROPY_C and/or "
" MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
2015-05-13 13:58:56 +02:00
" MBEDTLS_NET_C and/or MBEDTLS_CTR_DRBG_C and/or not defined. \n " ) ;
2015-05-13 10:04:32 +02:00
return ( 0 ) ;
}
# else
2012-09-25 11:05:17 +02:00
2016-09-14 15:32:09 +02:00
# include "mbedtls/net_sockets.h"
2015-03-09 18:05:11 +01:00
# include "mbedtls/ssl.h"
# include "mbedtls/entropy.h"
# include "mbedtls/ctr_drbg.h"
# include "mbedtls/certs.h"
# include "mbedtls/x509.h"
# include "mbedtls/error.h"
# include "mbedtls/debug.h"
2015-05-26 12:19:45 +02:00
# include "mbedtls/timing.h"
2012-09-25 11:05:17 +02:00
2018-11-12 18:47:48 +01:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
# include "psa/crypto.h"
2018-11-15 14:06:09 +01:00
# include "mbedtls/psa_util.h"
2018-11-12 18:47:48 +01:00
# endif
2015-02-11 15:06:19 +01:00
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
2017-01-19 17:30:57 +01:00
# include <stdint.h>
2017-02-08 15:05:57 +01:00
# if !defined(_MSC_VER)
2017-01-19 17:30:57 +01:00
# include <inttypes.h>
2017-02-08 15:05:57 +01:00
# endif
2015-02-11 15:06:19 +01:00
# if !defined(_WIN32)
# include <signal.h>
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_CACHE_C)
2015-03-09 18:05:11 +01:00
# include "mbedtls/ssl_cache.h"
2012-09-25 23:55:46 +02:00
# endif
2015-05-19 15:28:00 +02:00
# if defined(MBEDTLS_SSL_TICKET_C)
# include "mbedtls/ssl_ticket.h"
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_COOKIE_C)
2015-03-09 18:05:11 +01:00
# include "mbedtls/ssl_cookie.h"
2014-07-23 16:56:27 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
2015-03-09 18:05:11 +01:00
# include "mbedtls/memory_buffer_alloc.h"
2013-07-04 11:52:32 +02:00
# endif
2015-05-13 10:04:32 +02:00
# if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_FS_IO)
# define SNI_OPTION
# endif
# if defined(_WIN32)
# include <windows.h>
# endif
2018-07-23 15:26:09 +02:00
/* Size of memory to be allocated for the heap, when using the library's memory
* management and MBEDTLS_MEMORY_BUFFER_ALLOC_C is enabled . */
# define MEMORY_HEAP_SIZE 120000
2013-12-13 16:21:41 +01:00
# define DFL_SERVER_ADDR NULL
2015-06-23 12:30:57 +02:00
# define DFL_SERVER_PORT "4433"
2017-10-12 13:50:29 +02:00
# define DFL_RESPONSE_SIZE -1
2012-09-25 11:05:17 +02:00
# define DFL_DEBUG_LEVEL 0
2014-02-26 13:47:08 +01:00
# define DFL_NBIO 0
2017-10-10 16:56:37 +02:00
# define DFL_EVENT 0
2014-10-01 18:29:03 +02:00
# define DFL_READ_TIMEOUT 0
2012-09-25 11:05:17 +02:00
# define DFL_CA_FILE ""
# define DFL_CA_PATH ""
# define DFL_CRT_FILE ""
# define DFL_KEY_FILE ""
2013-09-23 17:00:18 +02:00
# define DFL_CRT_FILE2 ""
# define DFL_KEY_FILE2 ""
2018-01-12 13:47:48 +01:00
# define DFL_ASYNC_OPERATIONS "-"
2018-01-05 21:15:57 +01:00
# define DFL_ASYNC_PRIVATE_DELAY1 ( -1 )
# define DFL_ASYNC_PRIVATE_DELAY2 ( -1 )
2018-01-05 21:22:12 +01:00
# define DFL_ASYNC_PRIVATE_ERROR ( 0 )
2013-04-17 19:10:21 +02:00
# define DFL_PSK ""
2018-11-15 14:06:09 +01:00
# define DFL_PSK_OPAQUE 0
# define DFL_PSK_LIST_OPAQUE 0
2013-04-17 19:10:21 +02:00
# define DFL_PSK_IDENTITY "Client_identity"
2015-09-16 11:08:34 +02:00
# define DFL_ECJPAKE_PW NULL
2014-06-10 14:01:52 +02:00
# define DFL_PSK_LIST NULL
2012-09-25 11:05:17 +02:00
# define DFL_FORCE_CIPHER 0
2014-06-11 13:50:34 +02:00
# define DFL_VERSION_SUITES NULL
2015-04-08 12:49:31 +02:00
# define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED
2014-11-03 20:10:36 +01:00
# define DFL_ALLOW_LEGACY -2
2014-02-20 17:19:59 +01:00
# define DFL_RENEGOTIATE 0
2014-07-04 14:32:27 +02:00
# define DFL_RENEGO_DELAY -2
2017-01-19 17:30:57 +01:00
# define DFL_RENEGO_PERIOD ( (uint64_t)-1 )
2014-08-15 11:17:27 +02:00
# define DFL_EXCHANGES 1
2015-03-31 14:21:11 +02:00
# define DFL_MIN_VERSION -1
2013-06-29 16:01:32 +02:00
# define DFL_MAX_VERSION -1
2015-03-20 20:44:04 +01:00
# define DFL_ARC4 -1
2017-05-09 15:59:24 +02:00
# define DFL_SHA1 -1
2015-03-27 17:52:25 +01:00
# define DFL_AUTH_MODE -1
2017-04-10 14:44:33 +02:00
# define DFL_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
2015-04-08 12:49:31 +02:00
# define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
2015-01-09 12:39:35 +01:00
# define DFL_TRUNC_HMAC -1
2015-04-08 12:49:31 +02:00
# define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
2015-05-19 15:28:00 +02:00
# define DFL_TICKET_TIMEOUT 86400
2014-02-20 21:32:41 +01:00
# define DFL_CACHE_MAX -1
2014-02-20 22:50:56 +01:00
# define DFL_CACHE_TIMEOUT -1
2014-02-21 16:52:06 +01:00
# define DFL_SNI NULL
2014-04-05 14:34:07 +02:00
# define DFL_ALPN_STRING NULL
2017-05-15 17:05:15 +02:00
# define DFL_CURVES NULL
2014-06-09 11:29:50 +02:00
# define DFL_DHM_FILE NULL
2015-04-08 12:49:31 +02:00
# define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM
2014-07-23 19:34:59 +02:00
# define DFL_COOKIES 1
2014-09-24 14:41:11 +02:00
# define DFL_ANTI_REPLAY -1
2014-10-01 14:40:56 +02:00
# define DFL_HS_TO_MIN 0
# define DFL_HS_TO_MAX 0
2018-08-12 13:28:53 +02:00
# define DFL_DTLS_MTU -1
2014-10-14 19:36:36 +02:00
# define DFL_BADMAC_LIMIT -1
2018-08-14 14:28:56 +02:00
# define DFL_DGRAM_PACKING 1
2014-10-20 18:40:56 +02:00
# define DFL_EXTENDED_MS -1
2014-10-27 13:57:03 +01:00
# define DFL_ETM -1
2019-03-27 16:55:27 +01:00
# define DFL_CA_CALLBACK 0
2019-05-12 10:03:32 +02:00
# define DFL_EAP_TLS 0
2012-09-25 11:05:17 +02:00
2013-07-18 14:07:36 +02:00
# define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
" 02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah \r \n " \
" 03-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah \r \n " \
" 04-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah \r \n " \
" 05-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah \r \n " \
" 06-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah \r \n " \
" 07-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah</p> \r \n "
2013-07-17 15:34:17 +02:00
2013-07-18 11:05:13 +02:00
/* Uncomment LONG_RESPONSE at the end of HTTP_RESPONSE to test sending longer
* packets ( for fragmentation purposes ) */
2012-09-25 11:05:17 +02:00
# define HTTP_RESPONSE \
" HTTP/1.0 200 OK \r \n Content-Type: text/html \r \n \r \n " \
2015-01-22 17:26:39 +01:00
" <h2>mbed TLS Test Server</h2> \r \n " \
2013-07-17 15:34:17 +02:00
" <p>Successful connection using: %s</p> \r \n " // LONG_RESPONSE
2012-09-25 11:05:17 +02:00
2014-06-11 18:32:36 +02:00
/*
* Size of the basic I / O buffer . Able to hold our default response .
*
2015-04-08 12:49:31 +02:00
* You will need to adapt the mbedtls_ssl_get_bytes_avail ( ) test in ssl - opt . sh
2014-06-11 18:32:36 +02:00
* if you change this value to something outside the range < = 100 or > 500
*/
2017-10-12 13:50:29 +02:00
# define DFL_IO_BUF_LEN 200
2014-06-11 18:21:20 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
# if defined(MBEDTLS_FS_IO)
2012-09-25 11:05:17 +02:00
# define USAGE_IO \
2012-11-20 10:30:55 +01:00
" ca_file=%%s The single file containing the top-level CA(s) you fully trust \n " \
" default: \" \" (pre-loaded) \n " \
" ca_path=%%s The path containing the top-level CA(s) you fully trust \n " \
" default: \" \" (pre-loaded) (overrides ca_file) \n " \
" crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted) \n " \
2013-09-25 11:35:15 +02:00
" default: see note after key_file2 \n " \
" key_file=%%s default: see note after key_file2 \n " \
2013-09-23 17:00:18 +02:00
" crt_file2=%%s Your second cert and chain (in bottom to top order, top may be omitted) \n " \
2013-09-25 11:35:15 +02:00
" default: see note after key_file2 \n " \
" key_file2=%%s default: see note below \n " \
" note: if neither crt_file/key_file nor crt_file2/key_file2 are used, \n " \
2014-06-09 11:29:50 +02:00
" preloaded certificate(s) and key(s) are used if available \n " \
" dhm_file=%%s File containing Diffie-Hellman parameters \n " \
" default: preloaded parameters \n "
2012-09-25 11:05:17 +02:00
# else
# define USAGE_IO \
2013-04-18 22:46:23 +02:00
" \n " \
2015-04-08 12:49:31 +02:00
" No file operations available (MBEDTLS_FS_IO not defined) \n " \
2013-04-18 22:46:23 +02:00
" \n "
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_FS_IO */
2013-04-18 22:46:23 +02:00
# else
# define USAGE_IO ""
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_X509_CRT_PARSE_C */
2013-04-18 22:46:23 +02:00
2018-04-24 13:09:22 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2018-01-05 21:15:57 +01:00
# define USAGE_SSL_ASYNC \
2018-01-12 13:47:48 +01:00
" async_operations=%%c... d=decrypt, s=sign (default: -=off) \n " \
2018-01-05 21:15:57 +01:00
" async_private_delay1=%%d Asynchronous delay for key_file or preloaded key \n " \
2018-04-30 10:30:49 +02:00
" async_private_delay2=%%d Asynchronous delay for key_file2 and sni \n " \
2018-01-05 21:15:57 +01:00
" default: -1 (not asynchronous) \n " \
2018-01-08 11:28:05 +01:00
" async_private_error=%%d Async callback error injection (default=0=none, \n " \
2018-04-26 07:15:40 +02:00
" 1=start, 2=cancel, 3=resume, negative=first time only) "
2018-01-05 21:15:57 +01:00
# else
# define USAGE_SSL_ASYNC ""
2018-04-24 13:09:22 +02:00
# endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
2018-01-05 21:15:57 +01:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2018-10-26 12:28:08 +02:00
# define USAGE_PSK_RAW \
2019-02-05 11:06:35 +01:00
" psk=%%s default: \" \" (in hex, without 0x) \n " \
2018-10-26 12:28:08 +02:00
" psk_list=%%s default: \" \" \n " \
2019-02-05 11:06:35 +01:00
" A list of (PSK identity, PSK value) pairs. \n " \
" The PSK values are in hex, without 0x. \n " \
" id1,psk1[,id2,psk2[,...]] \n " \
" psk_identity=%%s default: \" Client_identity \" \n "
2018-10-26 12:28:08 +02:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
# define USAGE_PSK_SLOT \
2018-11-15 14:06:09 +01:00
" psk_opaque=%%d default: 0 (don't use opaque static PSK) \n " \
" Enable this to store the PSK configured through command line \n " \
" parameter `psk` in a PSA-based key slot. \n " \
2018-10-26 12:28:08 +02:00
" Note: Currently only supported in conjunction with \n " \
" the use of min_version to force TLS 1.2 and force_ciphersuite \n " \
" to force a particular PSK-only ciphersuite. \n " \
" Note: This is to test integration of PSA-based opaque PSKs with \n " \
" Mbed TLS only. Production systems are likely to configure Mbed TLS \n " \
" with prepopulated key slots instead of importing raw key material. \n " \
2018-11-15 14:06:09 +01:00
" psk_list_opaque=%%d default: 0 (don't use opaque dynamic PSKs) \n " \
" Enable this to store the list of dynamically chosen PSKs configured \n " \
" through the command line parameter `psk_list` in PSA-based key slots. \n " \
2018-10-26 12:28:08 +02:00
" Note: Currently only supported in conjunction with \n " \
" the use of min_version to force TLS 1.2 and force_ciphersuite \n " \
" to force a particular PSK-only ciphersuite. \n " \
" Note: This is to test integration of PSA-based opaque PSKs with \n " \
" Mbed TLS only. Production systems are likely to configure Mbed TLS \n " \
" with prepopulated key slots instead of importing raw key material. \n "
# else
# define USAGE_PSK_SLOT ""
# endif /* MBEDTLS_USE_PSA_CRYPTO */
# define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT
2013-04-18 22:46:23 +02:00
# else
# define USAGE_PSK ""
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2019-03-27 16:55:27 +01:00
# if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
# define USAGE_CA_CALLBACK \
" ca_callback=%%d default: 0 (disabled) \n " \
" Enable this to use the trusted certificate callback function \n "
# else
# define USAGE_CA_CALLBACK ""
# endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_SESSION_TICKETS)
2013-08-14 13:48:06 +02:00
# define USAGE_TICKETS \
2014-02-21 09:18:13 +01:00
" tickets=%%d default: 1 (enabled) \n " \
2015-05-19 15:28:00 +02:00
" ticket_timeout=%%d default: 86400 (one day) \n "
2013-08-14 13:48:06 +02:00
# else
# define USAGE_TICKETS ""
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_SSL_SESSION_TICKETS */
2013-08-14 13:48:06 +02:00
2019-05-12 10:03:32 +02:00
# if defined(MBEDTLS_SSL_EXPORT_KEYS)
# define USAGE_EAP_TLS \
" eap_tls=%%d default: 0 (disabled) \n "
# else
# define USAGE_EAP_TLS ""
# endif /* MBEDTLS_SSL_EXPORT_KEYS */
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_CACHE_C)
2014-02-20 21:32:41 +01:00
# define USAGE_CACHE \
2014-02-20 22:50:56 +01:00
" cache_max=%%d default: cache default (50) \n " \
" cache_timeout=%%d default: cache default (1d) \n "
2014-02-20 21:32:41 +01:00
# else
# define USAGE_CACHE ""
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_SSL_CACHE_C */
2014-02-20 21:32:41 +01:00
2015-04-03 16:41:52 +02:00
# if defined(SNI_OPTION)
2019-04-04 14:02:01 +02:00
# if defined(MBEDTLS_X509_CRL_PARSE_C)
# define SNI_CRL ",crl"
# else
# define SNI_CRL ""
# endif
2014-02-21 16:52:06 +01:00
# define USAGE_SNI \
2019-04-04 14:02:01 +02:00
" sni=%%s name1,cert1,key1,ca1 " SNI_CRL " ,auth1[,...] \n " \
2015-06-19 14:40:39 +02:00
" default: disabled \n "
2014-02-21 16:52:06 +01:00
# else
# define USAGE_SNI ""
2015-04-03 16:41:52 +02:00
# endif /* SNI_OPTION */
2014-02-21 16:52:06 +01:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2013-08-15 13:33:48 +02:00
# define USAGE_MAX_FRAG_LEN \
" max_frag_len=%%d default: 16384 (tls default) \n " \
" options: 512, 1024, 2048, 4096 \n "
# else
# define USAGE_MAX_FRAG_LEN ""
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2013-08-15 13:33:48 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2015-01-09 12:39:35 +01:00
# define USAGE_TRUNC_HMAC \
" trunc_hmac=%%d default: library default \n "
# else
# define USAGE_TRUNC_HMAC ""
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_ALPN)
2014-04-05 14:34:07 +02:00
# define USAGE_ALPN \
" alpn=%%s default: \" \" (disabled) \n " \
" example: spdy/1,http/1.1 \n "
# else
# define USAGE_ALPN ""
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_SSL_ALPN */
2014-04-05 14:34:07 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2014-07-23 19:34:59 +02:00
# define USAGE_COOKIES \
" cookies=0/1/-1 default: 1 (enabled) \n " \
2014-09-24 14:41:11 +02:00
" 0: disabled, -1: library default (broken) \n "
2014-07-23 19:34:59 +02:00
# else
# define USAGE_COOKIES ""
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
2014-09-24 14:41:11 +02:00
# define USAGE_ANTI_REPLAY \
2014-10-14 19:36:36 +02:00
" anti_replay=0/1 default: (library default: enabled) \n "
2014-09-24 14:41:11 +02:00
# else
# define USAGE_ANTI_REPLAY ""
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
2014-10-14 19:36:36 +02:00
# define USAGE_BADMAC_LIMIT \
" badmac_limit=%%d default: (library default: disabled) \n "
# else
# define USAGE_BADMAC_LIMIT ""
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_PROTO_DTLS)
2014-10-01 14:40:56 +02:00
# define USAGE_DTLS \
" dtls=%%d default: 0 (TLS) \n " \
" hs_timeout=%%d-%%d default: (library default: 1000-60000) \n " \
2018-08-12 13:28:53 +02:00
" range of DTLS handshake timeouts in millisecs \n " \
2018-08-14 14:28:56 +02:00
" mtu=%%d default: (library default: unlimited) \n " \
" dgram_packing=%%d default: 1 (allowed) \n " \
" allow or forbid packing of multiple \n " \
" records within a single datgram. \n "
2014-10-01 14:40:56 +02:00
# else
# define USAGE_DTLS ""
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2014-10-20 18:40:56 +02:00
# define USAGE_EMS \
" extended_ms=0/1 default: (library default: on) \n "
# else
# define USAGE_EMS ""
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2014-10-27 13:57:03 +01:00
# define USAGE_ETM \
" etm=0/1 default: (library default: on) \n "
# else
# define USAGE_ETM ""
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_RENEGOTIATION)
2014-11-03 08:23:14 +01:00
# define USAGE_RENEGO \
" renegotiation=%%d default: 0 (disabled) \n " \
" renegotiate=%%d default: 0 (disabled) \n " \
2014-11-05 14:23:03 +01:00
" renego_delay=%%d default: -2 (library default) \n " \
2017-01-19 17:30:57 +01:00
" renego_period=%%d default: (2^64 - 1 for TLS, 2^48 - 1 for DTLS) \n "
2014-11-03 08:23:14 +01:00
# else
# define USAGE_RENEGO ""
# endif
2015-09-16 11:08:34 +02:00
# if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
# define USAGE_ECJPAKE \
" ecjpake_pw=%%s default: none (disabled) \n "
# else
# define USAGE_ECJPAKE ""
# endif
2017-05-15 17:05:15 +02:00
# if defined(MBEDTLS_ECP_C)
# define USAGE_CURVES \
" curves=a,b,c,d default: \" default \" (library default) \n " \
" example: \" secp521r1,brainpoolP512r1 \" \n " \
" - use \" none \" for empty list \n " \
" - see mbedtls_ecp_curve_list() \n " \
" for acceptable curve names \n "
# else
# define USAGE_CURVES ""
# endif
2012-09-25 11:05:17 +02:00
# define USAGE \
" \n usage: ssl_server2 param=<>... \n " \
" \n acceptable parameters: \n " \
2017-09-26 10:29:11 +02:00
" server_addr=%%s default: (all interfaces) \n " \
2012-09-25 11:05:17 +02:00
" server_port=%%d default: 4433 \n " \
" debug_level=%%d default: 0 (disabled) \n " \
2017-10-12 13:50:29 +02:00
" buffer_size=%%d default: 200 \n " \
" (minimum: 1, max: 16385) \n " \
" response_size=%%d default: about 152 (basic response) \n " \
" (minimum: 0, max: 16384) \n " \
" increases buffer_size if bigger \n " \
2014-02-26 13:47:08 +01:00
" nbio=%%d default: 0 (blocking I/O) \n " \
" options: 1 (non-blocking), 2 (added delays) \n " \
2017-10-10 16:56:37 +02:00
" event=%%d default: 0 (loop) \n " \
" options: 1 (level-triggered, implies nbio=1), \n " \
2015-09-09 11:22:58 +02:00
" read_timeout=%%d default: 0 ms (no timeout) \n " \
2014-02-19 18:22:59 +01:00
" \n " \
2014-10-01 14:40:56 +02:00
USAGE_DTLS \
USAGE_COOKIES \
USAGE_ANTI_REPLAY \
2014-10-14 19:36:36 +02:00
USAGE_BADMAC_LIMIT \
2014-10-01 14:40:56 +02:00
" \n " \
2015-05-07 11:18:26 +02:00
" auth_mode=%%s default: (library default: none) \n " \
2014-02-19 18:22:59 +01:00
" options: none, optional, required \n " \
2017-04-10 14:44:33 +02:00
" cert_req_ca_list=%%d default: 1 (send ca list) \n " \
" options: 1 (send ca list), 0 (don't send) \n " \
2012-09-25 11:05:17 +02:00
USAGE_IO \
2018-01-05 21:15:57 +01:00
USAGE_SSL_ASYNC \
2014-02-21 16:52:06 +01:00
USAGE_SNI \
2014-02-19 18:22:59 +01:00
" \n " \
USAGE_PSK \
2019-03-27 16:55:27 +01:00
USAGE_CA_CALLBACK \
2015-09-16 11:08:34 +02:00
USAGE_ECJPAKE \
2014-02-19 18:22:59 +01:00
" \n " \
2014-11-03 20:10:36 +01:00
" allow_legacy=%%d default: (library default: no) \n " \
2014-11-03 08:23:14 +01:00
USAGE_RENEGO \
2014-08-15 11:17:27 +02:00
" exchanges=%%d default: 1 \n " \
2014-10-01 14:40:56 +02:00
" \n " \
2014-02-19 18:22:59 +01:00
USAGE_TICKETS \
2019-05-12 10:03:32 +02:00
USAGE_EAP_TLS \
2014-02-20 22:50:56 +01:00
USAGE_CACHE \
2014-02-19 18:22:59 +01:00
USAGE_MAX_FRAG_LEN \
2015-01-09 12:39:35 +01:00
USAGE_TRUNC_HMAC \
2014-04-05 14:34:07 +02:00
USAGE_ALPN \
2014-10-20 18:40:56 +02:00
USAGE_EMS \
2014-10-27 13:57:03 +01:00
USAGE_ETM \
2017-05-15 17:05:15 +02:00
USAGE_CURVES \
2014-02-19 18:22:59 +01:00
" \n " \
2015-03-27 17:52:25 +01:00
" arc4=%%d default: (library default: 0) \n " \
2017-05-09 15:59:24 +02:00
" allow_sha1=%%d default: 0 \n " \
2015-03-31 14:21:11 +02:00
" min_version=%%s default: (library default: tls1) \n " \
" max_version=%%s default: (library default: tls1_2) \n " \
2013-06-29 16:01:32 +02:00
" force_version=%%s default: \" \" (none) \n " \
2014-02-12 11:11:12 +01:00
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2 \n " \
2014-06-11 13:50:34 +02:00
" \n " \
" version_suites=a,b,c,d per-version ciphersuites \n " \
" in order from ssl3 to tls1_2 \n " \
" default: all enabled \n " \
" force_ciphersuite=<name> default: all enabled \n " \
2018-10-16 22:08:38 +02:00
" query_config=<name> return 0 if the specified \n " \
" configuration macro is defined and 1 \n " \
" otherwise. The expansion of the macro \n " \
" is printed if it is defined \n " \
2012-09-25 11:05:17 +02:00
" acceptable ciphersuite names: \n "
2017-01-19 17:30:57 +01:00
2017-06-09 17:13:22 +02:00
# define ALPN_LIST_SIZE 10
# define CURVE_LIST_SIZE 20
2017-01-19 17:30:57 +01:00
# define PUT_UINT64_BE(out_be,in_le,i) \
{ \
( out_be ) [ ( i ) + 0 ] = ( unsigned char ) ( ( ( in_le ) > > 56 ) & 0xFF ) ; \
( out_be ) [ ( i ) + 1 ] = ( unsigned char ) ( ( ( in_le ) > > 48 ) & 0xFF ) ; \
( out_be ) [ ( i ) + 2 ] = ( unsigned char ) ( ( ( in_le ) > > 40 ) & 0xFF ) ; \
( out_be ) [ ( i ) + 3 ] = ( unsigned char ) ( ( ( in_le ) > > 32 ) & 0xFF ) ; \
( out_be ) [ ( i ) + 4 ] = ( unsigned char ) ( ( ( in_le ) > > 24 ) & 0xFF ) ; \
( out_be ) [ ( i ) + 5 ] = ( unsigned char ) ( ( ( in_le ) > > 16 ) & 0xFF ) ; \
( out_be ) [ ( i ) + 6 ] = ( unsigned char ) ( ( ( in_le ) > > 8 ) & 0xFF ) ; \
( out_be ) [ ( i ) + 7 ] = ( unsigned char ) ( ( ( in_le ) > > 0 ) & 0xFF ) ; \
}
2019-01-31 14:20:20 +01:00
# if defined(MBEDTLS_CHECK_PARAMS)
# include "mbedtls/platform_util.h"
void mbedtls_param_failed ( const char * failure_condition ,
const char * file ,
int line )
{
mbedtls_printf ( " %s:%i: Input param failed - %s \n " ,
file , line , failure_condition ) ;
mbedtls_exit ( MBEDTLS_EXIT_FAILURE ) ;
}
# endif
2015-02-12 12:37:29 +01:00
/*
* global options
*/
struct options
{
const char * server_addr ; /* address on which the ssl service runs */
2015-06-23 12:30:57 +02:00
const char * server_port ; /* port on which the ssl service runs */
2015-02-12 12:37:29 +01:00
int debug_level ; /* level of debugging */
int nbio ; /* should I/O be blocking? */
2017-10-10 16:56:37 +02:00
int event ; /* loop or event-driven IO? level or edge triggered? */
2015-04-08 12:49:31 +02:00
uint32_t read_timeout ; /* timeout on mbedtls_ssl_read() in milliseconds */
2017-10-12 13:50:29 +02:00
int response_size ; /* pad response with header to requested size */
uint16_t buffer_size ; /* IO buffer size */
2015-02-12 12:37:29 +01:00
const char * ca_file ; /* the file with the CA certificate(s) */
const char * ca_path ; /* the path with the CA certificate(s) reside */
const char * crt_file ; /* the file with the server certificate */
const char * key_file ; /* the file with the server key */
const char * crt_file2 ; /* the file with the 2nd server certificate */
const char * key_file2 ; /* the file with the 2nd server key */
2018-01-12 13:47:48 +01:00
const char * async_operations ; /* supported SSL asynchronous operations */
2018-01-05 21:15:57 +01:00
int async_private_delay1 ; /* number of times f_async_resume needs to be called for key 1, or -1 for no async */
int async_private_delay2 ; /* number of times f_async_resume needs to be called for key 2, or -1 for no async */
int async_private_error ; /* inject error in async private callback */
2018-10-26 12:28:08 +02:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
2018-11-15 14:06:09 +01:00
int psk_opaque ;
int psk_list_opaque ;
2019-03-27 16:55:27 +01:00
# endif
# if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2019-03-28 15:14:22 +01:00
int ca_callback ; /* Use callback for trusted certificate list */
2018-10-26 12:28:08 +02:00
# endif
2015-02-12 12:37:29 +01:00
const char * psk ; /* the pre-shared key */
const char * psk_identity ; /* the pre-shared key identity */
char * psk_list ; /* list of PSK id/key pairs for callback */
2015-09-16 11:08:34 +02:00
const char * ecjpake_pw ; /* the EC J-PAKE password */
2015-02-12 12:37:29 +01:00
int force_ciphersuite [ 2 ] ; /* protocol/ciphersuite to use, or all */
const char * version_suites ; /* per-version ciphersuites */
int renegotiation ; /* enable / disable renegotiation */
int allow_legacy ; /* allow legacy renegotiation */
int renegotiate ; /* attempt renegotiation? */
int renego_delay ; /* delay before enforcing renegotiation */
2017-01-19 17:30:57 +01:00
uint64_t renego_period ; /* period for automatic renegotiation */
2015-02-12 12:37:29 +01:00
int exchanges ; /* number of data exchanges */
int min_version ; /* minimum protocol version accepted */
int max_version ; /* maximum protocol version accepted */
int arc4 ; /* flag for arc4 suites support */
2017-05-09 15:59:24 +02:00
int allow_sha1 ; /* flag for SHA-1 support */
2015-02-12 12:37:29 +01:00
int auth_mode ; /* verify mode for connection */
2017-04-10 14:44:33 +02:00
int cert_req_ca_list ; /* should we send the CA list? */
2015-02-12 12:37:29 +01:00
unsigned char mfl_code ; /* code for maximum fragment length */
int trunc_hmac ; /* accept truncated hmac? */
int tickets ; /* enable / disable session tickets */
int ticket_timeout ; /* session ticket lifetime */
int cache_max ; /* max number of session cache entries */
int cache_timeout ; /* expiration delay of session cache entries */
char * sni ; /* string describing sni information */
2017-05-15 17:05:15 +02:00
const char * curves ; /* list of supported elliptic curves */
2015-02-12 12:37:29 +01:00
const char * alpn_string ; /* ALPN supported protocols */
const char * dhm_file ; /* the file with the DH parameters */
int extended_ms ; /* allow negotiation of extended MS? */
int etm ; /* allow negotiation of encrypt-then-MAC? */
2015-02-16 19:37:53 +01:00
int transport ; /* TLS or DTLS? */
int cookies ; /* Use cookies for DTLS? -1 to break them */
int anti_replay ; /* Use anti-replay for DTLS? -1 for default */
uint32_t hs_to_min ; /* Initial value of DTLS handshake timer */
uint32_t hs_to_max ; /* Max value of DTLS handshake timer */
2018-08-12 13:28:53 +02:00
int dtls_mtu ; /* UDP Maximum tranport unit for DTLS */
2018-08-14 14:28:56 +02:00
int dgram_packing ; /* allow/forbid datagram packing */
2015-02-16 19:37:53 +01:00
int badmac_limit ; /* Limit of records with bad MAC */
2019-05-12 10:03:32 +02:00
int eap_tls ; /* derive EAP-TLS keying material? */
2015-02-12 12:37:29 +01:00
} opt ;
2018-10-16 22:08:38 +02:00
int query_config ( const char * config ) ;
2019-05-12 10:03:32 +02:00
# if defined(MBEDTLS_SSL_EXPORT_KEYS)
typedef struct eap_tls_keys
{
unsigned char master_secret [ 48 ] ;
unsigned char randbytes [ 64 ] ;
2019-05-12 13:54:30 +02:00
mbedtls_tls_prf_types tls_prf_type ;
2019-05-12 10:03:32 +02:00
} eap_tls_keys ;
static int eap_tls_key_derivation ( void * p_expkey ,
const unsigned char * ms ,
const unsigned char * kb ,
size_t maclen ,
size_t keylen ,
size_t ivlen ,
unsigned char client_random [ 32 ] ,
2019-05-12 13:54:30 +02:00
unsigned char server_random [ 32 ] ,
mbedtls_tls_prf_types tls_prf_type )
2019-05-12 10:03:32 +02:00
{
eap_tls_keys * keys = ( eap_tls_keys * ) p_expkey ;
( ( void ) kb ) ;
memcpy ( keys - > master_secret , ms , sizeof ( keys - > master_secret ) ) ;
memcpy ( keys - > randbytes , client_random , 32 ) ;
memcpy ( keys - > randbytes + 32 , server_random , 32 ) ;
2019-05-12 13:54:30 +02:00
keys - > tls_prf_type = tls_prf_type ;
2019-05-12 10:03:32 +02:00
2019-05-14 19:38:49 +02:00
if ( opt . debug_level > 2 )
{
mbedtls_printf ( " exported maclen is %zu \n " , maclen ) ;
mbedtls_printf ( " exported keylen is %zu \n " , keylen ) ;
mbedtls_printf ( " exported ivlen is %zu \n " , ivlen ) ;
}
2019-05-12 10:03:32 +02:00
return ( 0 ) ;
}
# endif
2015-06-23 17:35:03 +02:00
static void my_debug ( void * ctx , int level ,
const char * file , int line ,
const char * str )
2015-02-12 12:37:29 +01:00
{
2015-07-01 11:50:23 +02:00
const char * p , * basename ;
2015-02-12 12:37:29 +01:00
2015-07-01 11:50:23 +02:00
/* Extract basename from file */
for ( p = basename = file ; * p ! = ' \0 ' ; p + + )
if ( * p = = ' / ' | | * p = = ' \\ ' )
basename = p + 1 ;
mbedtls_fprintf ( ( FILE * ) ctx , " %s:%04d: |%d| %s " , basename , line , level , str ) ;
2015-02-12 12:37:29 +01:00
fflush ( ( FILE * ) ctx ) ;
}
2019-03-27 16:55:27 +01:00
# if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2019-03-28 15:14:22 +01:00
int ca_callback ( void * data , mbedtls_x509_crt const * child ,
mbedtls_x509_crt * * candidates )
2019-03-27 16:55:27 +01:00
{
2019-03-28 15:14:22 +01:00
int ret = 0 ;
2019-03-27 16:55:27 +01:00
mbedtls_x509_crt * ca = ( mbedtls_x509_crt * ) data ;
2019-03-28 15:14:22 +01:00
mbedtls_x509_crt * first ;
/* This is a test-only implementation of the CA callback
* which always returns the entire list of trusted certificates .
* Production implementations managing a large number of CAs
* should use an efficient presentation and lookup for the
* set of trusted certificates ( such as a hashtable ) and only
* return those trusted certificates which satisfy basic
* parental checks , such as the matching of child ` Issuer `
* and parent ` Subject ` field . */
( ( void ) child ) ;
first = mbedtls_calloc ( 1 , sizeof ( mbedtls_x509_crt ) ) ;
if ( first = = NULL )
{
ret = - 1 ;
goto exit ;
}
mbedtls_x509_crt_init ( first ) ;
if ( mbedtls_x509_crt_parse_der ( first , ca - > raw . p , ca - > raw . len ) ! = 0 )
{
ret = - 1 ;
goto exit ;
}
2019-03-27 16:55:27 +01:00
while ( ca - > next ! = NULL )
{
ca = ca - > next ;
2019-03-28 15:14:22 +01:00
if ( mbedtls_x509_crt_parse_der ( first , ca - > raw . p , ca - > raw . len ) ! = 0 )
{
ret = - 1 ;
goto exit ;
}
2019-03-27 16:55:27 +01:00
}
2019-03-28 15:14:22 +01:00
exit :
if ( ret ! = 0 )
{
mbedtls_x509_crt_free ( first ) ;
mbedtls_free ( first ) ;
first = NULL ;
}
2019-03-27 16:55:27 +01:00
* candidates = first ;
2019-03-28 15:14:22 +01:00
return ( ret ) ;
2019-03-27 16:55:27 +01:00
}
# endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2015-02-12 12:37:29 +01:00
/*
* Test recv / send functions that make sure each try returns
* WANT_READ / WANT_WRITE at least once before sucesseding
*/
static int my_recv ( void * ctx , unsigned char * buf , size_t len )
{
static int first_try = 1 ;
int ret ;
if ( first_try )
{
first_try = 0 ;
2015-05-06 17:19:31 +02:00
return ( MBEDTLS_ERR_SSL_WANT_READ ) ;
2015-02-12 12:37:29 +01:00
}
2015-04-08 12:49:31 +02:00
ret = mbedtls_net_recv ( ctx , buf , len ) ;
2015-05-06 17:19:31 +02:00
if ( ret ! = MBEDTLS_ERR_SSL_WANT_READ )
2015-02-12 12:37:29 +01:00
first_try = 1 ; /* Next call will be a new operation */
return ( ret ) ;
}
static int my_send ( void * ctx , const unsigned char * buf , size_t len )
{
static int first_try = 1 ;
int ret ;
if ( first_try )
{
first_try = 0 ;
2015-05-06 17:19:31 +02:00
return ( MBEDTLS_ERR_SSL_WANT_WRITE ) ;
2015-02-12 12:37:29 +01:00
}
2015-04-08 12:49:31 +02:00
ret = mbedtls_net_send ( ctx , buf , len ) ;
2015-05-06 17:19:31 +02:00
if ( ret ! = MBEDTLS_ERR_SSL_WANT_WRITE )
2015-02-12 12:37:29 +01:00
first_try = 1 ; /* Next call will be a new operation */
return ( ret ) ;
}
2015-06-19 14:40:39 +02:00
/*
* Return authmode from string , or - 1 on error
*/
static int get_auth_mode ( const char * s )
{
if ( strcmp ( s , " none " ) = = 0 )
return ( MBEDTLS_SSL_VERIFY_NONE ) ;
if ( strcmp ( s , " optional " ) = = 0 )
return ( MBEDTLS_SSL_VERIFY_OPTIONAL ) ;
if ( strcmp ( s , " required " ) = = 0 )
return ( MBEDTLS_SSL_VERIFY_REQUIRED ) ;
return ( - 1 ) ;
}
2014-06-10 15:15:06 +02:00
/*
* Used by sni_parse and psk_parse to handle coma - separated lists
*/
# define GET_ITEM( dst ) \
2018-10-15 13:01:35 +02:00
do \
{ \
( dst ) = p ; \
while ( * p ! = ' , ' ) \
if ( + + p > end ) \
goto error ; \
* p + + = ' \0 ' ; \
} while ( 0 )
2014-06-10 15:15:06 +02:00
2015-04-03 16:41:52 +02:00
# if defined(SNI_OPTION)
2014-02-21 16:52:06 +01:00
typedef struct _sni_entry sni_entry ;
struct _sni_entry {
const char * name ;
2015-04-08 12:49:31 +02:00
mbedtls_x509_crt * cert ;
mbedtls_pk_context * key ;
2015-06-19 14:40:39 +02:00
mbedtls_x509_crt * ca ;
mbedtls_x509_crl * crl ;
int authmode ;
2014-02-21 16:52:06 +01:00
sni_entry * next ;
} ;
2015-02-14 14:56:39 +01:00
void sni_free ( sni_entry * head )
{
sni_entry * cur = head , * next ;
while ( cur ! = NULL )
{
2015-04-08 12:49:31 +02:00
mbedtls_x509_crt_free ( cur - > cert ) ;
mbedtls_free ( cur - > cert ) ;
2015-02-14 14:56:39 +01:00
2015-04-08 12:49:31 +02:00
mbedtls_pk_free ( cur - > key ) ;
mbedtls_free ( cur - > key ) ;
2015-02-14 14:56:39 +01:00
2015-06-19 14:40:39 +02:00
mbedtls_x509_crt_free ( cur - > ca ) ;
mbedtls_free ( cur - > ca ) ;
2019-04-04 14:02:01 +02:00
# if defined(MBEDTLS_X509_CRL_PARSE_C)
2015-06-19 14:40:39 +02:00
mbedtls_x509_crl_free ( cur - > crl ) ;
mbedtls_free ( cur - > crl ) ;
2019-04-04 14:02:01 +02:00
# endif
2015-02-14 14:56:39 +01:00
next = cur - > next ;
2015-04-08 12:49:31 +02:00
mbedtls_free ( cur ) ;
2015-02-14 14:56:39 +01:00
cur = next ;
}
}
2014-02-21 16:52:06 +01:00
/*
2015-06-19 14:40:39 +02:00
* Parse a string of sextuples name1 , crt1 , key1 , ca1 , crl1 , auth1 [ , . . . ]
* into a usable sni_entry list . For ca1 , crl1 , auth1 , the special value
* ' - ' means unset . If ca1 is unset , then crl1 is ignored too .
2014-02-21 16:52:06 +01:00
*
2014-06-10 15:15:06 +02:00
* Modifies the input string ! This is not production quality !
2014-02-21 16:52:06 +01:00
*/
sni_entry * sni_parse ( char * sni_string )
{
sni_entry * cur = NULL , * new = NULL ;
char * p = sni_string ;
char * end = p ;
2019-04-04 14:02:01 +02:00
char * crt_file , * key_file , * ca_file , * auth_str ;
# if defined(MBEDTLS_X509_CRL_PARSE_C)
char * crl_file ;
# endif
2014-02-21 16:52:06 +01:00
while ( * end ! = ' \0 ' )
+ + end ;
* end = ' , ' ;
while ( p < = end )
{
2015-05-26 16:04:06 +02:00
if ( ( new = mbedtls_calloc ( 1 , sizeof ( sni_entry ) ) ) = = NULL )
2015-02-14 14:56:39 +01:00
{
sni_free ( cur ) ;
2014-02-21 16:52:06 +01:00
return ( NULL ) ;
2015-02-14 14:56:39 +01:00
}
2014-02-21 16:52:06 +01:00
2015-06-19 14:40:39 +02:00
GET_ITEM ( new - > name ) ;
GET_ITEM ( crt_file ) ;
GET_ITEM ( key_file ) ;
GET_ITEM ( ca_file ) ;
2019-04-04 14:02:01 +02:00
# if defined(MBEDTLS_X509_CRL_PARSE_C)
2015-06-19 14:40:39 +02:00
GET_ITEM ( crl_file ) ;
2019-04-04 14:02:01 +02:00
# endif
2015-06-19 14:40:39 +02:00
GET_ITEM ( auth_str ) ;
2014-02-21 16:52:06 +01:00
2015-05-26 16:04:06 +02:00
if ( ( new - > cert = mbedtls_calloc ( 1 , sizeof ( mbedtls_x509_crt ) ) ) = = NULL | |
( new - > key = mbedtls_calloc ( 1 , sizeof ( mbedtls_pk_context ) ) ) = = NULL )
2015-06-19 14:40:39 +02:00
goto error ;
2014-02-21 16:52:06 +01:00
2015-04-08 12:49:31 +02:00
mbedtls_x509_crt_init ( new - > cert ) ;
mbedtls_pk_init ( new - > key ) ;
2014-02-21 16:52:06 +01:00
2015-04-08 12:49:31 +02:00
if ( mbedtls_x509_crt_parse_file ( new - > cert , crt_file ) ! = 0 | |
mbedtls_pk_parse_keyfile ( new - > key , key_file , " " ) ! = 0 )
2015-02-14 14:56:39 +01:00
goto error ;
2015-06-19 14:40:39 +02:00
if ( strcmp ( ca_file , " - " ) ! = 0 )
{
if ( ( new - > ca = mbedtls_calloc ( 1 , sizeof ( mbedtls_x509_crt ) ) ) = = NULL )
goto error ;
mbedtls_x509_crt_init ( new - > ca ) ;
if ( mbedtls_x509_crt_parse_file ( new - > ca , ca_file ) ! = 0 )
goto error ;
}
2019-04-04 14:02:01 +02:00
# if defined(MBEDTLS_X509_CRL_PARSE_C)
2015-06-19 14:40:39 +02:00
if ( strcmp ( crl_file , " - " ) ! = 0 )
{
if ( ( new - > crl = mbedtls_calloc ( 1 , sizeof ( mbedtls_x509_crl ) ) ) = = NULL )
goto error ;
mbedtls_x509_crl_init ( new - > crl ) ;
if ( mbedtls_x509_crl_parse_file ( new - > crl , crl_file ) ! = 0 )
goto error ;
2015-02-14 14:56:39 +01:00
}
2019-04-04 14:02:01 +02:00
# endif
2014-02-21 16:52:06 +01:00
2015-06-19 14:40:39 +02:00
if ( strcmp ( auth_str , " - " ) ! = 0 )
{
if ( ( new - > authmode = get_auth_mode ( auth_str ) ) < 0 )
goto error ;
}
else
new - > authmode = DFL_AUTH_MODE ;
2014-02-21 16:52:06 +01:00
new - > next = cur ;
cur = new ;
}
return ( cur ) ;
2015-02-14 14:56:39 +01:00
error :
sni_free ( new ) ;
sni_free ( cur ) ;
return ( NULL ) ;
2014-02-21 16:52:06 +01:00
}
/*
* SNI callback .
*/
2015-04-08 12:49:31 +02:00
int sni_callback ( void * p_info , mbedtls_ssl_context * ssl ,
2014-02-21 16:52:06 +01:00
const unsigned char * name , size_t name_len )
{
2015-06-19 14:40:39 +02:00
const sni_entry * cur = ( const sni_entry * ) p_info ;
2014-02-21 16:52:06 +01:00
while ( cur ! = NULL )
{
if ( name_len = = strlen ( cur - > name ) & &
memcmp ( name , cur - > name , name_len ) = = 0 )
{
2015-06-19 14:40:39 +02:00
if ( cur - > ca ! = NULL )
mbedtls_ssl_set_hs_ca_chain ( ssl , cur - > ca , cur - > crl ) ;
if ( cur - > authmode ! = DFL_AUTH_MODE )
mbedtls_ssl_set_hs_authmode ( ssl , cur - > authmode ) ;
2015-05-10 23:10:37 +02:00
return ( mbedtls_ssl_set_hs_own_cert ( ssl , cur - > cert , cur - > key ) ) ;
2014-02-21 16:52:06 +01:00
}
cur = cur - > next ;
}
return ( - 1 ) ;
}
2015-04-03 16:41:52 +02:00
# endif /* SNI_OPTION */
2014-02-21 16:52:06 +01:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2014-06-09 19:06:00 +02:00
2018-10-15 13:01:35 +02:00
# define HEX2NUM( c ) \
do \
{ \
if ( ( c ) > = ' 0 ' & & ( c ) < = ' 9 ' ) \
( c ) - = ' 0 ' ; \
else if ( ( c ) > = ' a ' & & ( c ) < = ' f ' ) \
( c ) - = ' a ' - 10 ; \
else if ( ( c ) > = ' A ' & & ( c ) < = ' F ' ) \
( c ) - = ' A ' - 10 ; \
else \
return ( - 1 ) ; \
} while ( 0 )
2014-06-09 19:06:00 +02:00
/*
* Convert a hex string to bytes .
* Return 0 on success , - 1 on error .
*/
int unhexify ( unsigned char * output , const char * input , size_t * olen )
{
unsigned char c ;
size_t j ;
* olen = strlen ( input ) ;
2015-04-08 12:49:31 +02:00
if ( * olen % 2 ! = 0 | | * olen / 2 > MBEDTLS_PSK_MAX_LEN )
2014-06-09 19:06:00 +02:00
return ( - 1 ) ;
* olen / = 2 ;
for ( j = 0 ; j < * olen * 2 ; j + = 2 )
{
c = input [ j ] ;
HEX2NUM ( c ) ;
output [ j / 2 ] = c < < 4 ;
c = input [ j + 1 ] ;
HEX2NUM ( c ) ;
output [ j / 2 ] | = c ;
}
return ( 0 ) ;
}
2014-06-10 14:01:52 +02:00
typedef struct _psk_entry psk_entry ;
struct _psk_entry
{
const char * name ;
size_t key_len ;
2015-04-08 12:49:31 +02:00
unsigned char key [ MBEDTLS_PSK_MAX_LEN ] ;
2018-10-26 12:28:08 +02:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
2019-01-08 15:36:01 +01:00
psa_key_handle_t slot ;
2018-10-26 12:28:08 +02:00
# endif /* MBEDTLS_USE_PSA_CRYPTO */
2014-06-10 14:01:52 +02:00
psk_entry * next ;
} ;
2015-02-14 14:56:39 +01:00
/*
* Free a list of psk_entry ' s
*/
2018-11-05 14:48:43 +01:00
int psk_free ( psk_entry * head )
2015-02-14 14:56:39 +01:00
{
psk_entry * next ;
while ( head ! = NULL )
{
2018-11-05 14:48:43 +01:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status ;
2019-01-08 15:36:01 +01:00
psa_key_handle_t const slot = head - > slot ;
2018-11-05 14:48:43 +01:00
if ( slot ! = 0 )
{
status = psa_destroy_key ( slot ) ;
if ( status ! = PSA_SUCCESS )
return ( status ) ;
}
# endif /* MBEDTLS_USE_PSA_CRYPTO */
2015-02-14 14:56:39 +01:00
next = head - > next ;
2015-04-08 12:49:31 +02:00
mbedtls_free ( head ) ;
2015-02-14 14:56:39 +01:00
head = next ;
}
2018-11-05 14:48:43 +01:00
return ( 0 ) ;
2015-02-14 14:56:39 +01:00
}
2014-06-10 14:01:52 +02:00
/*
* Parse a string of pairs name1 , key1 [ , name2 , key2 [ , . . . ] ]
* into a usable psk_entry list .
*
* Modifies the input string ! This is not production quality !
*/
psk_entry * psk_parse ( char * psk_string )
{
psk_entry * cur = NULL , * new = NULL ;
char * p = psk_string ;
char * end = p ;
char * key_hex ;
while ( * end ! = ' \0 ' )
+ + end ;
* end = ' , ' ;
while ( p < = end )
{
2015-05-26 16:04:06 +02:00
if ( ( new = mbedtls_calloc ( 1 , sizeof ( psk_entry ) ) ) = = NULL )
2015-02-18 10:32:06 +01:00
goto error ;
2014-06-10 14:01:52 +02:00
memset ( new , 0 , sizeof ( psk_entry ) ) ;
2014-06-10 15:15:06 +02:00
GET_ITEM ( new - > name ) ;
GET_ITEM ( key_hex ) ;
2014-06-10 14:01:52 +02:00
if ( unhexify ( new - > key , key_hex , & new - > key_len ) ! = 0 )
2015-02-14 14:56:39 +01:00
goto error ;
2014-06-10 14:01:52 +02:00
new - > next = cur ;
cur = new ;
}
return ( cur ) ;
2015-02-14 14:56:39 +01:00
error :
psk_free ( new ) ;
psk_free ( cur ) ;
return ( 0 ) ;
2014-06-10 14:01:52 +02:00
}
/*
* PSK callback
*/
2015-04-08 12:49:31 +02:00
int psk_callback ( void * p_info , mbedtls_ssl_context * ssl ,
2014-06-10 14:01:52 +02:00
const unsigned char * name , size_t name_len )
{
psk_entry * cur = ( psk_entry * ) p_info ;
while ( cur ! = NULL )
{
if ( name_len = = strlen ( cur - > name ) & &
memcmp ( name , cur - > name , name_len ) = = 0 )
{
2018-10-26 12:28:08 +02:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
if ( cur - > slot ! = 0 )
return ( mbedtls_ssl_set_hs_psk_opaque ( ssl , cur - > slot ) ) ;
else
# endif
2015-05-07 16:59:54 +02:00
return ( mbedtls_ssl_set_hs_psk ( ssl , cur - > key , cur - > key_len ) ) ;
2014-06-10 14:01:52 +02:00
}
cur = cur - > next ;
}
return ( - 1 ) ;
}
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2014-06-09 19:06:00 +02:00
2015-06-30 15:40:39 +02:00
static mbedtls_net_context listen_fd , client_fd ;
2014-08-18 14:36:17 +02:00
/* Interruption handler to ensure clean exit (for valgrind testing) */
# if !defined(_WIN32)
2014-08-14 15:36:12 +02:00
static int received_sigterm = 0 ;
void term_handler ( int sig )
{
( ( void ) sig ) ;
received_sigterm = 1 ;
2015-06-30 15:55:03 +02:00
mbedtls_net_free ( & listen_fd ) ; /* causes mbedtls_net_accept() to abort */
mbedtls_net_free ( & client_fd ) ; /* causes net_read() to abort */
2014-08-14 15:36:12 +02:00
}
2014-08-18 11:05:51 +02:00
# endif
2014-08-14 15:36:12 +02:00
2017-05-11 19:01:11 +02:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
static int ssl_sig_hashes_for_test [ ] = {
# if defined(MBEDTLS_SHA512_C)
MBEDTLS_MD_SHA512 ,
MBEDTLS_MD_SHA384 ,
# endif
# if defined(MBEDTLS_SHA256_C)
MBEDTLS_MD_SHA256 ,
MBEDTLS_MD_SHA224 ,
# endif
# if defined(MBEDTLS_SHA1_C)
/* Allow SHA-1 as we use it extensively in tests. */
MBEDTLS_MD_SHA1 ,
# endif
MBEDTLS_MD_NONE
} ;
# endif /* MBEDTLS_X509_CRT_PARSE_C */
2018-04-26 08:05:02 +02:00
/** Return true if \p ret is a status code indicating that there is an
* operation in progress on an SSL connection , and false if it indicates
* success or a fatal error .
*
* The possible operations in progress are :
*
* - A read , when the SSL input buffer does not contain a full message .
* - A write , when the SSL output buffer contains some data that has not
* been sent over the network yet .
* - An asynchronous callback that has not completed yet . */
static int mbedtls_status_is_ssl_in_progress ( int ret )
{
return ( ret = = MBEDTLS_ERR_SSL_WANT_READ | |
ret = = MBEDTLS_ERR_SSL_WANT_WRITE | |
ret = = MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) ;
}
2018-04-24 13:09:22 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2018-01-05 21:15:57 +01:00
typedef struct
{
2018-06-13 18:09:28 +02:00
mbedtls_x509_crt * cert ; /*!< Certificate corresponding to the key */
mbedtls_pk_context * pk ; /*!< Private key */
unsigned delay ; /*!< Number of resume steps to go through */
unsigned pk_owned : 1 ; /*!< Whether to free the pk object on exit */
2018-01-05 21:15:57 +01:00
} ssl_async_key_slot_t ;
typedef enum {
2018-04-26 00:19:16 +02:00
SSL_ASYNC_INJECT_ERROR_NONE = 0 , /*!< Let the callbacks succeed */
SSL_ASYNC_INJECT_ERROR_START , /*!< Inject error during start */
SSL_ASYNC_INJECT_ERROR_CANCEL , /*!< Close the connection after async start */
SSL_ASYNC_INJECT_ERROR_RESUME , /*!< Inject error during resume */
2018-04-26 07:15:40 +02:00
# define SSL_ASYNC_INJECT_ERROR_MAX SSL_ASYNC_INJECT_ERROR_RESUME
2018-01-05 21:15:57 +01:00
} ssl_async_inject_error_t ;
typedef struct
{
2018-06-13 18:06:51 +02:00
ssl_async_key_slot_t slots [ 4 ] ; /* key, key2, sni1, sni2 */
2018-01-05 21:15:57 +01:00
size_t slots_used ;
ssl_async_inject_error_t inject_error ;
int ( * f_rng ) ( void * , unsigned char * , size_t ) ;
void * p_rng ;
} ssl_async_key_context_t ;
2018-04-30 10:23:56 +02:00
int ssl_async_set_key ( ssl_async_key_context_t * ctx ,
2018-06-13 18:09:28 +02:00
mbedtls_x509_crt * cert ,
mbedtls_pk_context * pk ,
int pk_take_ownership ,
unsigned delay )
2018-01-05 21:15:57 +01:00
{
2018-04-30 10:23:56 +02:00
if ( ctx - > slots_used > = sizeof ( ctx - > slots ) / sizeof ( * ctx - > slots ) )
return ( - 1 ) ;
2018-01-05 21:15:57 +01:00
ctx - > slots [ ctx - > slots_used ] . cert = cert ;
ctx - > slots [ ctx - > slots_used ] . pk = pk ;
ctx - > slots [ ctx - > slots_used ] . delay = delay ;
2018-06-13 18:09:28 +02:00
ctx - > slots [ ctx - > slots_used ] . pk_owned = pk_take_ownership ;
2018-01-05 21:15:57 +01:00
+ + ctx - > slots_used ;
2018-04-30 10:23:56 +02:00
return ( 0 ) ;
2018-01-05 21:15:57 +01:00
}
2018-01-12 13:47:48 +01:00
# define SSL_ASYNC_INPUT_MAX_SIZE 512
2018-04-26 06:23:59 +02:00
typedef enum
{
ASYNC_OP_SIGN ,
ASYNC_OP_DECRYPT ,
} ssl_async_operation_type_t ;
/* Note that the enum above and the array below need to be kept in sync!
* ` ssl_async_operation_names [ op ] ` is the name of op for each value ` op `
* of type ` ssl_async_operation_type_t ` . */
static const char * const ssl_async_operation_names [ ] =
{
" sign " ,
" decrypt " ,
} ;
2018-01-05 21:15:57 +01:00
typedef struct
{
2018-04-26 13:27:43 +02:00
unsigned slot ;
2018-04-26 06:23:59 +02:00
ssl_async_operation_type_t operation_type ;
2018-01-05 21:15:57 +01:00
mbedtls_md_type_t md_alg ;
2018-01-12 13:47:48 +01:00
unsigned char input [ SSL_ASYNC_INPUT_MAX_SIZE ] ;
size_t input_len ;
2018-04-26 06:30:45 +02:00
unsigned remaining_delay ;
2018-01-05 21:15:57 +01:00
} ssl_async_operation_context_t ;
2018-04-26 11:46:10 +02:00
static int ssl_async_start ( mbedtls_ssl_context * ssl ,
2018-01-12 13:47:48 +01:00
mbedtls_x509_crt * cert ,
2018-04-26 06:23:59 +02:00
ssl_async_operation_type_t op_type ,
2018-01-12 13:47:48 +01:00
mbedtls_md_type_t md_alg ,
const unsigned char * input ,
size_t input_len )
2018-01-05 21:15:57 +01:00
{
2018-04-26 11:46:10 +02:00
ssl_async_key_context_t * config_data =
mbedtls_ssl_conf_get_async_config_data ( ssl - > conf ) ;
2018-04-26 13:27:43 +02:00
unsigned slot ;
2018-01-05 21:15:57 +01:00
ssl_async_operation_context_t * ctx = NULL ;
2018-04-26 06:23:59 +02:00
const char * op_name = ssl_async_operation_names [ op_type ] ;
2018-04-24 13:05:39 +02:00
2018-01-05 21:15:57 +01:00
{
char dn [ 100 ] ;
2018-06-15 14:05:10 +02:00
if ( mbedtls_x509_dn_gets ( dn , sizeof ( dn ) , & cert - > subject ) > 0 )
mbedtls_printf ( " Async %s callback: looking for DN=%s \n " ,
op_name , dn ) ;
2018-01-05 21:15:57 +01:00
}
2018-04-24 13:05:39 +02:00
2018-04-30 12:07:56 +02:00
/* Look for a private key that matches the public key in cert.
* Since this test code has the private key inside Mbed TLS ,
* we call mbedtls_pk_check_pair to match a private key with the
* public key . */
2018-04-25 20:39:48 +02:00
for ( slot = 0 ; slot < config_data - > slots_used ; slot + + )
2018-01-05 21:15:57 +01:00
{
2018-04-30 12:07:56 +02:00
if ( mbedtls_pk_check_pair ( & cert - > pk ,
config_data - > slots [ slot ] . pk ) = = 0 )
2018-01-05 21:15:57 +01:00
break ;
}
2018-04-25 20:39:48 +02:00
if ( slot = = config_data - > slots_used )
2018-01-05 21:15:57 +01:00
{
2018-01-12 13:47:48 +01:00
mbedtls_printf ( " Async %s callback: no key matches this certificate. \n " ,
op_name ) ;
2018-01-05 21:15:57 +01:00
return ( MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) ;
}
2018-04-26 13:27:43 +02:00
mbedtls_printf ( " Async %s callback: using key slot %u, delay=%u. \n " ,
2018-04-25 20:39:48 +02:00
op_name , slot , config_data - > slots [ slot ] . delay ) ;
2018-04-24 13:05:39 +02:00
2018-04-25 20:39:48 +02:00
if ( config_data - > inject_error = = SSL_ASYNC_INJECT_ERROR_START )
2018-01-05 21:15:57 +01:00
{
2018-01-12 13:47:48 +01:00
mbedtls_printf ( " Async %s callback: injected error \n " , op_name ) ;
2018-01-05 21:15:57 +01:00
return ( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ) ;
}
2018-04-24 13:05:39 +02:00
2018-01-12 13:47:48 +01:00
if ( input_len > SSL_ASYNC_INPUT_MAX_SIZE )
2018-01-05 21:15:57 +01:00
return ( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ) ;
2018-04-24 13:05:39 +02:00
2018-01-05 21:15:57 +01:00
ctx = mbedtls_calloc ( 1 , sizeof ( * ctx ) ) ;
if ( ctx = = NULL )
return ( MBEDTLS_ERR_SSL_ALLOC_FAILED ) ;
ctx - > slot = slot ;
2018-04-26 06:23:59 +02:00
ctx - > operation_type = op_type ;
2018-01-05 21:15:57 +01:00
ctx - > md_alg = md_alg ;
2018-01-12 13:47:48 +01:00
memcpy ( ctx - > input , input , input_len ) ;
ctx - > input_len = input_len ;
2018-04-26 06:30:45 +02:00
ctx - > remaining_delay = config_data - > slots [ slot ] . delay ;
2018-04-30 11:54:39 +02:00
mbedtls_ssl_set_async_operation_data ( ssl , ctx ) ;
2018-04-24 13:05:39 +02:00
2018-04-26 06:30:45 +02:00
if ( ctx - > remaining_delay = = 0 )
2018-01-05 21:15:57 +01:00
return ( 0 ) ;
else
return ( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) ;
}
2018-04-26 11:46:10 +02:00
static int ssl_async_sign ( mbedtls_ssl_context * ssl ,
2018-01-12 13:47:48 +01:00
mbedtls_x509_crt * cert ,
mbedtls_md_type_t md_alg ,
const unsigned char * hash ,
size_t hash_len )
{
2018-04-26 11:46:10 +02:00
return ( ssl_async_start ( ssl , cert ,
2018-04-26 06:23:59 +02:00
ASYNC_OP_SIGN , md_alg ,
2018-01-12 13:47:48 +01:00
hash , hash_len ) ) ;
}
2018-04-26 11:46:10 +02:00
static int ssl_async_decrypt ( mbedtls_ssl_context * ssl ,
2018-01-12 13:47:48 +01:00
mbedtls_x509_crt * cert ,
const unsigned char * input ,
size_t input_len )
{
2018-04-26 11:46:10 +02:00
return ( ssl_async_start ( ssl , cert ,
2018-04-26 06:23:59 +02:00
ASYNC_OP_DECRYPT , MBEDTLS_MD_NONE ,
2018-01-12 13:47:48 +01:00
input , input_len ) ) ;
}
2018-04-26 11:46:10 +02:00
static int ssl_async_resume ( mbedtls_ssl_context * ssl ,
2018-01-12 13:47:48 +01:00
unsigned char * output ,
size_t * output_len ,
size_t output_size )
2018-01-05 21:15:57 +01:00
{
2018-04-30 11:54:39 +02:00
ssl_async_operation_context_t * ctx = mbedtls_ssl_get_async_operation_data ( ssl ) ;
2018-04-26 11:46:10 +02:00
ssl_async_key_context_t * config_data =
mbedtls_ssl_conf_get_async_config_data ( ssl - > conf ) ;
2018-04-25 20:39:48 +02:00
ssl_async_key_slot_t * key_slot = & config_data - > slots [ ctx - > slot ] ;
2018-01-05 21:15:57 +01:00
int ret ;
2018-04-30 16:37:23 +02:00
const char * op_name ;
2018-04-24 13:05:39 +02:00
2018-04-26 06:30:45 +02:00
if ( ctx - > remaining_delay > 0 )
2018-01-05 21:15:57 +01:00
{
2018-04-26 06:30:45 +02:00
- - ctx - > remaining_delay ;
2018-04-26 13:27:43 +02:00
mbedtls_printf ( " Async resume (slot %u): call %u more times. \n " ,
2018-04-26 06:30:45 +02:00
ctx - > slot , ctx - > remaining_delay ) ;
2018-01-05 21:15:57 +01:00
return ( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) ;
}
2018-04-24 13:05:39 +02:00
2018-04-26 06:23:59 +02:00
switch ( ctx - > operation_type )
2018-01-12 13:47:48 +01:00
{
2018-04-26 06:23:59 +02:00
case ASYNC_OP_DECRYPT :
ret = mbedtls_pk_decrypt ( key_slot - > pk ,
ctx - > input , ctx - > input_len ,
output , output_len , output_size ,
config_data - > f_rng , config_data - > p_rng ) ;
break ;
case ASYNC_OP_SIGN :
ret = mbedtls_pk_sign ( key_slot - > pk ,
ctx - > md_alg ,
ctx - > input , ctx - > input_len ,
output , output_len ,
config_data - > f_rng , config_data - > p_rng ) ;
break ;
default :
2018-04-26 13:27:43 +02:00
mbedtls_printf ( " Async resume (slot %u): unknown operation type %ld. This shouldn't happen. \n " ,
2018-04-26 06:23:59 +02:00
ctx - > slot , ( long ) ctx - > operation_type ) ;
2018-06-13 18:09:28 +02:00
mbedtls_free ( ctx ) ;
2018-04-26 06:23:59 +02:00
return ( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ) ;
break ;
2018-01-12 13:47:48 +01:00
}
2018-04-24 13:05:39 +02:00
2018-04-30 16:37:23 +02:00
op_name = ssl_async_operation_names [ ctx - > operation_type ] ;
2018-04-26 07:15:40 +02:00
if ( config_data - > inject_error = = SSL_ASYNC_INJECT_ERROR_RESUME )
2018-01-05 21:15:57 +01:00
{
2018-01-12 13:47:48 +01:00
mbedtls_printf ( " Async resume callback: %s done but injected error \n " ,
op_name ) ;
2018-06-12 14:17:39 +02:00
mbedtls_free ( ctx ) ;
2018-01-05 21:15:57 +01:00
return ( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ) ;
}
2018-04-24 13:05:39 +02:00
2018-04-26 13:27:43 +02:00
mbedtls_printf ( " Async resume (slot %u): %s done, status=%d. \n " ,
2018-01-12 13:47:48 +01:00
ctx - > slot , op_name , ret ) ;
2018-01-05 21:15:57 +01:00
mbedtls_free ( ctx ) ;
return ( ret ) ;
}
2018-04-26 11:46:10 +02:00
static void ssl_async_cancel ( mbedtls_ssl_context * ssl )
2018-01-05 21:15:57 +01:00
{
2018-04-30 11:54:39 +02:00
ssl_async_operation_context_t * ctx = mbedtls_ssl_get_async_operation_data ( ssl ) ;
2018-01-05 21:15:57 +01:00
mbedtls_printf ( " Async cancel callback. \n " ) ;
mbedtls_free ( ctx ) ;
}
2018-04-24 13:09:22 +02:00
# endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
2018-01-05 21:15:57 +01:00
2017-10-10 16:56:37 +02:00
/*
* Wait for an event from the underlying transport or the timer
* ( Used in event - driven IO mode ) .
*/
# if !defined(MBEDTLS_TIMING_C)
2018-03-15 12:35:07 +01:00
int idle ( mbedtls_net_context * fd ,
2018-03-15 13:21:15 +01:00
int idle_reason )
2017-10-10 16:56:37 +02:00
# else
2018-03-15 12:35:07 +01:00
int idle ( mbedtls_net_context * fd ,
2018-03-15 13:21:15 +01:00
mbedtls_timing_delay_context * timer ,
int idle_reason )
2017-10-10 16:56:37 +02:00
# endif
2018-03-15 13:21:15 +01:00
{
2018-03-15 12:35:07 +01:00
int ret ;
2017-10-10 16:56:37 +02:00
int poll_type = 0 ;
if ( idle_reason = = MBEDTLS_ERR_SSL_WANT_WRITE )
poll_type = MBEDTLS_NET_POLL_WRITE ;
else if ( idle_reason = = MBEDTLS_ERR_SSL_WANT_READ )
poll_type = MBEDTLS_NET_POLL_READ ;
# if !defined(MBEDTLS_TIMING_C)
else
2018-03-15 16:49:24 +01:00
return ( 0 ) ;
2017-10-10 16:56:37 +02:00
# endif
while ( 1 )
{
2017-10-31 11:58:53 +01:00
/* Check if timer has expired */
2017-10-10 16:56:37 +02:00
# if defined(MBEDTLS_TIMING_C)
2017-10-31 11:58:53 +01:00
if ( timer ! = NULL & &
mbedtls_timing_get_delay ( timer ) = = 2 )
2017-10-10 16:56:37 +02:00
{
break ;
}
2017-10-31 11:58:53 +01:00
# endif /* MBEDTLS_TIMING_C */
2017-10-10 16:56:37 +02:00
2017-10-31 11:58:53 +01:00
/* Check if underlying transport became available */
2018-03-15 12:35:07 +01:00
if ( poll_type ! = 0 )
2017-10-10 16:56:37 +02:00
{
2018-03-15 12:35:07 +01:00
ret = mbedtls_net_poll ( fd , poll_type , 0 ) ;
if ( ret < 0 )
return ( ret ) ;
if ( ret = = poll_type )
break ;
2017-10-10 16:56:37 +02:00
}
}
2018-03-15 12:35:07 +01:00
return ( 0 ) ;
2017-10-10 16:56:37 +02:00
}
2018-10-26 12:28:08 +02:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
2019-01-08 15:36:01 +01:00
static psa_status_t psa_setup_psk_key_slot ( psa_key_handle_t slot ,
2018-10-26 12:28:08 +02:00
psa_algorithm_t alg ,
unsigned char * psk ,
size_t psk_len )
{
psa_status_t status ;
psa_key_policy_t policy ;
2019-01-25 15:27:01 +01:00
policy = psa_key_policy_init ( ) ;
2018-10-26 12:28:08 +02:00
psa_key_policy_set_usage ( & policy , PSA_KEY_USAGE_DERIVE , alg ) ;
status = psa_set_key_policy ( slot , & policy ) ;
if ( status ! = PSA_SUCCESS )
2018-11-15 14:06:09 +01:00
{
fprintf ( stderr , " POLICY \n " ) ;
2018-10-26 12:28:08 +02:00
return ( status ) ;
2018-11-15 14:06:09 +01:00
}
2018-10-26 12:28:08 +02:00
status = psa_import_key ( slot , PSA_KEY_TYPE_DERIVE , psk , psk_len ) ;
if ( status ! = PSA_SUCCESS )
2018-11-15 14:06:09 +01:00
{
fprintf ( stderr , " IMPORT \n " ) ;
2018-10-26 12:28:08 +02:00
return ( status ) ;
2018-11-15 14:06:09 +01:00
}
2018-10-26 12:28:08 +02:00
return ( PSA_SUCCESS ) ;
}
# endif /* MBEDTLS_USE_PSA_CRYPTO */
2012-09-25 11:05:17 +02:00
int main ( int argc , char * argv [ ] )
{
2015-01-22 11:33:29 +01:00
int ret = 0 , len , written , frags , exchanges_left ;
2014-06-11 13:50:34 +02:00
int version_suites [ 4 ] [ 2 ] ;
2017-10-12 13:50:29 +02:00
unsigned char * buf = 0 ;
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2018-10-26 12:28:08 +02:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t alg = 0 ;
2019-01-08 15:36:01 +01:00
psa_key_handle_t psk_slot = 0 ;
2018-10-26 12:28:08 +02:00
# endif /* MBEDTLS_USE_PSA_CRYPTO */
2015-04-08 12:49:31 +02:00
unsigned char psk [ MBEDTLS_PSK_MAX_LEN ] ;
2013-04-17 19:10:21 +02:00
size_t psk_len = 0 ;
2014-06-12 23:01:43 +02:00
psk_entry * psk_info = NULL ;
2013-04-18 22:46:23 +02:00
# endif
2013-06-24 13:01:08 +02:00
const char * pers = " ssl_server2 " ;
2014-07-22 17:57:43 +02:00
unsigned char client_ip [ 16 ] = { 0 } ;
2015-05-14 21:52:40 +02:00
size_t cliip_len ;
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_COOKIE_C)
mbedtls_ssl_cookie_ctx cookie_ctx ;
2014-07-23 14:56:15 +02:00
# endif
2012-09-25 11:05:17 +02:00
2017-05-05 18:59:02 +02:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default ;
# endif
2015-04-08 12:49:31 +02:00
mbedtls_entropy_context entropy ;
mbedtls_ctr_drbg_context ctr_drbg ;
mbedtls_ssl_context ssl ;
2015-05-04 14:56:36 +02:00
mbedtls_ssl_config conf ;
2015-05-13 13:58:56 +02:00
# if defined(MBEDTLS_TIMING_C)
2015-05-13 10:04:32 +02:00
mbedtls_timing_delay_context timer ;
2015-05-13 13:58:56 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_RENEGOTIATION)
2014-11-05 14:23:03 +01:00
unsigned char renego_period [ 8 ] = { 0 } ;
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
2015-05-12 11:27:25 +02:00
uint32_t flags ;
2015-04-08 12:49:31 +02:00
mbedtls_x509_crt cacert ;
mbedtls_x509_crt srvcert ;
mbedtls_pk_context pkey ;
mbedtls_x509_crt srvcert2 ;
mbedtls_pk_context pkey2 ;
2013-09-25 14:05:49 +02:00
int key_cert_init = 0 , key_cert_init2 = 0 ;
2018-04-24 13:09:22 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2018-01-05 21:15:57 +01:00
ssl_async_key_context_t ssl_async_keys ;
2018-04-24 13:09:22 +02:00
# endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
2018-01-05 21:15:57 +01:00
# endif /* MBEDTLS_X509_CRT_PARSE_C */
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
mbedtls_dhm_context dhm ;
2014-06-09 11:29:50 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context cache ;
2012-09-25 23:55:46 +02:00
# endif
2015-05-19 15:28:00 +02:00
# if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_ticket_context ticket_ctx ;
# endif
2015-04-03 16:41:52 +02:00
# if defined(SNI_OPTION)
2014-02-21 16:52:06 +01:00
sni_entry * sni_info = NULL ;
# endif
2017-05-15 17:05:15 +02:00
# if defined(MBEDTLS_ECP_C)
2017-06-09 17:13:22 +02:00
mbedtls_ecp_group_id curve_list [ CURVE_LIST_SIZE ] ;
2017-05-15 17:05:15 +02:00
const mbedtls_ecp_curve_info * curve_cur ;
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_ALPN)
2017-06-09 17:13:22 +02:00
const char * alpn_list [ ALPN_LIST_SIZE ] ;
2014-04-05 14:34:07 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
2018-07-23 15:26:09 +02:00
unsigned char alloc_buf [ MEMORY_HEAP_SIZE ] ;
2013-07-04 11:52:32 +02:00
# endif
2012-09-25 11:05:17 +02:00
int i ;
char * p , * q ;
const int * list ;
2018-11-12 18:47:48 +01:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status ;
# endif
2019-05-12 10:03:32 +02:00
# if defined(MBEDTLS_SSL_EXPORT_KEYS)
unsigned char eap_tls_keymaterial [ 16 ] ;
unsigned char eap_tls_iv [ 8 ] ;
const char * eap_tls_label = " client EAP encryption " ;
eap_tls_keys eap_tls_keying ;
# endif
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init ( alloc_buf , sizeof ( alloc_buf ) ) ;
2013-07-04 11:52:32 +02:00
# endif
2012-09-25 11:05:17 +02:00
/*
2013-09-20 13:10:13 +02:00
* Make sure memory references are valid in case we exit early .
2012-09-25 11:05:17 +02:00
*/
2015-06-30 15:40:39 +02:00
mbedtls_net_init ( & client_fd ) ;
mbedtls_net_init ( & listen_fd ) ;
2015-04-29 00:48:22 +02:00
mbedtls_ssl_init ( & ssl ) ;
2015-05-04 14:56:36 +02:00
mbedtls_ssl_config_init ( & conf ) ;
2015-04-28 22:52:30 +02:00
mbedtls_ctr_drbg_init ( & ctr_drbg ) ;
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init ( & cacert ) ;
mbedtls_x509_crt_init ( & srvcert ) ;
mbedtls_pk_init ( & pkey ) ;
mbedtls_x509_crt_init ( & srvcert2 ) ;
mbedtls_pk_init ( & pkey2 ) ;
2018-04-26 14:33:43 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
memset ( & ssl_async_keys , 0 , sizeof ( ssl_async_keys ) ) ;
# endif
2013-04-18 22:46:23 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
mbedtls_dhm_init ( & dhm ) ;
2014-06-09 11:29:50 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_init ( & cache ) ;
2012-09-25 23:55:46 +02:00
# endif
2015-05-19 15:28:00 +02:00
# if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_ticket_init ( & ticket_ctx ) ;
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_ALPN)
2014-05-01 10:58:57 +02:00
memset ( ( void * ) alpn_list , 0 , sizeof ( alpn_list ) ) ;
2014-04-05 14:34:07 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_COOKIE_C)
mbedtls_ssl_cookie_init ( & cookie_ctx ) ;
2014-07-23 14:56:15 +02:00
# endif
2012-09-25 11:05:17 +02:00
2018-11-12 18:47:48 +01:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_crypto_init ( ) ;
if ( status ! = PSA_SUCCESS )
{
mbedtls_fprintf ( stderr , " Failed to initialize PSA Crypto implementation: %d \n " ,
( int ) status ) ;
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ;
goto exit ;
}
# endif
2014-08-18 11:05:51 +02:00
# if !defined(_WIN32)
2014-11-17 12:46:49 +01:00
/* Abort cleanly on SIGTERM and SIGINT */
2014-08-14 15:36:12 +02:00
signal ( SIGTERM , term_handler ) ;
2014-11-17 12:46:49 +01:00
signal ( SIGINT , term_handler ) ;
2014-08-18 11:05:51 +02:00
# endif
2014-08-14 15:36:12 +02:00
2012-09-25 11:05:17 +02:00
if ( argc = = 0 )
{
usage :
if ( ret = = 0 )
ret = 1 ;
2015-04-08 12:49:31 +02:00
mbedtls_printf ( USAGE ) ;
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
list = mbedtls_ssl_list_ciphersuites ( ) ;
2012-09-25 11:05:17 +02:00
while ( * list )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " %-42s " , mbedtls_ssl_get_ciphersuite_name ( * list ) ) ;
2013-04-18 22:46:23 +02:00
list + + ;
if ( ! * list )
break ;
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " %s \n " , mbedtls_ssl_get_ciphersuite_name ( * list ) ) ;
2012-09-25 11:05:17 +02:00
list + + ;
}
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " \n " ) ;
2012-09-25 11:05:17 +02:00
goto exit ;
}
2017-10-12 13:50:29 +02:00
opt . buffer_size = DFL_IO_BUF_LEN ;
2013-12-13 16:21:41 +01:00
opt . server_addr = DFL_SERVER_ADDR ;
2012-09-25 11:05:17 +02:00
opt . server_port = DFL_SERVER_PORT ;
opt . debug_level = DFL_DEBUG_LEVEL ;
2017-10-10 16:56:37 +02:00
opt . event = DFL_EVENT ;
2017-10-12 13:50:29 +02:00
opt . response_size = DFL_RESPONSE_SIZE ;
2014-02-26 13:47:08 +01:00
opt . nbio = DFL_NBIO ;
2014-10-01 18:29:03 +02:00
opt . read_timeout = DFL_READ_TIMEOUT ;
2012-09-25 11:05:17 +02:00
opt . ca_file = DFL_CA_FILE ;
opt . ca_path = DFL_CA_PATH ;
opt . crt_file = DFL_CRT_FILE ;
opt . key_file = DFL_KEY_FILE ;
2013-09-23 17:00:18 +02:00
opt . crt_file2 = DFL_CRT_FILE2 ;
opt . key_file2 = DFL_KEY_FILE2 ;
2018-01-12 13:47:48 +01:00
opt . async_operations = DFL_ASYNC_OPERATIONS ;
2018-01-05 21:15:57 +01:00
opt . async_private_delay1 = DFL_ASYNC_PRIVATE_DELAY1 ;
opt . async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2 ;
opt . async_private_error = DFL_ASYNC_PRIVATE_ERROR ;
2013-04-17 19:10:21 +02:00
opt . psk = DFL_PSK ;
2018-10-26 12:28:08 +02:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
2018-11-15 14:06:09 +01:00
opt . psk_opaque = DFL_PSK_OPAQUE ;
opt . psk_list_opaque = DFL_PSK_LIST_OPAQUE ;
2019-03-27 16:55:27 +01:00
# endif
# if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
opt . ca_callback = DFL_CA_CALLBACK ;
2018-10-26 12:28:08 +02:00
# endif
2013-04-17 19:10:21 +02:00
opt . psk_identity = DFL_PSK_IDENTITY ;
2014-06-10 14:01:52 +02:00
opt . psk_list = DFL_PSK_LIST ;
2015-09-16 11:08:34 +02:00
opt . ecjpake_pw = DFL_ECJPAKE_PW ;
2012-09-25 11:05:17 +02:00
opt . force_ciphersuite [ 0 ] = DFL_FORCE_CIPHER ;
2014-06-11 13:50:34 +02:00
opt . version_suites = DFL_VERSION_SUITES ;
2012-09-25 11:05:17 +02:00
opt . renegotiation = DFL_RENEGOTIATION ;
opt . allow_legacy = DFL_ALLOW_LEGACY ;
2014-02-20 17:19:59 +01:00
opt . renegotiate = DFL_RENEGOTIATE ;
2014-07-04 14:32:27 +02:00
opt . renego_delay = DFL_RENEGO_DELAY ;
2014-11-05 14:23:03 +01:00
opt . renego_period = DFL_RENEGO_PERIOD ;
2014-08-15 11:17:27 +02:00
opt . exchanges = DFL_EXCHANGES ;
2012-09-28 15:28:45 +02:00
opt . min_version = DFL_MIN_VERSION ;
2013-06-29 16:01:32 +02:00
opt . max_version = DFL_MAX_VERSION ;
2015-01-12 13:43:29 +01:00
opt . arc4 = DFL_ARC4 ;
2017-05-09 15:59:24 +02:00
opt . allow_sha1 = DFL_SHA1 ;
2012-11-23 14:04:08 +01:00
opt . auth_mode = DFL_AUTH_MODE ;
2017-04-10 14:44:33 +02:00
opt . cert_req_ca_list = DFL_CERT_REQ_CA_LIST ;
2013-07-18 14:07:36 +02:00
opt . mfl_code = DFL_MFL_CODE ;
2015-01-09 12:39:35 +01:00
opt . trunc_hmac = DFL_TRUNC_HMAC ;
2013-08-03 13:02:31 +02:00
opt . tickets = DFL_TICKETS ;
2014-02-21 09:18:13 +01:00
opt . ticket_timeout = DFL_TICKET_TIMEOUT ;
2014-02-20 21:32:41 +01:00
opt . cache_max = DFL_CACHE_MAX ;
2014-02-20 22:50:56 +01:00
opt . cache_timeout = DFL_CACHE_TIMEOUT ;
2014-02-21 16:52:06 +01:00
opt . sni = DFL_SNI ;
2014-04-05 14:34:07 +02:00
opt . alpn_string = DFL_ALPN_STRING ;
2017-05-15 17:05:15 +02:00
opt . curves = DFL_CURVES ;
2014-06-09 11:29:50 +02:00
opt . dhm_file = DFL_DHM_FILE ;
2014-02-06 14:02:55 +01:00
opt . transport = DFL_TRANSPORT ;
2014-07-23 19:34:59 +02:00
opt . cookies = DFL_COOKIES ;
2014-09-24 14:41:11 +02:00
opt . anti_replay = DFL_ANTI_REPLAY ;
2014-10-01 14:40:56 +02:00
opt . hs_to_min = DFL_HS_TO_MIN ;
opt . hs_to_max = DFL_HS_TO_MAX ;
2018-08-12 13:28:53 +02:00
opt . dtls_mtu = DFL_DTLS_MTU ;
2018-08-14 14:28:56 +02:00
opt . dgram_packing = DFL_DGRAM_PACKING ;
2014-10-14 19:36:36 +02:00
opt . badmac_limit = DFL_BADMAC_LIMIT ;
2014-10-20 18:40:56 +02:00
opt . extended_ms = DFL_EXTENDED_MS ;
2014-10-27 13:57:03 +01:00
opt . etm = DFL_ETM ;
2019-05-12 10:03:32 +02:00
opt . eap_tls = DFL_EAP_TLS ;
2012-09-25 11:05:17 +02:00
for ( i = 1 ; i < argc ; i + + )
{
p = argv [ i ] ;
if ( ( q = strchr ( p , ' = ' ) ) = = NULL )
goto usage ;
* q + + = ' \0 ' ;
if ( strcmp ( p , " server_port " ) = = 0 )
2015-06-23 12:30:57 +02:00
opt . server_port = q ;
2013-12-13 16:21:41 +01:00
else if ( strcmp ( p , " server_addr " ) = = 0 )
opt . server_addr = q ;
2014-02-06 14:02:55 +01:00
else if ( strcmp ( p , " dtls " ) = = 0 )
{
int t = atoi ( q ) ;
if ( t = = 0 )
2015-04-08 12:49:31 +02:00
opt . transport = MBEDTLS_SSL_TRANSPORT_STREAM ;
2014-02-06 14:02:55 +01:00
else if ( t = = 1 )
2015-04-08 12:49:31 +02:00
opt . transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM ;
2014-02-06 14:02:55 +01:00
else
goto usage ;
}
2012-09-25 11:05:17 +02:00
else if ( strcmp ( p , " debug_level " ) = = 0 )
{
opt . debug_level = atoi ( q ) ;
if ( opt . debug_level < 0 | | opt . debug_level > 65535 )
goto usage ;
}
2014-02-26 13:47:08 +01:00
else if ( strcmp ( p , " nbio " ) = = 0 )
{
opt . nbio = atoi ( q ) ;
if ( opt . nbio < 0 | | opt . nbio > 2 )
goto usage ;
}
2017-10-10 16:56:37 +02:00
else if ( strcmp ( p , " event " ) = = 0 )
{
opt . event = atoi ( q ) ;
if ( opt . event < 0 | | opt . event > 2 )
goto usage ;
}
2014-10-01 18:29:03 +02:00
else if ( strcmp ( p , " read_timeout " ) = = 0 )
opt . read_timeout = atoi ( q ) ;
2017-10-12 13:50:29 +02:00
else if ( strcmp ( p , " buffer_size " ) = = 0 )
{
opt . buffer_size = atoi ( q ) ;
if ( opt . buffer_size < 1 | | opt . buffer_size > MBEDTLS_SSL_MAX_CONTENT_LEN + 1 )
goto usage ;
}
else if ( strcmp ( p , " response_size " ) = = 0 )
{
opt . response_size = atoi ( q ) ;
if ( opt . response_size < 0 | | opt . response_size > MBEDTLS_SSL_MAX_CONTENT_LEN )
goto usage ;
if ( opt . buffer_size < opt . response_size )
opt . buffer_size = opt . response_size ;
}
2012-09-25 11:05:17 +02:00
else if ( strcmp ( p , " ca_file " ) = = 0 )
opt . ca_file = q ;
else if ( strcmp ( p , " ca_path " ) = = 0 )
opt . ca_path = q ;
else if ( strcmp ( p , " crt_file " ) = = 0 )
opt . crt_file = q ;
else if ( strcmp ( p , " key_file " ) = = 0 )
opt . key_file = q ;
2013-09-23 17:00:18 +02:00
else if ( strcmp ( p , " crt_file2 " ) = = 0 )
opt . crt_file2 = q ;
else if ( strcmp ( p , " key_file2 " ) = = 0 )
opt . key_file2 = q ;
2014-06-09 11:29:50 +02:00
else if ( strcmp ( p , " dhm_file " ) = = 0 )
opt . dhm_file = q ;
2018-04-24 13:09:22 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2018-01-12 13:47:48 +01:00
else if ( strcmp ( p , " async_operations " ) = = 0 )
opt . async_operations = q ;
2018-01-05 21:15:57 +01:00
else if ( strcmp ( p , " async_private_delay1 " ) = = 0 )
opt . async_private_delay1 = atoi ( q ) ;
else if ( strcmp ( p , " async_private_delay2 " ) = = 0 )
opt . async_private_delay2 = atoi ( q ) ;
else if ( strcmp ( p , " async_private_error " ) = = 0 )
{
int n = atoi ( q ) ;
2018-01-08 11:28:05 +01:00
if ( n < - SSL_ASYNC_INJECT_ERROR_MAX | |
n > SSL_ASYNC_INJECT_ERROR_MAX )
2018-01-05 21:15:57 +01:00
{
ret = 2 ;
goto usage ;
}
opt . async_private_error = n ;
}
2018-04-24 13:09:22 +02:00
# endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
2013-04-17 19:10:21 +02:00
else if ( strcmp ( p , " psk " ) = = 0 )
opt . psk = q ;
2018-10-26 12:28:08 +02:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
2018-11-15 14:06:09 +01:00
else if ( strcmp ( p , " psk_opaque " ) = = 0 )
opt . psk_opaque = atoi ( q ) ;
else if ( strcmp ( p , " psk_list_opaque " ) = = 0 )
opt . psk_list_opaque = atoi ( q ) ;
2019-03-27 16:55:27 +01:00
# endif
# if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
else if ( strcmp ( p , " ca_callback " ) = = 0 )
opt . ca_callback = atoi ( q ) ;
2018-10-26 12:28:08 +02:00
# endif
2013-04-17 19:10:21 +02:00
else if ( strcmp ( p , " psk_identity " ) = = 0 )
opt . psk_identity = q ;
2014-06-10 14:01:52 +02:00
else if ( strcmp ( p , " psk_list " ) = = 0 )
opt . psk_list = q ;
2015-09-16 11:08:34 +02:00
else if ( strcmp ( p , " ecjpake_pw " ) = = 0 )
opt . ecjpake_pw = q ;
2012-09-25 11:05:17 +02:00
else if ( strcmp ( p , " force_ciphersuite " ) = = 0 )
{
2015-04-08 12:49:31 +02:00
opt . force_ciphersuite [ 0 ] = mbedtls_ssl_get_ciphersuite_id ( q ) ;
2012-09-25 11:05:17 +02:00
2014-06-11 14:19:06 +02:00
if ( opt . force_ciphersuite [ 0 ] = = 0 )
2012-09-25 11:05:17 +02:00
{
ret = 2 ;
goto usage ;
}
opt . force_ciphersuite [ 1 ] = 0 ;
}
2017-05-15 17:05:15 +02:00
else if ( strcmp ( p , " curves " ) = = 0 )
opt . curves = q ;
2014-06-11 13:50:34 +02:00
else if ( strcmp ( p , " version_suites " ) = = 0 )
opt . version_suites = q ;
2012-09-25 11:05:17 +02:00
else if ( strcmp ( p , " renegotiation " ) = = 0 )
{
2017-10-10 16:59:57 +02:00
opt . renegotiation = ( atoi ( q ) ) ?
MBEDTLS_SSL_RENEGOTIATION_ENABLED :
MBEDTLS_SSL_RENEGOTIATION_DISABLED ;
2012-09-25 11:05:17 +02:00
}
else if ( strcmp ( p , " allow_legacy " ) = = 0 )
{
2014-11-03 20:10:36 +01:00
switch ( atoi ( q ) )
{
2017-10-10 16:59:57 +02:00
case - 1 :
opt . allow_legacy = MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ;
break ;
case 0 :
opt . allow_legacy = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ;
break ;
case 1 :
opt . allow_legacy = MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION ;
break ;
2014-11-03 20:10:36 +01:00
default : goto usage ;
}
2012-09-25 11:05:17 +02:00
}
2014-02-20 17:19:59 +01:00
else if ( strcmp ( p , " renegotiate " ) = = 0 )
{
opt . renegotiate = atoi ( q ) ;
if ( opt . renegotiate < 0 | | opt . renegotiate > 1 )
goto usage ;
}
2014-07-04 14:32:27 +02:00
else if ( strcmp ( p , " renego_delay " ) = = 0 )
{
opt . renego_delay = atoi ( q ) ;
}
2014-11-05 14:23:03 +01:00
else if ( strcmp ( p , " renego_period " ) = = 0 )
{
2017-02-08 15:05:57 +01:00
# if defined(_MSC_VER)
opt . renego_period = _strtoui64 ( q , NULL , 10 ) ;
# else
if ( sscanf ( q , " % " SCNu64 , & opt . renego_period ) ! = 1 )
goto usage ;
# endif /* _MSC_VER */
if ( opt . renego_period < 2 )
2014-11-05 14:23:03 +01:00
goto usage ;
}
2014-08-15 11:17:27 +02:00
else if ( strcmp ( p , " exchanges " ) = = 0 )
{
opt . exchanges = atoi ( q ) ;
2014-10-09 15:33:13 +02:00
if ( opt . exchanges < 0 )
2014-08-15 11:17:27 +02:00
goto usage ;
}
2012-09-28 15:28:45 +02:00
else if ( strcmp ( p , " min_version " ) = = 0 )
{
if ( strcmp ( q , " ssl3 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . min_version = MBEDTLS_SSL_MINOR_VERSION_0 ;
2012-09-28 15:28:45 +02:00
else if ( strcmp ( q , " tls1 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . min_version = MBEDTLS_SSL_MINOR_VERSION_1 ;
2014-02-12 11:11:12 +01:00
else if ( strcmp ( q , " tls1_1 " ) = = 0 | |
strcmp ( q , " dtls1 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . min_version = MBEDTLS_SSL_MINOR_VERSION_2 ;
2014-02-12 11:11:12 +01:00
else if ( strcmp ( q , " tls1_2 " ) = = 0 | |
strcmp ( q , " dtls1_2 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . min_version = MBEDTLS_SSL_MINOR_VERSION_3 ;
2012-09-28 15:28:45 +02:00
else
goto usage ;
}
2013-06-29 16:01:32 +02:00
else if ( strcmp ( p , " max_version " ) = = 0 )
{
if ( strcmp ( q , " ssl3 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . max_version = MBEDTLS_SSL_MINOR_VERSION_0 ;
2013-06-29 16:01:32 +02:00
else if ( strcmp ( q , " tls1 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . max_version = MBEDTLS_SSL_MINOR_VERSION_1 ;
2014-02-12 11:11:12 +01:00
else if ( strcmp ( q , " tls1_1 " ) = = 0 | |
strcmp ( q , " dtls1 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . max_version = MBEDTLS_SSL_MINOR_VERSION_2 ;
2014-02-12 11:11:12 +01:00
else if ( strcmp ( q , " tls1_2 " ) = = 0 | |
strcmp ( q , " dtls1_2 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . max_version = MBEDTLS_SSL_MINOR_VERSION_3 ;
2013-06-29 16:01:32 +02:00
else
goto usage ;
}
2015-01-12 13:43:29 +01:00
else if ( strcmp ( p , " arc4 " ) = = 0 )
{
switch ( atoi ( q ) )
{
2015-04-08 12:49:31 +02:00
case 0 : opt . arc4 = MBEDTLS_SSL_ARC4_DISABLED ; break ;
case 1 : opt . arc4 = MBEDTLS_SSL_ARC4_ENABLED ; break ;
2015-01-12 13:43:29 +01:00
default : goto usage ;
}
}
2017-05-09 15:59:24 +02:00
else if ( strcmp ( p , " allow_sha1 " ) = = 0 )
{
switch ( atoi ( q ) )
{
case 0 : opt . allow_sha1 = 0 ; break ;
case 1 : opt . allow_sha1 = 1 ; break ;
default : goto usage ;
}
}
2013-06-29 16:01:32 +02:00
else if ( strcmp ( p , " force_version " ) = = 0 )
{
if ( strcmp ( q , " ssl3 " ) = = 0 )
{
2015-04-08 12:49:31 +02:00
opt . min_version = MBEDTLS_SSL_MINOR_VERSION_0 ;
opt . max_version = MBEDTLS_SSL_MINOR_VERSION_0 ;
2013-06-29 16:01:32 +02:00
}
else if ( strcmp ( q , " tls1 " ) = = 0 )
{
2015-04-08 12:49:31 +02:00
opt . min_version = MBEDTLS_SSL_MINOR_VERSION_1 ;
opt . max_version = MBEDTLS_SSL_MINOR_VERSION_1 ;
2013-06-29 16:01:32 +02:00
}
2014-03-26 12:16:44 +01:00
else if ( strcmp ( q , " tls1_1 " ) = = 0 )
2013-06-29 16:01:32 +02:00
{
2015-04-08 12:49:31 +02:00
opt . min_version = MBEDTLS_SSL_MINOR_VERSION_2 ;
opt . max_version = MBEDTLS_SSL_MINOR_VERSION_2 ;
2013-06-29 16:01:32 +02:00
}
2014-03-26 12:16:44 +01:00
else if ( strcmp ( q , " tls1_2 " ) = = 0 )
{
2015-04-08 12:49:31 +02:00
opt . min_version = MBEDTLS_SSL_MINOR_VERSION_3 ;
opt . max_version = MBEDTLS_SSL_MINOR_VERSION_3 ;
2014-03-26 12:16:44 +01:00
}
else if ( strcmp ( q , " dtls1 " ) = = 0 )
{
2015-04-08 12:49:31 +02:00
opt . min_version = MBEDTLS_SSL_MINOR_VERSION_2 ;
opt . max_version = MBEDTLS_SSL_MINOR_VERSION_2 ;
opt . transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM ;
2014-03-26 12:16:44 +01:00
}
else if ( strcmp ( q , " dtls1_2 " ) = = 0 )
2013-06-29 16:01:32 +02:00
{
2015-04-08 12:49:31 +02:00
opt . min_version = MBEDTLS_SSL_MINOR_VERSION_3 ;
opt . max_version = MBEDTLS_SSL_MINOR_VERSION_3 ;
opt . transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM ;
2013-06-29 16:01:32 +02:00
}
else
goto usage ;
}
2012-11-23 14:04:08 +01:00
else if ( strcmp ( p , " auth_mode " ) = = 0 )
{
2015-06-19 14:40:39 +02:00
if ( ( opt . auth_mode = get_auth_mode ( q ) ) < 0 )
2012-11-23 14:04:08 +01:00
goto usage ;
}
2017-04-10 14:44:33 +02:00
else if ( strcmp ( p , " cert_req_ca_list " ) = = 0 )
{
opt . cert_req_ca_list = atoi ( q ) ;
if ( opt . cert_req_ca_list < 0 | | opt . cert_req_ca_list > 1 )
goto usage ;
}
2013-07-18 14:07:36 +02:00
else if ( strcmp ( p , " max_frag_len " ) = = 0 )
{
if ( strcmp ( q , " 512 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . mfl_code = MBEDTLS_SSL_MAX_FRAG_LEN_512 ;
2013-07-18 14:07:36 +02:00
else if ( strcmp ( q , " 1024 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . mfl_code = MBEDTLS_SSL_MAX_FRAG_LEN_1024 ;
2013-07-18 14:07:36 +02:00
else if ( strcmp ( q , " 2048 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . mfl_code = MBEDTLS_SSL_MAX_FRAG_LEN_2048 ;
2013-07-18 14:07:36 +02:00
else if ( strcmp ( q , " 4096 " ) = = 0 )
2015-04-08 12:49:31 +02:00
opt . mfl_code = MBEDTLS_SSL_MAX_FRAG_LEN_4096 ;
2013-07-18 14:07:36 +02:00
else
goto usage ;
}
2014-04-05 14:34:07 +02:00
else if ( strcmp ( p , " alpn " ) = = 0 )
{
opt . alpn_string = q ;
}
2015-01-09 12:39:35 +01:00
else if ( strcmp ( p , " trunc_hmac " ) = = 0 )
{
switch ( atoi ( q ) )
{
2015-04-08 12:49:31 +02:00
case 0 : opt . trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_DISABLED ; break ;
case 1 : opt . trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED ; break ;
2015-01-09 12:39:35 +01:00
default : goto usage ;
}
}
2014-10-20 18:40:56 +02:00
else if ( strcmp ( p , " extended_ms " ) = = 0 )
{
switch ( atoi ( q ) )
{
2017-10-10 16:59:57 +02:00
case 0 :
opt . extended_ms = MBEDTLS_SSL_EXTENDED_MS_DISABLED ;
break ;
case 1 :
opt . extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED ;
break ;
2014-10-20 18:40:56 +02:00
default : goto usage ;
}
}
2014-10-27 13:57:03 +01:00
else if ( strcmp ( p , " etm " ) = = 0 )
{
switch ( atoi ( q ) )
{
2015-04-08 12:49:31 +02:00
case 0 : opt . etm = MBEDTLS_SSL_ETM_DISABLED ; break ;
case 1 : opt . etm = MBEDTLS_SSL_ETM_ENABLED ; break ;
2014-10-27 13:57:03 +01:00
default : goto usage ;
}
}
2013-08-03 13:02:31 +02:00
else if ( strcmp ( p , " tickets " ) = = 0 )
{
opt . tickets = atoi ( q ) ;
if ( opt . tickets < 0 | | opt . tickets > 1 )
goto usage ;
}
2014-02-21 09:18:13 +01:00
else if ( strcmp ( p , " ticket_timeout " ) = = 0 )
{
opt . ticket_timeout = atoi ( q ) ;
if ( opt . ticket_timeout < 0 )
goto usage ;
}
2014-02-20 21:32:41 +01:00
else if ( strcmp ( p , " cache_max " ) = = 0 )
{
opt . cache_max = atoi ( q ) ;
if ( opt . cache_max < 0 )
goto usage ;
}
2014-02-20 22:50:56 +01:00
else if ( strcmp ( p , " cache_timeout " ) = = 0 )
{
opt . cache_timeout = atoi ( q ) ;
if ( opt . cache_timeout < 0 )
goto usage ;
}
2014-07-23 19:34:59 +02:00
else if ( strcmp ( p , " cookies " ) = = 0 )
{
opt . cookies = atoi ( q ) ;
if ( opt . cookies < - 1 | | opt . cookies > 1 )
goto usage ;
}
2014-09-24 14:41:11 +02:00
else if ( strcmp ( p , " anti_replay " ) = = 0 )
{
opt . anti_replay = atoi ( q ) ;
if ( opt . anti_replay < 0 | | opt . anti_replay > 1 )
goto usage ;
}
2014-10-14 19:36:36 +02:00
else if ( strcmp ( p , " badmac_limit " ) = = 0 )
{
opt . badmac_limit = atoi ( q ) ;
if ( opt . badmac_limit < 0 )
goto usage ;
}
2014-10-01 14:40:56 +02:00
else if ( strcmp ( p , " hs_timeout " ) = = 0 )
{
if ( ( p = strchr ( q , ' - ' ) ) = = NULL )
goto usage ;
* p + + = ' \0 ' ;
opt . hs_to_min = atoi ( q ) ;
opt . hs_to_max = atoi ( p ) ;
if ( opt . hs_to_min = = 0 | | opt . hs_to_max < opt . hs_to_min )
goto usage ;
}
2018-08-12 13:28:53 +02:00
else if ( strcmp ( p , " mtu " ) = = 0 )
{
opt . dtls_mtu = atoi ( q ) ;
if ( opt . dtls_mtu < 0 )
goto usage ;
}
2018-08-14 14:28:56 +02:00
else if ( strcmp ( p , " dgram_packing " ) = = 0 )
{
opt . dgram_packing = atoi ( q ) ;
if ( opt . dgram_packing ! = 0 & &
opt . dgram_packing ! = 1 )
{
goto usage ;
}
}
2014-02-21 16:52:06 +01:00
else if ( strcmp ( p , " sni " ) = = 0 )
{
opt . sni = q ;
}
2018-10-16 22:08:38 +02:00
else if ( strcmp ( p , " query_config " ) = = 0 )
{
return query_config ( q ) ;
}
2019-05-12 10:03:32 +02:00
else if ( strcmp ( p , " eap_tls " ) = = 0 )
{
opt . eap_tls = atoi ( q ) ;
if ( opt . eap_tls < 0 | | opt . eap_tls > 1 )
goto usage ;
}
2012-09-25 11:05:17 +02:00
else
goto usage ;
}
2017-10-10 16:56:37 +02:00
/* Event-driven IO is incompatible with the above custom
* receive and send functions , as the polling builds on
* refers to the underlying net_context . */
if ( opt . event = = 1 & & opt . nbio ! = 1 )
{
2017-10-27 14:43:58 +02:00
mbedtls_printf ( " Warning: event-driven IO mandates nbio=1 - overwrite \n " ) ;
2017-10-10 16:56:37 +02:00
opt . nbio = 1 ;
}
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold ( opt . debug_level ) ;
2014-04-25 16:34:30 +02:00
# endif
2018-06-20 13:07:55 +02:00
buf = mbedtls_calloc ( 1 , opt . buffer_size + 1 ) ;
2017-10-12 13:50:29 +02:00
if ( buf = = NULL )
{
2018-06-20 14:17:04 +02:00
mbedtls_printf ( " Could not allocate %u bytes \n " , opt . buffer_size ) ;
2017-10-12 13:50:29 +02:00
ret = 3 ;
goto exit ;
}
2014-04-25 16:34:30 +02:00
2018-10-26 12:28:08 +02:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
2018-11-15 14:06:09 +01:00
if ( opt . psk_opaque ! = 0 )
2018-10-26 12:28:08 +02:00
{
if ( strlen ( opt . psk ) = = 0 )
{
2018-11-15 14:06:09 +01:00
mbedtls_printf ( " psk_opaque set but no psk to be imported specified. \n " ) ;
2018-10-26 12:28:08 +02:00
ret = 2 ;
goto usage ;
}
if ( opt . force_ciphersuite [ 0 ] < = 0 )
{
mbedtls_printf ( " opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option. \n " ) ;
ret = 2 ;
goto usage ;
}
}
2018-11-15 14:06:09 +01:00
if ( opt . psk_list_opaque ! = 0 )
2018-10-26 12:28:08 +02:00
{
if ( opt . psk_list = = NULL )
{
mbedtls_printf ( " psk_slot set but no psk to be imported specified. \n " ) ;
ret = 2 ;
goto usage ;
}
if ( opt . force_ciphersuite [ 0 ] < = 0 )
{
mbedtls_printf ( " opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option. \n " ) ;
ret = 2 ;
goto usage ;
}
}
# endif /* MBEDTLS_USE_PSA_CRYPTO */
2013-06-29 16:01:32 +02:00
if ( opt . force_ciphersuite [ 0 ] > 0 )
{
2015-04-08 12:49:31 +02:00
const mbedtls_ssl_ciphersuite_t * ciphersuite_info ;
2017-10-10 16:59:57 +02:00
ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id ( opt . force_ciphersuite [ 0 ] ) ;
2013-06-29 16:01:32 +02:00
2013-07-19 13:43:43 +02:00
if ( opt . max_version ! = - 1 & &
ciphersuite_info - > min_minor_ver > opt . max_version )
{
2017-10-10 16:59:57 +02:00
mbedtls_printf ( " forced ciphersuite not allowed with this protocol version \n " ) ;
2013-07-19 13:43:43 +02:00
ret = 2 ;
goto usage ;
}
if ( opt . min_version ! = - 1 & &
2013-06-29 16:01:32 +02:00
ciphersuite_info - > max_minor_ver < opt . min_version )
{
2017-10-10 16:59:57 +02:00
mbedtls_printf ( " forced ciphersuite not allowed with this protocol version \n " ) ;
2013-06-29 16:01:32 +02:00
ret = 2 ;
goto usage ;
}
2014-03-26 18:12:04 +01:00
/* If we select a version that's not supported by
* this suite , then there will be no common ciphersuite . . . */
if ( opt . max_version = = - 1 | |
opt . max_version > ciphersuite_info - > max_minor_ver )
{
2013-07-19 13:43:43 +02:00
opt . max_version = ciphersuite_info - > max_minor_ver ;
2014-03-26 18:12:04 +01:00
}
2013-07-19 13:43:43 +02:00
if ( opt . min_version < ciphersuite_info - > min_minor_ver )
2014-03-26 18:12:04 +01:00
{
2013-07-19 13:43:43 +02:00
opt . min_version = ciphersuite_info - > min_minor_ver ;
2014-03-26 18:12:04 +01:00
/* DTLS starts with TLS 1.1 */
2015-04-08 12:49:31 +02:00
if ( opt . transport = = MBEDTLS_SSL_TRANSPORT_DATAGRAM & &
opt . min_version < MBEDTLS_SSL_MINOR_VERSION_2 )
opt . min_version = MBEDTLS_SSL_MINOR_VERSION_2 ;
2014-03-26 18:12:04 +01:00
}
2015-03-20 20:44:04 +01:00
/* Enable RC4 if needed and not explicitly disabled */
2015-04-08 12:49:31 +02:00
if ( ciphersuite_info - > cipher = = MBEDTLS_CIPHER_ARC4_128 )
2015-03-20 20:44:04 +01:00
{
2015-04-08 12:49:31 +02:00
if ( opt . arc4 = = MBEDTLS_SSL_ARC4_DISABLED )
2015-03-20 20:44:04 +01:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " forced RC4 ciphersuite with RC4 disabled \n " ) ;
2015-03-20 20:44:04 +01:00
ret = 2 ;
goto usage ;
}
2015-04-08 12:49:31 +02:00
opt . arc4 = MBEDTLS_SSL_ARC4_ENABLED ;
2015-03-20 20:44:04 +01:00
}
2018-10-26 12:28:08 +02:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
2018-11-15 14:06:09 +01:00
if ( opt . psk_opaque ! = 0 | | opt . psk_list_opaque ! = 0 )
2018-10-26 12:28:08 +02:00
{
/* Ensure that the chosen ciphersuite is PSK-only; we must know
* the ciphersuite in advance to set the correct policy for the
* PSK key slot . This limitation might go away in the future . */
if ( ciphersuite_info - > key_exchange ! = MBEDTLS_KEY_EXCHANGE_PSK | |
opt . min_version ! = MBEDTLS_SSL_MINOR_VERSION_3 )
{
mbedtls_printf ( " opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option. \n " ) ;
ret = 2 ;
goto usage ;
}
/* Determine KDF algorithm the opaque PSK will be used in. */
# if defined(MBEDTLS_SHA512_C)
if ( ciphersuite_info - > mac = = MBEDTLS_MD_SHA384 )
alg = PSA_ALG_TLS12_PSK_TO_MS ( PSA_ALG_SHA_384 ) ;
else
# endif /* MBEDTLS_SHA512_C */
alg = PSA_ALG_TLS12_PSK_TO_MS ( PSA_ALG_SHA_256 ) ;
}
# endif /* MBEDTLS_USE_PSA_CRYPTO */
2013-06-29 16:01:32 +02:00
}
2014-06-11 13:50:34 +02:00
if ( opt . version_suites ! = NULL )
{
const char * name [ 4 ] = { 0 } ;
/* Parse 4-element coma-separated list */
for ( i = 0 , p = ( char * ) opt . version_suites ;
i < 4 & & * p ! = ' \0 ' ;
i + + )
{
name [ i ] = p ;
/* Terminate the current string and move on to next one */
while ( * p ! = ' , ' & & * p ! = ' \0 ' )
p + + ;
if ( * p = = ' , ' )
* p + + = ' \0 ' ;
}
if ( i ! = 4 )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " too few values for version_suites \n " ) ;
2014-06-11 13:50:34 +02:00
ret = 1 ;
goto exit ;
}
memset ( version_suites , 0 , sizeof ( version_suites ) ) ;
/* Get the suites identifiers from their name */
for ( i = 0 ; i < 4 ; i + + )
{
2015-04-08 12:49:31 +02:00
version_suites [ i ] [ 0 ] = mbedtls_ssl_get_ciphersuite_id ( name [ i ] ) ;
2014-06-11 13:50:34 +02:00
if ( version_suites [ i ] [ 0 ] = = 0 )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " unknown ciphersuite: '%s' \n " , name [ i ] ) ;
2014-06-11 13:50:34 +02:00
ret = 2 ;
goto usage ;
}
}
}
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2013-04-17 19:10:21 +02:00
/*
2014-06-10 14:01:52 +02:00
* Unhexify the pre - shared key and parse the list if any given
2013-04-17 19:10:21 +02:00
*/
2014-06-10 14:01:52 +02:00
if ( unhexify ( psk , opt . psk , & psk_len ) ! = 0 )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " pre-shared key not valid hex \n " ) ;
2014-06-10 14:01:52 +02:00
goto exit ;
}
if ( opt . psk_list ! = NULL )
2013-04-17 19:10:21 +02:00
{
2014-06-10 14:01:52 +02:00
if ( ( psk_info = psk_parse ( opt . psk_list ) ) = = NULL )
2013-04-17 19:10:21 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " psk_list invalid " ) ;
2013-04-17 19:10:21 +02:00
goto exit ;
}
}
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2013-04-17 19:10:21 +02:00
2017-05-15 17:05:15 +02:00
# if defined(MBEDTLS_ECP_C)
if ( opt . curves ! = NULL )
{
p = ( char * ) opt . curves ;
i = 0 ;
if ( strcmp ( p , " none " ) = = 0 )
{
curve_list [ 0 ] = MBEDTLS_ECP_DP_NONE ;
}
else if ( strcmp ( p , " default " ) ! = 0 )
{
/* Leave room for a final NULL in curve list */
2017-06-09 17:13:22 +02:00
while ( i < CURVE_LIST_SIZE - 1 & & * p ! = ' \0 ' )
2017-05-15 17:05:15 +02:00
{
q = p ;
/* Terminate the current string */
while ( * p ! = ' , ' & & * p ! = ' \0 ' )
p + + ;
if ( * p = = ' , ' )
* p + + = ' \0 ' ;
if ( ( curve_cur = mbedtls_ecp_curve_info_from_name ( q ) ) ! = NULL )
{
curve_list [ i + + ] = curve_cur - > grp_id ;
}
else
{
mbedtls_printf ( " unknown curve %s \n " , q ) ;
mbedtls_printf ( " supported curves: " ) ;
for ( curve_cur = mbedtls_ecp_curve_list ( ) ;
curve_cur - > grp_id ! = MBEDTLS_ECP_DP_NONE ;
curve_cur + + )
{
mbedtls_printf ( " %s " , curve_cur - > name ) ;
}
mbedtls_printf ( " \n " ) ;
goto exit ;
}
}
mbedtls_printf ( " Number of curves: %d \n " , i ) ;
2017-06-09 17:13:22 +02:00
if ( i = = CURVE_LIST_SIZE - 1 & & * p ! = ' \0 ' )
2017-05-15 17:05:15 +02:00
{
2017-06-09 17:13:22 +02:00
mbedtls_printf ( " curves list too long, maximum %d " ,
CURVE_LIST_SIZE - 1 ) ;
2017-05-15 17:05:15 +02:00
goto exit ;
}
curve_list [ i ] = MBEDTLS_ECP_DP_NONE ;
}
}
# endif /* MBEDTLS_ECP_C */
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_ALPN)
2014-04-05 14:34:07 +02:00
if ( opt . alpn_string ! = NULL )
{
p = ( char * ) opt . alpn_string ;
i = 0 ;
/* Leave room for a final NULL in alpn_list */
2017-06-09 17:13:22 +02:00
while ( i < ALPN_LIST_SIZE - 1 & & * p ! = ' \0 ' )
2014-04-05 14:34:07 +02:00
{
alpn_list [ i + + ] = p ;
/* Terminate the current string and move on to next one */
while ( * p ! = ' , ' & & * p ! = ' \0 ' )
p + + ;
if ( * p = = ' , ' )
* p + + = ' \0 ' ;
}
}
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_SSL_ALPN */
2014-04-05 14:34:07 +02:00
2012-09-25 11:05:17 +02:00
/*
* 0. Initialize the RNG and the session data
*/
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " \n . Seeding the random number generator... " ) ;
2012-09-25 11:05:17 +02:00
fflush ( stdout ) ;
2015-04-08 12:49:31 +02:00
mbedtls_entropy_init ( & entropy ) ;
2017-10-10 16:59:57 +02:00
if ( ( ret = mbedtls_ctr_drbg_seed ( & ctr_drbg , mbedtls_entropy_func ,
& entropy , ( const unsigned char * ) pers ,
strlen ( pers ) ) ) ! = 0 )
2012-09-25 11:05:17 +02:00
{
2017-10-10 16:59:57 +02:00
mbedtls_printf ( " failed \n ! mbedtls_ctr_drbg_seed returned -0x%x \n " ,
- ret ) ;
2012-09-25 11:05:17 +02:00
goto exit ;
}
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ok \n " ) ;
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
2012-09-25 11:05:17 +02:00
/*
* 1.1 . Load the trusted CA
*/
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Loading the CA root certificate ... " ) ;
2012-09-25 11:05:17 +02:00
fflush ( stdout ) ;
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_FS_IO)
2012-09-25 11:05:17 +02:00
if ( strlen ( opt . ca_path ) )
2014-02-27 13:35:00 +01:00
if ( strcmp ( opt . ca_path , " none " ) = = 0 )
ret = 0 ;
else
2015-04-08 12:49:31 +02:00
ret = mbedtls_x509_crt_parse_path ( & cacert , opt . ca_path ) ;
2012-09-25 11:05:17 +02:00
else if ( strlen ( opt . ca_file ) )
2014-02-27 13:35:00 +01:00
if ( strcmp ( opt . ca_file , " none " ) = = 0 )
ret = 0 ;
else
2015-04-08 12:49:31 +02:00
ret = mbedtls_x509_crt_parse_file ( & cacert , opt . ca_file ) ;
2013-09-18 13:46:23 +02:00
else
2012-09-25 11:05:17 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_CERTS_C)
for ( i = 0 ; mbedtls_test_cas [ i ] ! = NULL ; i + + )
2015-03-27 10:20:26 +01:00
{
2015-04-08 12:49:31 +02:00
ret = mbedtls_x509_crt_parse ( & cacert ,
( const unsigned char * ) mbedtls_test_cas [ i ] ,
mbedtls_test_cas_len [ i ] ) ;
2015-03-27 10:20:26 +01:00
if ( ret ! = 0 )
break ;
}
2012-09-25 11:05:17 +02:00
# else
{
ret = 1 ;
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " MBEDTLS_CERTS_C not defined. " ) ;
2012-09-25 11:05:17 +02:00
}
# endif
if ( ret < 0 )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_x509_crt_parse returned -0x%x \n \n " , - ret ) ;
2012-09-25 11:05:17 +02:00
goto exit ;
}
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ok (%d skipped) \n " , ret ) ;
2012-09-25 11:05:17 +02:00
/*
* 1.2 . Load own certificate and private key
*/
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Loading the server cert. and key... " ) ;
2012-09-25 11:05:17 +02:00
fflush ( stdout ) ;
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_FS_IO)
2014-02-27 13:35:00 +01:00
if ( strlen ( opt . crt_file ) & & strcmp ( opt . crt_file , " none " ) ! = 0 )
2013-09-24 21:14:51 +02:00
{
2013-09-25 14:05:49 +02:00
key_cert_init + + ;
2015-04-08 12:49:31 +02:00
if ( ( ret = mbedtls_x509_crt_parse_file ( & srvcert , opt . crt_file ) ) ! = 0 )
2013-09-25 11:35:15 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_x509_crt_parse_file returned -0x%x \n \n " ,
2013-09-25 11:35:15 +02:00
- ret ) ;
goto exit ;
}
2013-09-24 21:14:51 +02:00
}
2014-02-27 13:35:00 +01:00
if ( strlen ( opt . key_file ) & & strcmp ( opt . key_file , " none " ) ! = 0 )
2013-09-24 21:14:51 +02:00
{
2013-09-25 14:05:49 +02:00
key_cert_init + + ;
2015-04-08 12:49:31 +02:00
if ( ( ret = mbedtls_pk_parse_keyfile ( & pkey , opt . key_file , " " ) ) ! = 0 )
2013-09-25 11:35:15 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_pk_parse_keyfile returned -0x%x \n \n " , - ret ) ;
2013-09-25 11:35:15 +02:00
goto exit ;
}
2013-09-24 21:14:51 +02:00
}
2013-09-25 14:05:49 +02:00
if ( key_cert_init = = 1 )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! crt_file without key_file or vice-versa \n \n " ) ;
2013-09-25 14:05:49 +02:00
goto exit ;
}
2014-02-27 13:35:00 +01:00
if ( strlen ( opt . crt_file2 ) & & strcmp ( opt . crt_file2 , " none " ) ! = 0 )
2013-09-24 21:14:51 +02:00
{
2013-09-25 14:05:49 +02:00
key_cert_init2 + + ;
2015-04-08 12:49:31 +02:00
if ( ( ret = mbedtls_x509_crt_parse_file ( & srvcert2 , opt . crt_file2 ) ) ! = 0 )
2013-09-25 11:35:15 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_x509_crt_parse_file(2) returned -0x%x \n \n " ,
2013-09-25 11:35:15 +02:00
- ret ) ;
goto exit ;
}
2013-09-24 21:14:51 +02:00
}
2014-02-27 13:35:00 +01:00
if ( strlen ( opt . key_file2 ) & & strcmp ( opt . key_file2 , " none " ) ! = 0 )
2013-09-24 21:14:51 +02:00
{
2013-09-25 14:05:49 +02:00
key_cert_init2 + + ;
2015-04-08 12:49:31 +02:00
if ( ( ret = mbedtls_pk_parse_keyfile ( & pkey2 , opt . key_file2 , " " ) ) ! = 0 )
2013-09-25 11:35:15 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_pk_parse_keyfile(2) returned -0x%x \n \n " ,
2017-10-27 14:43:58 +02:00
- ret ) ;
2013-09-25 11:35:15 +02:00
goto exit ;
}
2013-09-24 21:14:51 +02:00
}
2013-09-25 14:05:49 +02:00
if ( key_cert_init2 = = 1 )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! crt_file2 without key_file2 or vice-versa \n \n " ) ;
2013-09-25 14:05:49 +02:00
goto exit ;
}
2013-09-24 21:14:51 +02:00
# endif
2014-02-27 13:35:00 +01:00
if ( key_cert_init = = 0 & &
strcmp ( opt . crt_file , " none " ) ! = 0 & &
strcmp ( opt . key_file , " none " ) ! = 0 & &
key_cert_init2 = = 0 & &
strcmp ( opt . crt_file2 , " none " ) ! = 0 & &
strcmp ( opt . key_file2 , " none " ) ! = 0 )
2013-09-24 21:14:51 +02:00
{
2015-04-08 12:49:31 +02:00
# if !defined(MBEDTLS_CERTS_C)
2017-10-27 14:43:58 +02:00
mbedtls_printf ( " Not certificated or key provided, and \n MBEDTLS_CERTS_C not defined! \n " ) ;
2013-09-24 21:14:51 +02:00
goto exit ;
2013-09-25 11:35:15 +02:00
# else
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_RSA_C)
if ( ( ret = mbedtls_x509_crt_parse ( & srvcert ,
( const unsigned char * ) mbedtls_test_srv_crt_rsa ,
mbedtls_test_srv_crt_rsa_len ) ) ! = 0 )
2013-09-25 11:35:15 +02:00
{
2017-10-27 14:43:58 +02:00
mbedtls_printf ( " failed \n ! mbedtls_x509_crt_parse returned -0x%x \n \n " ,
- ret ) ;
2013-09-25 11:35:15 +02:00
goto exit ;
}
2015-04-08 12:49:31 +02:00
if ( ( ret = mbedtls_pk_parse_key ( & pkey ,
( const unsigned char * ) mbedtls_test_srv_key_rsa ,
mbedtls_test_srv_key_rsa_len , NULL , 0 ) ) ! = 0 )
2013-09-25 11:35:15 +02:00
{
2017-10-27 14:43:58 +02:00
mbedtls_printf ( " failed \n ! mbedtls_pk_parse_key returned -0x%x \n \n " ,
- ret ) ;
2013-09-25 11:35:15 +02:00
goto exit ;
}
2013-09-25 14:05:49 +02:00
key_cert_init = 2 ;
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_RSA_C */
# if defined(MBEDTLS_ECDSA_C)
if ( ( ret = mbedtls_x509_crt_parse ( & srvcert2 ,
( const unsigned char * ) mbedtls_test_srv_crt_ec ,
mbedtls_test_srv_crt_ec_len ) ) ! = 0 )
2013-09-25 11:35:15 +02:00
{
2017-10-27 14:43:58 +02:00
mbedtls_printf ( " failed \n ! x509_crt_parse2 returned -0x%x \n \n " ,
- ret ) ;
2013-09-25 11:35:15 +02:00
goto exit ;
}
2015-04-08 12:49:31 +02:00
if ( ( ret = mbedtls_pk_parse_key ( & pkey2 ,
( const unsigned char * ) mbedtls_test_srv_key_ec ,
mbedtls_test_srv_key_ec_len , NULL , 0 ) ) ! = 0 )
2013-09-25 11:35:15 +02:00
{
2017-10-27 14:43:58 +02:00
mbedtls_printf ( " failed \n ! pk_parse_key2 returned -0x%x \n \n " ,
- ret ) ;
2013-09-25 11:35:15 +02:00
goto exit ;
}
2013-09-25 14:05:49 +02:00
key_cert_init2 = 2 ;
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_ECDSA_C */
# endif /* MBEDTLS_CERTS_C */
2013-09-25 11:35:15 +02:00
}
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ok \n " ) ;
# endif /* MBEDTLS_X509_CRT_PARSE_C */
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
2014-06-09 11:29:50 +02:00
if ( opt . dhm_file ! = NULL )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Loading DHM parameters... " ) ;
2014-06-09 11:29:50 +02:00
fflush ( stdout ) ;
2015-04-08 12:49:31 +02:00
if ( ( ret = mbedtls_dhm_parse_dhmfile ( & dhm , opt . dhm_file ) ) ! = 0 )
2014-06-09 11:29:50 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_dhm_parse_dhmfile returned -0x%04X \n \n " ,
2014-06-09 11:29:50 +02:00
- ret ) ;
goto exit ;
}
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ok \n " ) ;
2014-06-09 11:29:50 +02:00
}
# endif
2015-04-03 16:41:52 +02:00
# if defined(SNI_OPTION)
2014-02-21 16:52:06 +01:00
if ( opt . sni ! = NULL )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Setting up SNI information... " ) ;
2014-02-21 16:52:06 +01:00
fflush ( stdout ) ;
if ( ( sni_info = sni_parse ( opt . sni ) ) = = NULL )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n " ) ;
2014-02-21 16:52:06 +01:00
goto exit ;
}
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ok \n " ) ;
2014-02-21 16:52:06 +01:00
}
2015-04-03 16:41:52 +02:00
# endif /* SNI_OPTION */
2014-02-21 16:52:06 +01:00
2012-09-25 11:05:17 +02:00
/*
* 2. Setup the listening TCP socket
*/
2015-06-23 12:30:57 +02:00
mbedtls_printf ( " . Bind on %s://%s:%s/ ... " ,
2015-04-08 12:49:31 +02:00
opt . transport = = MBEDTLS_SSL_TRANSPORT_STREAM ? " tcp " : " udp " ,
2014-03-23 18:23:41 +01:00
opt . server_addr ? opt . server_addr : " * " ,
opt . server_port ) ;
2012-09-25 11:05:17 +02:00
fflush ( stdout ) ;
2015-04-08 12:49:31 +02:00
if ( ( ret = mbedtls_net_bind ( & listen_fd , opt . server_addr , opt . server_port ,
opt . transport = = MBEDTLS_SSL_TRANSPORT_STREAM ?
MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) ! = 0 )
2012-09-25 11:05:17 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_net_bind returned -0x%x \n \n " , - ret ) ;
2012-09-25 11:05:17 +02:00
goto exit ;
}
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ok \n " ) ;
2012-09-25 11:05:17 +02:00
/*
* 3. Setup stuff
*/
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Setting up the SSL/TLS structure... " ) ;
2012-09-25 11:05:17 +02:00
fflush ( stdout ) ;
2015-05-04 19:32:36 +02:00
if ( ( ret = mbedtls_ssl_config_defaults ( & conf ,
MBEDTLS_SSL_IS_SERVER ,
2015-06-17 13:53:47 +02:00
opt . transport ,
MBEDTLS_SSL_PRESET_DEFAULT ) ) ! = 0 )
2015-05-04 14:56:36 +02:00
{
mbedtls_printf ( " failed \n ! mbedtls_ssl_config_defaults returned -0x%x \n \n " , - ret ) ;
goto exit ;
}
2017-05-05 18:59:02 +02:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
/* The default algorithms profile disables SHA-1, but our tests still
rely on it heavily . Hence we allow it here . A real - world server
should use the default profile unless there is a good reason not to . */
2017-05-09 15:59:24 +02:00
if ( opt . allow_sha1 > 0 )
{
crt_profile_for_test . allowed_mds | = MBEDTLS_X509_ID_FLAG ( MBEDTLS_MD_SHA1 ) ;
mbedtls_ssl_conf_cert_profile ( & conf , & crt_profile_for_test ) ;
2017-05-11 19:01:11 +02:00
mbedtls_ssl_conf_sig_hashes ( & conf , ssl_sig_hashes_for_test ) ;
2017-05-09 15:59:24 +02:00
}
2017-05-05 18:59:02 +02:00
# endif /* MBEDTLS_X509_CRT_PARSE_C */
2015-03-27 17:52:25 +01:00
if ( opt . auth_mode ! = DFL_AUTH_MODE )
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_authmode ( & conf , opt . auth_mode ) ;
2012-09-25 11:05:17 +02:00
2017-04-10 14:44:33 +02:00
if ( opt . cert_req_ca_list ! = DFL_CERT_REQ_CA_LIST )
mbedtls_ssl_conf_cert_req_ca_list ( & conf , opt . cert_req_ca_list ) ;
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_PROTO_DTLS)
2014-10-01 14:40:56 +02:00
if ( opt . hs_to_min ! = DFL_HS_TO_MIN | | opt . hs_to_max ! = DFL_HS_TO_MAX )
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_handshake_timeout ( & conf , opt . hs_to_min , opt . hs_to_max ) ;
2018-08-12 13:28:53 +02:00
2018-08-14 14:28:56 +02:00
if ( opt . dgram_packing ! = DFL_DGRAM_PACKING )
2018-08-24 12:13:57 +02:00
mbedtls_ssl_set_datagram_packing ( & ssl , opt . dgram_packing ) ;
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_SSL_PROTO_DTLS */
2014-10-01 14:40:56 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2015-05-11 09:50:24 +02:00
if ( ( ret = mbedtls_ssl_conf_max_frag_len ( & conf , opt . mfl_code ) ) ! = 0 )
2014-07-08 14:05:52 +02:00
{
2015-05-11 09:50:24 +02:00
mbedtls_printf ( " failed \n ! mbedtls_ssl_conf_max_frag_len returned %d \n \n " , ret ) ;
2014-07-08 14:05:52 +02:00
goto exit ;
} ;
2013-08-15 13:33:48 +02:00
# endif
2013-07-18 14:07:36 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2015-01-09 12:39:35 +01:00
if ( opt . trunc_hmac ! = DFL_TRUNC_HMAC )
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_truncated_hmac ( & conf , opt . trunc_hmac ) ;
2015-01-09 12:39:35 +01:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2014-10-20 18:40:56 +02:00
if ( opt . extended_ms ! = DFL_EXTENDED_MS )
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_extended_master_secret ( & conf , opt . extended_ms ) ;
2014-10-20 18:40:56 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2014-10-27 13:57:03 +01:00
if ( opt . etm ! = DFL_ETM )
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_encrypt_then_mac ( & conf , opt . etm ) ;
2014-10-27 13:57:03 +01:00
# endif
2019-05-12 10:03:32 +02:00
# if defined(MBEDTLS_SSL_EXPORT_KEYS)
if ( opt . eap_tls ! = 0 )
mbedtls_ssl_conf_export_keys_ext_cb ( & conf , eap_tls_key_derivation ,
& eap_tls_keying ) ;
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_ALPN)
2014-04-05 14:34:07 +02:00
if ( opt . alpn_string ! = NULL )
2015-05-11 09:50:24 +02:00
if ( ( ret = mbedtls_ssl_conf_alpn_protocols ( & conf , alpn_list ) ) ! = 0 )
2014-07-08 14:05:52 +02:00
{
2015-05-11 09:50:24 +02:00
mbedtls_printf ( " failed \n ! mbedtls_ssl_conf_alpn_protocols returned %d \n \n " , ret ) ;
2014-07-08 14:05:52 +02:00
goto exit ;
}
2014-04-05 14:34:07 +02:00
# endif
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_rng ( & conf , mbedtls_ctr_drbg_random , & ctr_drbg ) ;
mbedtls_ssl_conf_dbg ( & conf , my_debug , stdout ) ;
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_CACHE_C)
2014-02-20 21:32:41 +01:00
if ( opt . cache_max ! = - 1 )
2015-04-08 12:49:31 +02:00
mbedtls_ssl_cache_set_max_entries ( & cache , opt . cache_max ) ;
2014-02-20 21:32:41 +01:00
2014-02-20 22:50:56 +01:00
if ( opt . cache_timeout ! = - 1 )
2015-04-08 12:49:31 +02:00
mbedtls_ssl_cache_set_timeout ( & cache , opt . cache_timeout ) ;
2014-02-20 22:50:56 +01:00
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_session_cache ( & conf , & cache ,
2015-05-06 19:06:26 +02:00
mbedtls_ssl_cache_get ,
mbedtls_ssl_cache_set ) ;
2012-09-25 23:55:46 +02:00
# endif
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_SESSION_TICKETS)
2015-05-19 15:28:00 +02:00
if ( opt . tickets = = MBEDTLS_SSL_SESSION_TICKETS_ENABLED )
2014-07-08 14:05:52 +02:00
{
2015-05-19 15:28:00 +02:00
if ( ( ret = mbedtls_ssl_ticket_setup ( & ticket_ctx ,
mbedtls_ctr_drbg_random , & ctr_drbg ,
2015-05-25 10:35:16 +02:00
MBEDTLS_CIPHER_AES_256_GCM ,
2015-05-19 15:28:00 +02:00
opt . ticket_timeout ) ) ! = 0 )
{
mbedtls_printf ( " failed \n ! mbedtls_ssl_ticket_setup returned %d \n \n " , ret ) ;
goto exit ;
}
2014-02-21 09:18:13 +01:00
2015-05-19 15:28:00 +02:00
mbedtls_ssl_conf_session_tickets_cb ( & conf ,
mbedtls_ssl_ticket_write ,
mbedtls_ssl_ticket_parse ,
& ticket_ctx ) ;
}
2013-08-14 13:48:06 +02:00
# endif
2013-08-03 13:02:31 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_PROTO_DTLS)
if ( opt . transport = = MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2014-07-22 22:10:43 +02:00
{
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_COOKIE_C)
2014-07-23 19:34:59 +02:00
if ( opt . cookies > 0 )
2014-07-23 14:56:15 +02:00
{
2015-04-08 12:49:31 +02:00
if ( ( ret = mbedtls_ssl_cookie_setup ( & cookie_ctx ,
mbedtls_ctr_drbg_random , & ctr_drbg ) ) ! = 0 )
2014-07-23 19:34:59 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_ssl_cookie_setup returned %d \n \n " , ret ) ;
2014-07-23 19:34:59 +02:00
goto exit ;
}
2014-07-23 14:56:15 +02:00
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_dtls_cookies ( & conf , mbedtls_ssl_cookie_write , mbedtls_ssl_cookie_check ,
2014-07-23 19:34:59 +02:00
& cookie_ctx ) ;
}
else
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_SSL_COOKIE_C */
# if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2014-07-23 19:34:59 +02:00
if ( opt . cookies = = 0 )
{
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_dtls_cookies ( & conf , NULL , NULL , NULL ) ;
2014-07-23 19:34:59 +02:00
}
else
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2014-07-23 19:34:59 +02:00
{
; /* Nothing to do */
}
2014-09-24 14:41:11 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
2014-09-24 14:41:11 +02:00
if ( opt . anti_replay ! = DFL_ANTI_REPLAY )
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_dtls_anti_replay ( & conf , opt . anti_replay ) ;
2014-10-14 19:36:36 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
2014-10-14 19:36:36 +02:00
if ( opt . badmac_limit ! = DFL_BADMAC_LIMIT )
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_dtls_badmac_limit ( & conf , opt . badmac_limit ) ;
2014-09-24 14:41:11 +02:00
# endif
2014-07-22 22:10:43 +02:00
}
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_SSL_PROTO_DTLS */
2014-07-22 22:10:43 +02:00
2013-03-20 14:39:14 +01:00
if ( opt . force_ciphersuite [ 0 ] ! = DFL_FORCE_CIPHER )
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_ciphersuites ( & conf , opt . force_ciphersuite ) ;
2015-03-20 20:44:04 +01:00
2015-05-14 12:28:21 +02:00
# if defined(MBEDTLS_ARC4_C)
2015-03-20 20:44:04 +01:00
if ( opt . arc4 ! = DFL_ARC4 )
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_arc4_support ( & conf , opt . arc4 ) ;
2015-05-14 12:28:21 +02:00
# endif
2012-09-25 11:05:17 +02:00
2014-06-11 13:50:34 +02:00
if ( opt . version_suites ! = NULL )
{
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_ciphersuites_for_version ( & conf , version_suites [ 0 ] ,
2015-04-08 12:49:31 +02:00
MBEDTLS_SSL_MAJOR_VERSION_3 ,
MBEDTLS_SSL_MINOR_VERSION_0 ) ;
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_ciphersuites_for_version ( & conf , version_suites [ 1 ] ,
2015-04-08 12:49:31 +02:00
MBEDTLS_SSL_MAJOR_VERSION_3 ,
MBEDTLS_SSL_MINOR_VERSION_1 ) ;
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_ciphersuites_for_version ( & conf , version_suites [ 2 ] ,
2015-04-08 12:49:31 +02:00
MBEDTLS_SSL_MAJOR_VERSION_3 ,
MBEDTLS_SSL_MINOR_VERSION_2 ) ;
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_ciphersuites_for_version ( & conf , version_suites [ 3 ] ,
2015-04-08 12:49:31 +02:00
MBEDTLS_SSL_MAJOR_VERSION_3 ,
MBEDTLS_SSL_MINOR_VERSION_3 ) ;
2014-06-11 13:50:34 +02:00
}
2014-11-03 20:10:36 +01:00
if ( opt . allow_legacy ! = DFL_ALLOW_LEGACY )
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_legacy_renegotiation ( & conf , opt . allow_legacy ) ;
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_RENEGOTIATION)
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_renegotiation ( & conf , opt . renegotiation ) ;
2014-11-05 14:23:03 +01:00
2014-07-04 14:32:27 +02:00
if ( opt . renego_delay ! = DFL_RENEGO_DELAY )
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_renegotiation_enforced ( & conf , opt . renego_delay ) ;
2012-09-25 11:05:17 +02:00
2014-11-05 14:23:03 +01:00
if ( opt . renego_period ! = DFL_RENEGO_PERIOD )
{
2017-01-19 17:30:57 +01:00
PUT_UINT64_BE ( renego_period , opt . renego_period , 0 ) ;
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_renegotiation_period ( & conf , renego_period ) ;
2014-11-05 14:23:03 +01:00
}
2014-11-03 08:23:14 +01:00
# endif
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
2014-02-27 13:35:00 +01:00
if ( strcmp ( opt . ca_path , " none " ) ! = 0 & &
strcmp ( opt . ca_file , " none " ) ! = 0 )
{
2019-03-27 16:55:27 +01:00
# if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
if ( opt . ca_callback ! = 0 )
mbedtls_ssl_conf_ca_cb ( & conf , ca_callback , & cacert ) ;
else
# endif
mbedtls_ssl_conf_ca_chain ( & conf , & cacert , NULL ) ;
2014-02-27 13:35:00 +01:00
}
2013-09-25 14:05:49 +02:00
if ( key_cert_init )
2018-01-05 21:15:57 +01:00
{
mbedtls_pk_context * pk = & pkey ;
2018-04-24 13:09:22 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2018-01-05 21:15:57 +01:00
if ( opt . async_private_delay1 > = 0 )
{
2018-06-13 18:09:28 +02:00
ret = ssl_async_set_key ( & ssl_async_keys , & srvcert , pk , 0 ,
2018-04-30 10:23:56 +02:00
opt . async_private_delay1 ) ;
if ( ret < 0 )
{
mbedtls_printf ( " Test error: ssl_async_set_key failed (%d) \n " ,
ret ) ;
goto exit ;
}
2018-01-05 21:15:57 +01:00
pk = NULL ;
}
2018-04-24 13:09:22 +02:00
# endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
2018-01-05 21:15:57 +01:00
if ( ( ret = mbedtls_ssl_conf_own_cert ( & conf , & srvcert , pk ) ) ! = 0 )
2014-07-08 14:05:52 +02:00
{
2015-05-11 09:50:24 +02:00
mbedtls_printf ( " failed \n ! mbedtls_ssl_conf_own_cert returned %d \n \n " , ret ) ;
2014-07-08 14:05:52 +02:00
goto exit ;
}
2018-01-05 21:15:57 +01:00
}
2013-09-25 14:05:49 +02:00
if ( key_cert_init2 )
2018-01-05 21:15:57 +01:00
{
mbedtls_pk_context * pk = & pkey2 ;
2018-04-24 13:09:22 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2018-01-05 21:15:57 +01:00
if ( opt . async_private_delay2 > = 0 )
{
2018-06-13 18:09:28 +02:00
ret = ssl_async_set_key ( & ssl_async_keys , & srvcert2 , pk , 0 ,
2018-04-30 10:23:56 +02:00
opt . async_private_delay2 ) ;
if ( ret < 0 )
{
mbedtls_printf ( " Test error: ssl_async_set_key failed (%d) \n " ,
ret ) ;
goto exit ;
}
2018-01-05 21:15:57 +01:00
pk = NULL ;
}
2018-04-24 13:09:22 +02:00
# endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
2018-01-05 21:15:57 +01:00
if ( ( ret = mbedtls_ssl_conf_own_cert ( & conf , & srvcert2 , pk ) ) ! = 0 )
2014-07-08 14:05:52 +02:00
{
2015-05-11 09:50:24 +02:00
mbedtls_printf ( " failed \n ! mbedtls_ssl_conf_own_cert returned %d \n \n " , ret ) ;
2014-07-08 14:05:52 +02:00
goto exit ;
}
2018-01-05 21:15:57 +01:00
}
2018-04-24 13:09:22 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2018-01-12 13:47:48 +01:00
if ( opt . async_operations [ 0 ] ! = ' - ' )
2018-01-05 21:15:57 +01:00
{
2018-01-12 13:47:48 +01:00
mbedtls_ssl_async_sign_t * sign = NULL ;
mbedtls_ssl_async_decrypt_t * decrypt = NULL ;
2018-04-24 12:32:04 +02:00
const char * r ;
for ( r = opt . async_operations ; * r ; r + + )
2018-01-12 13:47:48 +01:00
{
2018-04-24 12:32:04 +02:00
switch ( * r )
2018-01-12 13:47:48 +01:00
{
case ' d ' :
decrypt = ssl_async_decrypt ;
break ;
case ' s ' :
sign = ssl_async_sign ;
break ;
}
}
2018-01-08 11:28:05 +01:00
ssl_async_keys . inject_error = ( opt . async_private_error < 0 ?
- opt . async_private_error :
opt . async_private_error ) ;
2018-01-05 21:15:57 +01:00
ssl_async_keys . f_rng = mbedtls_ctr_drbg_random ;
ssl_async_keys . p_rng = & ctr_drbg ;
mbedtls_ssl_conf_async_private_cb ( & conf ,
2018-01-12 13:47:48 +01:00
sign ,
decrypt ,
2018-01-05 21:15:57 +01:00
ssl_async_resume ,
ssl_async_cancel ,
& ssl_async_keys ) ;
}
2018-04-24 13:09:22 +02:00
# endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
2018-01-05 21:15:57 +01:00
# endif /* MBEDTLS_X509_CRT_PARSE_C */
2013-04-18 22:46:23 +02:00
2015-04-03 16:41:52 +02:00
# if defined(SNI_OPTION)
2014-02-21 16:52:06 +01:00
if ( opt . sni ! = NULL )
2018-04-30 10:30:49 +02:00
{
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_sni ( & conf , sni_callback , sni_info ) ;
2018-04-30 10:30:49 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
if ( opt . async_private_delay2 > = 0 )
{
2018-06-13 18:06:51 +02:00
sni_entry * cur ;
for ( cur = sni_info ; cur ! = NULL ; cur = cur - > next )
2018-04-30 10:30:49 +02:00
{
2018-06-13 18:06:51 +02:00
ret = ssl_async_set_key ( & ssl_async_keys ,
2018-06-13 18:09:28 +02:00
cur - > cert , cur - > key , 1 ,
2018-06-13 18:06:51 +02:00
opt . async_private_delay2 ) ;
if ( ret < 0 )
{
mbedtls_printf ( " Test error: ssl_async_set_key failed (%d) \n " ,
ret ) ;
goto exit ;
}
cur - > key = NULL ;
2018-04-30 10:30:49 +02:00
}
}
# endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
}
2014-02-21 16:52:06 +01:00
# endif
2017-05-15 17:05:15 +02:00
# if defined(MBEDTLS_ECP_C)
if ( opt . curves ! = NULL & &
strcmp ( opt . curves , " default " ) ! = 0 )
{
mbedtls_ssl_conf_curves ( & conf , curve_list ) ;
}
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2018-10-26 12:28:08 +02:00
2014-06-10 15:24:51 +02:00
if ( strlen ( opt . psk ) ! = 0 & & strlen ( opt . psk_identity ) ! = 0 )
{
2018-10-26 12:28:08 +02:00
# if defined(MBEDTLS_USE_PSA_CRYPTO)
2018-11-15 14:06:09 +01:00
if ( opt . psk_opaque ! = 0 )
2018-10-26 12:28:08 +02:00
{
2019-01-25 15:27:15 +01:00
status = psa_allocate_key ( & psk_slot ) ;
2018-10-26 12:28:08 +02:00
if ( status ! = PSA_SUCCESS )
{
2018-11-15 14:06:09 +01:00
fprintf ( stderr , " ALLOC FAIL \n " ) ;
2018-10-26 12:28:08 +02:00
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ;
goto exit ;
}
2018-11-15 14:06:09 +01:00
/* The algorithm has already been determined earlier. */
status = psa_setup_psk_key_slot ( psk_slot , alg , psk , psk_len ) ;
if ( status ! = PSA_SUCCESS )
{
fprintf ( stderr , " SETUP FAIL \n " ) ;
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ;
goto exit ;
}
if ( ( ret = mbedtls_ssl_conf_psk_opaque ( & conf , psk_slot ,
( const unsigned char * ) opt . psk_identity ,
strlen ( opt . psk_identity ) ) ) ! = 0 )
2018-10-26 12:28:08 +02:00
{
mbedtls_printf ( " failed \n ! mbedtls_ssl_conf_psk_opaque returned %d \n \n " ,
ret ) ;
goto exit ;
}
}
else
# endif /* MBEDTLS_USE_PSA_CRYPTO */
if ( ( ret = mbedtls_ssl_conf_psk ( & conf , psk , psk_len ,
( const unsigned char * ) opt . psk_identity ,
strlen ( opt . psk_identity ) ) ) ! = 0 )
2014-06-10 15:24:51 +02:00
{
2015-05-11 09:50:24 +02:00
mbedtls_printf ( " failed \n mbedtls_ssl_conf_psk returned -0x%04X \n \n " , - ret ) ;
2014-06-10 15:24:51 +02:00
goto exit ;
}
}
2014-06-10 14:01:52 +02:00
if ( opt . psk_list ! = NULL )
2018-10-26 12:28:08 +02:00
{
# if defined(MBEDTLS_USE_PSA_CRYPTO)
2018-11-15 14:06:09 +01:00
if ( opt . psk_list_opaque ! = 0 )
2018-10-26 12:28:08 +02:00
{
psk_entry * cur_psk ;
for ( cur_psk = psk_info ; cur_psk ! = NULL ; cur_psk = cur_psk - > next )
{
2019-01-25 15:27:15 +01:00
status = psa_allocate_key ( & cur_psk - > slot ) ;
2018-11-15 14:06:09 +01:00
if ( status ! = PSA_SUCCESS )
{
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ;
goto exit ;
}
2018-10-26 12:28:08 +02:00
status = psa_setup_psk_key_slot ( cur_psk - > slot , alg ,
cur_psk - > key ,
cur_psk - > key_len ) ;
if ( status ! = PSA_SUCCESS )
{
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ;
goto exit ;
}
}
}
# endif /* MBEDTLS_USE_PSA_CRYPTO */
2018-11-15 14:06:09 +01:00
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_psk_cb ( & conf , psk_callback , psk_info ) ;
2018-10-26 12:28:08 +02:00
}
2013-04-18 22:46:23 +02:00
# endif
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_DHM_C)
2012-09-28 09:33:00 +02:00
/*
* Use different group than default DHM group
*/
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_FS_IO)
2014-06-09 11:29:50 +02:00
if ( opt . dhm_file ! = NULL )
2015-05-11 09:50:24 +02:00
ret = mbedtls_ssl_conf_dh_param_ctx ( & conf , & dhm ) ;
2014-06-09 11:29:50 +02:00
# endif
if ( ret ! = 0 )
{
2015-05-11 09:50:24 +02:00
mbedtls_printf ( " failed \n mbedtls_ssl_conf_dh_param returned -0x%04X \n \n " , - ret ) ;
2014-06-09 11:29:50 +02:00
goto exit ;
}
2012-09-25 11:05:17 +02:00
# endif
2015-03-31 14:21:11 +02:00
if ( opt . min_version ! = DFL_MIN_VERSION )
2015-05-11 10:11:56 +02:00
mbedtls_ssl_conf_min_version ( & conf , MBEDTLS_SSL_MAJOR_VERSION_3 , opt . min_version ) ;
2012-09-28 15:28:45 +02:00
2015-03-31 14:21:11 +02:00
if ( opt . max_version ! = DFL_MIN_VERSION )
2015-05-11 10:11:56 +02:00
mbedtls_ssl_conf_max_version ( & conf , MBEDTLS_SSL_MAJOR_VERSION_3 , opt . max_version ) ;
2013-06-29 16:01:32 +02:00
2015-05-11 11:25:46 +02:00
if ( ( ret = mbedtls_ssl_setup ( & ssl , & conf ) ) ! = 0 )
{
mbedtls_printf ( " failed \n ! mbedtls_ssl_setup returned -0x%x \n \n " , - ret ) ;
goto exit ;
}
if ( opt . nbio = = 2 )
mbedtls_ssl_set_bio ( & ssl , & client_fd , my_send , my_recv , NULL ) ;
else
mbedtls_ssl_set_bio ( & ssl , & client_fd , mbedtls_net_send , mbedtls_net_recv ,
2015-05-14 18:58:17 +02:00
opt . nbio = = 0 ? mbedtls_net_recv_timeout : NULL ) ;
2015-05-11 11:25:46 +02:00
2018-08-20 10:37:23 +02:00
# if defined(MBEDTLS_SSL_PROTO_DTLS)
if ( opt . dtls_mtu ! = DFL_DTLS_MTU )
mbedtls_ssl_set_mtu ( & ssl , opt . dtls_mtu ) ;
# endif
2015-05-13 13:58:56 +02:00
# if defined(MBEDTLS_TIMING_C)
2015-05-13 10:04:32 +02:00
mbedtls_ssl_set_timer_cb ( & ssl , & timer , mbedtls_timing_set_delay ,
mbedtls_timing_get_delay ) ;
2015-05-13 13:58:56 +02:00
# endif
2015-05-13 10:04:32 +02:00
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ok \n " ) ;
2012-09-25 11:05:17 +02:00
reset :
2014-09-20 12:03:00 +02:00
# if !defined(_WIN32)
if ( received_sigterm )
{
2018-01-22 10:55:10 +01:00
mbedtls_printf ( " interrupted by SIGTERM (not in net_accept()) \n " ) ;
if ( ret = = MBEDTLS_ERR_NET_INVALID_CONTEXT )
ret = 0 ;
2014-09-20 12:03:00 +02:00
goto exit ;
}
# endif
2015-09-08 11:58:14 +02:00
if ( ret = = MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
{
mbedtls_printf ( " ! Client initiated reconnection from same port \n " ) ;
goto handshake ;
}
2015-04-08 12:49:31 +02:00
# ifdef MBEDTLS_ERROR_C
2012-09-25 11:05:17 +02:00
if ( ret ! = 0 )
{
char error_buf [ 100 ] ;
2015-04-08 12:49:31 +02:00
mbedtls_strerror ( ret , error_buf , 100 ) ;
mbedtls_printf ( " Last error was: %d - %s \n \n " , ret , error_buf ) ;
2012-09-25 11:05:17 +02:00
}
# endif
2015-06-30 15:55:03 +02:00
mbedtls_net_free ( & client_fd ) ;
2014-03-23 18:23:41 +01:00
2015-04-08 12:49:31 +02:00
mbedtls_ssl_session_reset ( & ssl ) ;
2012-09-25 11:05:17 +02:00
/*
* 3. Wait until a client connects
*/
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Waiting for a remote connection ... " ) ;
2012-09-25 11:05:17 +02:00
fflush ( stdout ) ;
2015-06-30 15:40:39 +02:00
if ( ( ret = mbedtls_net_accept ( & listen_fd , & client_fd ,
2015-05-14 21:52:40 +02:00
client_ip , sizeof ( client_ip ) , & cliip_len ) ) ! = 0 )
2012-09-25 11:05:17 +02:00
{
2014-08-18 11:05:51 +02:00
# if !defined(_WIN32)
2014-08-14 15:36:12 +02:00
if ( received_sigterm )
{
2018-01-22 10:55:10 +01:00
mbedtls_printf ( " interrupted by SIGTERM (in net_accept()) \n " ) ;
if ( ret = = MBEDTLS_ERR_NET_ACCEPT_FAILED )
ret = 0 ;
2014-08-14 15:36:12 +02:00
goto exit ;
}
2014-08-18 11:05:51 +02:00
# endif
2014-08-14 15:36:12 +02:00
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_net_accept returned -0x%x \n \n " , - ret ) ;
2012-09-25 11:05:17 +02:00
goto exit ;
}
2014-02-26 13:47:08 +01:00
if ( opt . nbio > 0 )
2015-06-30 15:40:39 +02:00
ret = mbedtls_net_set_nonblock ( & client_fd ) ;
2014-02-26 13:47:08 +01:00
else
2015-06-30 15:40:39 +02:00
ret = mbedtls_net_set_block ( & client_fd ) ;
2014-02-26 13:47:08 +01:00
if ( ret ! = 0 )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! net_set_(non)block() returned -0x%x \n \n " , - ret ) ;
2014-02-26 13:47:08 +01:00
goto exit ;
}
2015-05-11 09:50:24 +02:00
mbedtls_ssl_conf_read_timeout ( & conf , opt . read_timeout ) ;
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
if ( opt . transport = = MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2014-07-22 17:57:43 +02:00
{
2015-05-14 21:52:40 +02:00
if ( ( ret = mbedtls_ssl_set_client_transport_id ( & ssl ,
client_ip , cliip_len ) ) ! = 0 )
2014-07-22 17:57:43 +02:00
{
2017-10-27 14:43:58 +02:00
mbedtls_printf ( " failed \n ! mbedtls_ssl_set_client_transport_id() returned -0x%x \n \n " ,
- ret ) ;
2014-07-22 17:57:43 +02:00
goto exit ;
}
}
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2014-07-22 17:57:43 +02:00
2015-09-16 11:08:34 +02:00
# if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if ( opt . ecjpake_pw ! = DFL_ECJPAKE_PW )
{
if ( ( ret = mbedtls_ssl_set_hs_ecjpake_password ( & ssl ,
( const unsigned char * ) opt . ecjpake_pw ,
strlen ( opt . ecjpake_pw ) ) ) ! = 0 )
{
mbedtls_printf ( " failed \n ! mbedtls_ssl_set_hs_ecjpake_password returned %d \n \n " , ret ) ;
goto exit ;
}
}
# endif
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ok \n " ) ;
2012-09-25 11:05:17 +02:00
/*
* 4. Handshake
*/
2015-09-08 11:58:14 +02:00
handshake :
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Performing the SSL/TLS handshake... " ) ;
2012-09-25 11:05:17 +02:00
fflush ( stdout ) ;
2017-10-10 16:56:37 +02:00
while ( ( ret = mbedtls_ssl_handshake ( & ssl ) ) ! = 0 )
2018-01-05 21:15:57 +01:00
{
2018-04-24 13:09:22 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2018-01-05 21:15:57 +01:00
if ( ret = = MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS & &
2018-01-08 11:28:05 +01:00
ssl_async_keys . inject_error = = SSL_ASYNC_INJECT_ERROR_CANCEL )
2018-01-05 21:15:57 +01:00
{
mbedtls_printf ( " cancelling on injected error \n " ) ;
2018-01-08 11:28:05 +01:00
break ;
2018-01-05 21:15:57 +01:00
}
2018-04-24 13:09:22 +02:00
# endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Merge branch 'mbedtls_ssl_get_key_exchange_md_ssl_tls-return_hashlen' into tls_async_server-2.9
Conflict resolution:
* ChangeLog: put the new entry from my branch in the proper place.
* include/mbedtls/error.h: counted high-level module error codes again.
* include/mbedtls/ssl.h: picked different numeric codes for the
concurrently added errors; made the new error a full sentence per
current standards.
* library/error.c: ran scripts/generate_errors.pl.
* library/ssl_srv.c:
* ssl_prepare_server_key_exchange "DHE key exchanges": the conflict
was due to style corrections in development
(4cb1f4d49cff999d0c853bc696ad7eea68888c35) which I merged with
my refactoring.
* ssl_prepare_server_key_exchange "For key exchanges involving the
server signing", first case, variable declarations: merged line
by line:
* dig_signed_len: added in async
* signature_len: removed in async
* hashlen: type changed to size_t in development
* hash: size changed to MBEDTLS_MD_MAX_SIZE in async
* ret: added in async
* ssl_prepare_server_key_exchange "For key exchanges involving the
server signing", first cae comment: the conflict was due to style
corrections in development (4cb1f4d49cff999d0c853bc696ad7eea68888c35)
which I merged with my comment changes made as part of refactoring
the function.
* ssl_prepare_server_key_exchange "Compute the hash to be signed" if
`md_alg != MBEDTLS_MD_NONE`: conflict between
ebd652fe2dfc2c82d774bfd334398279d9027492
"ssl_write_server_key_exchange: calculate hashlen explicitly" and
46f5a3e9b4d5db3cacfe2ba33480a27317c62d46 "Check return codes from
MD in ssl code". I took the code from commit
ca1d74290439ec9e2723a911657fd96aa320e219 made on top of development
which makes mbedtls_ssl_get_key_exchange_md_ssl_tls return the
hash length.
* programs/ssl/ssl_server2.c: multiple conflicts between the introduction
of MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and new auxiliary functions and
definitions for async support, and the introduction of idle().
* definitions before main: concurrent additions, kept both.
* main, just after `handshake:`: in the loop around
mbedtls_ssl_handshake(), merge the addition of support for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and SSL_ASYNC_INJECT_ERROR_CANCEL
with the addition of the idle() call.
* main, if `opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM`: take the
code from development and add a check for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS.
* main, loop around mbedtls_ssl_read() in the datagram case:
take the code from development and add a check for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
* main, loop around mbedtls_ssl_write() in the datagram case:
take the code from development and add a check for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
2018-04-24 12:18:19 +02:00
2018-04-26 08:05:02 +02:00
if ( ! mbedtls_status_is_ssl_in_progress ( ret ) )
2017-10-10 16:56:37 +02:00
break ;
/* For event-driven IO, wait for socket to become available */
if ( opt . event = = 1 /* level triggered IO */ )
{
# if defined(MBEDTLS_TIMING_C)
2018-03-15 12:35:07 +01:00
ret = idle ( & client_fd , & timer , ret ) ;
2017-10-10 16:56:37 +02:00
# else
2018-03-15 12:35:07 +01:00
ret = idle ( & client_fd , ret ) ;
2017-10-10 16:56:37 +02:00
# endif
2018-03-15 12:35:07 +01:00
if ( ret ! = 0 )
goto reset ;
2017-10-10 16:56:37 +02:00
}
2018-01-05 21:15:57 +01:00
}
2014-10-13 19:04:37 +02:00
2015-04-08 12:49:31 +02:00
if ( ret = = MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
2012-09-25 11:05:17 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " hello verification requested \n " ) ;
2014-10-13 19:04:37 +02:00
ret = 0 ;
goto reset ;
}
else if ( ret ! = 0 )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_ssl_handshake returned -0x%x \n \n " , - ret ) ;
2015-06-22 16:50:52 +02:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
if ( ret = = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
{
char vrfy_buf [ 512 ] ;
2015-08-27 12:02:40 +02:00
flags = mbedtls_ssl_get_verify_result ( & ssl ) ;
2015-06-22 16:50:52 +02:00
mbedtls_x509_crt_verify_info ( vrfy_buf , sizeof ( vrfy_buf ) , " ! " , flags ) ;
mbedtls_printf ( " %s \n " , vrfy_buf ) ;
}
# endif
2018-04-24 13:09:22 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2018-01-08 11:28:05 +01:00
if ( opt . async_private_error < 0 )
/* Injected error only the first time round, to test reset */
ssl_async_keys . inject_error = SSL_ASYNC_INJECT_ERROR_NONE ;
# endif
2014-10-13 19:04:37 +02:00
goto reset ;
}
else /* ret == 0 */
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ok \n [ Protocol is %s ] \n [ Ciphersuite is %s ] \n " ,
mbedtls_ssl_get_version ( & ssl ) , mbedtls_ssl_get_ciphersuite ( & ssl ) ) ;
2012-09-25 11:05:17 +02:00
}
2015-04-08 12:49:31 +02:00
if ( ( ret = mbedtls_ssl_get_record_expansion ( & ssl ) ) > = 0 )
mbedtls_printf ( " [ Record expansion is %d ] \n " , ret ) ;
2014-10-14 17:47:31 +02:00
else
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " [ Record expansion is unknown (compression) ] \n " ) ;
2014-10-14 17:47:31 +02:00
2015-08-31 18:30:52 +02:00
# if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_printf ( " [ Maximum fragment length is %u ] \n " ,
( unsigned int ) mbedtls_ssl_get_max_frag_len ( & ssl ) ) ;
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_ALPN)
2014-04-05 14:34:07 +02:00
if ( opt . alpn_string ! = NULL )
{
2015-04-08 12:49:31 +02:00
const char * alp = mbedtls_ssl_get_alpn_protocol ( & ssl ) ;
mbedtls_printf ( " [ Application Layer Protocol is %s ] \n " ,
2014-04-05 14:34:07 +02:00
alp ? alp : " (none) " ) ;
}
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
2012-09-25 11:05:17 +02:00
/*
2017-06-20 14:23:23 +02:00
* 5. Verify the client certificate
2012-09-25 11:05:17 +02:00
*/
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Verifying peer X.509 certificate... " ) ;
2012-09-25 11:05:17 +02:00
2015-05-11 19:54:43 +02:00
if ( ( flags = mbedtls_ssl_get_verify_result ( & ssl ) ) ! = 0 )
2012-09-25 11:05:17 +02:00
{
2015-04-20 11:56:18 +02:00
char vrfy_buf [ 512 ] ;
2012-09-25 11:05:17 +02:00
2015-04-20 11:56:18 +02:00
mbedtls_printf ( " failed \n " ) ;
2012-09-25 11:05:17 +02:00
2015-05-11 19:54:43 +02:00
mbedtls_x509_crt_verify_info ( vrfy_buf , sizeof ( vrfy_buf ) , " ! " , flags ) ;
2012-09-25 11:05:17 +02:00
2015-04-20 11:56:18 +02:00
mbedtls_printf ( " %s \n " , vrfy_buf ) ;
2012-09-25 11:05:17 +02:00
}
else
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ok \n " ) ;
2012-09-25 11:05:17 +02:00
2015-06-27 14:38:51 +02:00
if ( mbedtls_ssl_get_peer_cert ( & ssl ) ! = NULL )
2012-09-25 11:05:17 +02:00
{
2015-06-27 14:38:51 +02:00
char crt_buf [ 512 ] ;
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Peer certificate information ... \n " ) ;
2015-06-27 14:38:51 +02:00
mbedtls_x509_crt_info ( crt_buf , sizeof ( crt_buf ) , " " ,
2015-04-08 12:49:31 +02:00
mbedtls_ssl_get_peer_cert ( & ssl ) ) ;
2015-07-02 11:15:48 +02:00
mbedtls_printf ( " %s \n " , crt_buf ) ;
2012-09-25 11:05:17 +02:00
}
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_X509_CRT_PARSE_C */
2012-09-25 11:05:17 +02:00
2019-05-12 10:03:32 +02:00
# if defined(MBEDTLS_SSL_EXPORT_KEYS)
2019-05-12 13:54:30 +02:00
if ( opt . eap_tls ! = 0 )
2019-05-12 10:03:32 +02:00
{
size_t j = 0 ;
2019-05-12 13:54:30 +02:00
if ( ( ret = mbedtls_ssl_tls_prf ( eap_tls_keying . tls_prf_type ,
eap_tls_keying . master_secret ,
sizeof ( eap_tls_keying . master_secret ) ,
eap_tls_label ,
eap_tls_keying . randbytes ,
sizeof ( eap_tls_keying . randbytes ) ,
eap_tls_keymaterial ,
sizeof ( eap_tls_keymaterial ) ) )
! = 0 )
{
mbedtls_printf ( " failed \n ! mbedtls_ssl_tls_prf returned -0x%x \n \n " ,
- ret ) ;
goto exit ;
}
2019-05-12 10:03:32 +02:00
mbedtls_printf ( " EAP-TLS key material is: " ) ;
for ( j = 0 ; j < sizeof ( eap_tls_keymaterial ) ; j + + )
{
if ( j % 8 = = 0 )
mbedtls_printf ( " \n " ) ;
mbedtls_printf ( " %02x " , eap_tls_keymaterial [ j ] ) ;
}
mbedtls_printf ( " \n " ) ;
2019-05-12 13:54:30 +02:00
if ( ( ret = mbedtls_ssl_tls_prf ( eap_tls_keying . tls_prf_type , NULL , 0 ,
eap_tls_label ,
eap_tls_keying . randbytes ,
sizeof ( eap_tls_keying . randbytes ) ,
eap_tls_iv ,
sizeof ( eap_tls_iv ) ) ) ! = 0 )
{
mbedtls_printf ( " failed \n ! mbedtls_ssl_tls_prf returned -0x%x \n \n " ,
- ret ) ;
goto exit ;
}
2019-05-12 10:03:32 +02:00
mbedtls_printf ( " EAP-TLS IV is: " ) ;
for ( j = 0 ; j < sizeof ( eap_tls_iv ) ; j + + )
{
if ( j % 8 = = 0 )
mbedtls_printf ( " \n " ) ;
mbedtls_printf ( " %02x " , eap_tls_iv [ j ] ) ;
}
mbedtls_printf ( " \n " ) ;
}
# endif
2014-10-09 15:33:13 +02:00
if ( opt . exchanges = = 0 )
goto close_notify ;
2015-01-22 11:33:29 +01:00
exchanges_left = opt . exchanges ;
2014-08-15 12:07:38 +02:00
data_exchange :
2012-09-25 11:05:17 +02:00
/*
* 6. Read the HTTP Request
*/
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " < Read from client: " ) ;
2012-09-25 11:05:17 +02:00
fflush ( stdout ) ;
2014-10-06 18:11:43 +02:00
/*
* TLS and DTLS need different reading styles ( stream vs datagram )
*/
2015-04-08 12:49:31 +02:00
if ( opt . transport = = MBEDTLS_SSL_TRANSPORT_STREAM )
2014-10-06 18:11:43 +02:00
{
do
{
int terminated = 0 ;
2017-10-12 13:50:29 +02:00
len = opt . buffer_size - 1 ;
memset ( buf , 0 , opt . buffer_size ) ;
2015-04-08 12:49:31 +02:00
ret = mbedtls_ssl_read ( & ssl , buf , len ) ;
2014-10-06 18:11:43 +02:00
2018-04-26 08:05:02 +02:00
if ( mbedtls_status_is_ssl_in_progress ( ret ) )
2017-10-10 16:56:37 +02:00
{
if ( opt . event = = 1 /* level triggered IO */ )
{
# if defined(MBEDTLS_TIMING_C)
2017-10-31 11:58:53 +01:00
idle ( & client_fd , & timer , ret ) ;
2017-10-10 16:56:37 +02:00
# else
2017-10-31 11:58:53 +01:00
idle ( & client_fd , ret ) ;
2017-10-10 16:56:37 +02:00
# endif
}
2014-10-06 18:11:43 +02:00
continue ;
2017-10-10 16:56:37 +02:00
}
2014-10-06 18:11:43 +02:00
if ( ret < = 0 )
{
switch ( ret )
{
2015-04-08 12:49:31 +02:00
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY :
mbedtls_printf ( " connection was closed gracefully \n " ) ;
2014-10-06 18:11:43 +02:00
goto close_notify ;
case 0 :
2015-04-08 12:49:31 +02:00
case MBEDTLS_ERR_NET_CONN_RESET :
mbedtls_printf ( " connection was reset by peer \n " ) ;
ret = MBEDTLS_ERR_NET_CONN_RESET ;
2014-10-06 18:11:43 +02:00
goto reset ;
default :
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " mbedtls_ssl_read returned -0x%x \n " , - ret ) ;
2014-10-06 18:11:43 +02:00
goto reset ;
}
}
2015-04-08 12:49:31 +02:00
if ( mbedtls_ssl_get_bytes_avail ( & ssl ) = = 0 )
2014-10-06 18:11:43 +02:00
{
len = ret ;
buf [ len ] = ' \0 ' ;
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " %d bytes read \n \n %s \n " , len , ( char * ) buf ) ;
2014-10-06 18:11:43 +02:00
/* End of message should be detected according to the syntax of the
* application protocol ( eg HTTP ) , just use a dummy test here . */
if ( buf [ len - 1 ] = = ' \n ' )
terminated = 1 ;
}
else
{
int extra_len , ori_len ;
unsigned char * larger_buf ;
ori_len = ret ;
2015-07-01 15:51:43 +02:00
extra_len = ( int ) mbedtls_ssl_get_bytes_avail ( & ssl ) ;
2014-10-06 18:11:43 +02:00
2015-05-26 16:04:06 +02:00
larger_buf = mbedtls_calloc ( 1 , ori_len + extra_len + 1 ) ;
2014-10-06 18:11:43 +02:00
if ( larger_buf = = NULL )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ! memory allocation failed \n " ) ;
2014-10-06 18:11:43 +02:00
ret = 1 ;
goto reset ;
}
memset ( larger_buf , 0 , ori_len + extra_len ) ;
memcpy ( larger_buf , buf , ori_len ) ;
/* This read should never fail and get the whole cached data */
2015-04-08 12:49:31 +02:00
ret = mbedtls_ssl_read ( & ssl , larger_buf + ori_len , extra_len ) ;
2014-10-06 18:11:43 +02:00
if ( ret ! = extra_len | |
2015-04-08 12:49:31 +02:00
mbedtls_ssl_get_bytes_avail ( & ssl ) ! = 0 )
2014-10-06 18:11:43 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ! mbedtls_ssl_read failed on cached data \n " ) ;
2014-10-06 18:11:43 +02:00
ret = 1 ;
goto reset ;
}
larger_buf [ ori_len + extra_len ] = ' \0 ' ;
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " %u bytes read (%u + %u) \n \n %s \n " ,
2014-10-06 18:11:43 +02:00
ori_len + extra_len , ori_len , extra_len ,
( char * ) larger_buf ) ;
/* End of message should be detected according to the syntax of the
* application protocol ( eg HTTP ) , just use a dummy test here . */
if ( larger_buf [ ori_len + extra_len - 1 ] = = ' \n ' )
terminated = 1 ;
2015-04-08 12:49:31 +02:00
mbedtls_free ( larger_buf ) ;
2014-10-06 18:11:43 +02:00
}
if ( terminated )
{
ret = 0 ;
break ;
}
}
while ( 1 ) ;
}
else /* Not stream, so datagram */
2012-09-25 11:05:17 +02:00
{
2017-10-12 13:50:29 +02:00
len = opt . buffer_size - 1 ;
memset ( buf , 0 , opt . buffer_size ) ;
2012-09-25 11:05:17 +02:00
Merge branch 'mbedtls_ssl_get_key_exchange_md_ssl_tls-return_hashlen' into tls_async_server-2.9
Conflict resolution:
* ChangeLog: put the new entry from my branch in the proper place.
* include/mbedtls/error.h: counted high-level module error codes again.
* include/mbedtls/ssl.h: picked different numeric codes for the
concurrently added errors; made the new error a full sentence per
current standards.
* library/error.c: ran scripts/generate_errors.pl.
* library/ssl_srv.c:
* ssl_prepare_server_key_exchange "DHE key exchanges": the conflict
was due to style corrections in development
(4cb1f4d49cff999d0c853bc696ad7eea68888c35) which I merged with
my refactoring.
* ssl_prepare_server_key_exchange "For key exchanges involving the
server signing", first case, variable declarations: merged line
by line:
* dig_signed_len: added in async
* signature_len: removed in async
* hashlen: type changed to size_t in development
* hash: size changed to MBEDTLS_MD_MAX_SIZE in async
* ret: added in async
* ssl_prepare_server_key_exchange "For key exchanges involving the
server signing", first cae comment: the conflict was due to style
corrections in development (4cb1f4d49cff999d0c853bc696ad7eea68888c35)
which I merged with my comment changes made as part of refactoring
the function.
* ssl_prepare_server_key_exchange "Compute the hash to be signed" if
`md_alg != MBEDTLS_MD_NONE`: conflict between
ebd652fe2dfc2c82d774bfd334398279d9027492
"ssl_write_server_key_exchange: calculate hashlen explicitly" and
46f5a3e9b4d5db3cacfe2ba33480a27317c62d46 "Check return codes from
MD in ssl code". I took the code from commit
ca1d74290439ec9e2723a911657fd96aa320e219 made on top of development
which makes mbedtls_ssl_get_key_exchange_md_ssl_tls return the
hash length.
* programs/ssl/ssl_server2.c: multiple conflicts between the introduction
of MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and new auxiliary functions and
definitions for async support, and the introduction of idle().
* definitions before main: concurrent additions, kept both.
* main, just after `handshake:`: in the loop around
mbedtls_ssl_handshake(), merge the addition of support for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and SSL_ASYNC_INJECT_ERROR_CANCEL
with the addition of the idle() call.
* main, if `opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM`: take the
code from development and add a check for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS.
* main, loop around mbedtls_ssl_read() in the datagram case:
take the code from development and add a check for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
* main, loop around mbedtls_ssl_write() in the datagram case:
take the code from development and add a check for
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
2018-04-24 12:18:19 +02:00
do
2017-10-10 16:56:37 +02:00
{
2018-03-13 12:39:09 +01:00
/* Without the call to `mbedtls_ssl_check_pending`, it might
* happen that the client sends application data in the same
* datagram as the Finished message concluding the handshake .
* In this case , the application data would be ready to be
* processed while the underlying transport wouldn ' t signal
* any further incoming data .
*
* See the test ' Event - driven I / O : session - id resume , UDP packing '
* in tests / ssl - opt . sh .
*/
2017-10-10 16:56:37 +02:00
/* For event-driven IO, wait for socket to become available */
2018-03-13 12:39:09 +01:00
if ( mbedtls_ssl_check_pending ( & ssl ) = = 0 & &
opt . event = = 1 /* level triggered IO */ )
2017-10-10 16:56:37 +02:00
{
# if defined(MBEDTLS_TIMING_C)
2018-03-13 12:39:09 +01:00
idle ( & client_fd , & timer , MBEDTLS_ERR_SSL_WANT_READ ) ;
2017-10-10 16:56:37 +02:00
# else
2018-03-13 12:39:09 +01:00
idle ( & client_fd , MBEDTLS_ERR_SSL_WANT_READ ) ;
2017-10-10 16:56:37 +02:00
# endif
}
2018-03-13 12:39:09 +01:00
ret = mbedtls_ssl_read ( & ssl , buf , len ) ;
/* Note that even if `mbedtls_ssl_check_pending` returns true,
* it can happen that the subsequent call to ` mbedtls_ssl_read `
* returns ` MBEDTLS_ERR_SSL_WANT_READ ` , because the pending messages
* might be discarded ( e . g . because they are retransmissions ) . */
2017-10-10 16:56:37 +02:00
}
2018-04-26 08:05:02 +02:00
while ( mbedtls_status_is_ssl_in_progress ( ret ) ) ;
2012-09-25 11:05:17 +02:00
if ( ret < = 0 )
{
switch ( ret )
{
2015-04-08 12:49:31 +02:00
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY :
mbedtls_printf ( " connection was closed gracefully \n " ) ;
2014-10-06 18:11:43 +02:00
ret = 0 ;
2014-08-16 11:28:40 +02:00
goto close_notify ;
2012-09-25 11:05:17 +02:00
default :
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " mbedtls_ssl_read returned -0x%x \n " , - ret ) ;
2014-08-15 12:07:38 +02:00
goto reset ;
2012-09-25 11:05:17 +02:00
}
}
2014-10-06 18:11:43 +02:00
len = ret ;
buf [ len ] = ' \0 ' ;
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " %d bytes read \n \n %s " , len , ( char * ) buf ) ;
2014-10-06 18:11:43 +02:00
ret = 0 ;
2012-09-25 11:05:17 +02:00
}
/*
2014-08-15 12:07:38 +02:00
* 7 a . Request renegotiation while client is waiting for input from us .
2014-10-15 12:44:41 +02:00
* ( only on the first exchange , to be able to test retransmission )
2012-09-25 11:05:17 +02:00
*/
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_RENEGOTIATION)
2015-01-22 14:30:33 +01:00
if ( opt . renegotiate & & exchanges_left = = opt . exchanges )
2014-08-19 12:59:03 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Requestion renegotiation... " ) ;
2014-08-19 12:59:03 +02:00
fflush ( stdout ) ;
2014-08-15 12:07:38 +02:00
2015-04-08 12:49:31 +02:00
while ( ( ret = mbedtls_ssl_renegotiate ( & ssl ) ) ! = 0 )
2014-08-19 12:59:03 +02:00
{
2018-04-26 08:05:02 +02:00
if ( ! mbedtls_status_is_ssl_in_progress ( ret ) )
2014-08-19 12:59:03 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_ssl_renegotiate returned %d \n \n " , ret ) ;
2014-08-19 12:59:03 +02:00
goto reset ;
}
2017-10-10 16:56:37 +02:00
/* For event-driven IO, wait for socket to become available */
if ( opt . event = = 1 /* level triggered IO */ )
{
# if defined(MBEDTLS_TIMING_C)
2017-10-31 11:58:53 +01:00
idle ( & client_fd , & timer , ret ) ;
2017-10-10 16:56:37 +02:00
# else
2017-10-31 11:58:53 +01:00
idle ( & client_fd , ret ) ;
2017-10-10 16:56:37 +02:00
# endif
}
2014-08-19 12:59:03 +02:00
}
2014-08-15 12:07:38 +02:00
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " ok \n " ) ;
2014-08-19 12:59:03 +02:00
}
2015-04-08 12:49:31 +02:00
# endif /* MBEDTLS_SSL_RENEGOTIATION */
2014-08-19 12:59:03 +02:00
2014-08-15 12:07:38 +02:00
/*
* 7. Write the 200 Response
*/
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " > Write to client: " ) ;
2012-09-25 11:05:17 +02:00
fflush ( stdout ) ;
len = sprintf ( ( char * ) buf , HTTP_RESPONSE ,
2015-04-08 12:49:31 +02:00
mbedtls_ssl_get_ciphersuite ( & ssl ) ) ;
2012-09-25 11:05:17 +02:00
2017-10-12 13:50:29 +02:00
/* Add padding to the response to reach opt.response_size in length */
if ( opt . response_size ! = DFL_RESPONSE_SIZE & &
len < opt . response_size )
{
memset ( buf + len , ' B ' , opt . response_size - len ) ;
len + = opt . response_size - len ;
}
/* Truncate if response size is smaller than the "natural" size */
if ( opt . response_size ! = DFL_RESPONSE_SIZE & &
len > opt . response_size )
{
len = opt . response_size ;
/* Still end with \r\n unless that's really not possible */
if ( len > = 2 ) buf [ len - 2 ] = ' \r ' ;
if ( len > = 1 ) buf [ len - 1 ] = ' \n ' ;
}
2015-04-08 12:49:31 +02:00
if ( opt . transport = = MBEDTLS_SSL_TRANSPORT_STREAM )
2012-09-25 11:05:17 +02:00
{
2014-10-13 18:38:36 +02:00
for ( written = 0 , frags = 0 ; written < len ; written + = ret , frags + + )
2012-09-25 11:05:17 +02:00
{
2015-04-08 12:49:31 +02:00
while ( ( ret = mbedtls_ssl_write ( & ssl , buf + written , len - written ) )
2014-10-13 18:38:36 +02:00
< = 0 )
2013-07-17 15:34:17 +02:00
{
2015-04-08 12:49:31 +02:00
if ( ret = = MBEDTLS_ERR_NET_CONN_RESET )
2014-10-13 18:38:36 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! peer closed the connection \n \n " ) ;
2014-10-13 18:38:36 +02:00
goto reset ;
}
2012-09-25 11:05:17 +02:00
2018-04-26 08:05:02 +02:00
if ( ! mbedtls_status_is_ssl_in_progress ( ret ) )
2014-10-13 18:38:36 +02:00
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_ssl_write returned %d \n \n " , ret ) ;
2014-10-13 18:38:36 +02:00
goto reset ;
}
2017-10-10 16:56:37 +02:00
/* For event-driven IO, wait for socket to become available */
if ( opt . event = = 1 /* level triggered IO */ )
{
# if defined(MBEDTLS_TIMING_C)
2017-10-31 11:58:53 +01:00
idle ( & client_fd , & timer , ret ) ;
2017-10-10 16:56:37 +02:00
# else
2017-10-31 11:58:53 +01:00
idle ( & client_fd , ret ) ;
2017-10-10 16:56:37 +02:00
# endif
}
2013-07-17 15:34:17 +02:00
}
2012-09-25 11:05:17 +02:00
}
}
2014-10-13 18:38:36 +02:00
else /* Not stream, so datagram */
{
2017-10-10 16:56:37 +02:00
while ( 1 )
{
ret = mbedtls_ssl_write ( & ssl , buf , len ) ;
2018-04-26 08:05:02 +02:00
if ( ! mbedtls_status_is_ssl_in_progress ( ret ) )
2017-10-10 16:56:37 +02:00
break ;
/* For event-driven IO, wait for socket to become available */
if ( opt . event = = 1 /* level triggered IO */ )
{
# if defined(MBEDTLS_TIMING_C)
2017-10-31 11:58:53 +01:00
idle ( & client_fd , & timer , ret ) ;
2017-10-10 16:56:37 +02:00
# else
2017-10-31 11:58:53 +01:00
idle ( & client_fd , ret ) ;
2017-10-10 16:56:37 +02:00
# endif
}
}
2014-10-13 18:38:36 +02:00
if ( ret < 0 )
{
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " failed \n ! mbedtls_ssl_write returned %d \n \n " , ret ) ;
2014-10-13 18:38:36 +02:00
goto reset ;
}
frags = 1 ;
written = ret ;
}
2012-09-25 11:05:17 +02:00
2013-07-17 15:34:17 +02:00
buf [ written ] = ' \0 ' ;
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " %d bytes written in %d fragments \n \n %s \n " , written , frags , ( char * ) buf ) ;
2015-01-14 10:46:08 +01:00
ret = 0 ;
2014-02-20 17:19:59 +01:00
2014-08-15 12:07:38 +02:00
/*
* 7 b . Continue doing data exchanges ?
*/
2015-01-22 11:33:29 +01:00
if ( - - exchanges_left > 0 )
2014-08-15 12:07:38 +02:00
goto data_exchange ;
2013-10-29 18:17:41 +01:00
2014-08-16 11:28:40 +02:00
/*
2014-08-15 12:07:38 +02:00
* 8. Done , cleanly close the connection
2014-08-16 11:28:40 +02:00
*/
close_notify :
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Closing the connection... " ) ;
2014-03-25 11:24:43 +01:00
2014-10-09 19:56:44 +02:00
/* No error checking, the connection might be closed already */
2015-04-08 12:49:31 +02:00
do ret = mbedtls_ssl_close_notify ( & ssl ) ;
2015-05-06 17:19:31 +02:00
while ( ret = = MBEDTLS_ERR_SSL_WANT_WRITE ) ;
2014-10-09 19:56:44 +02:00
ret = 0 ;
2014-08-16 11:28:40 +02:00
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " done \n " ) ;
2015-01-19 15:26:37 +01:00
2012-09-25 11:05:17 +02:00
goto reset ;
2014-08-16 11:28:40 +02:00
/*
* Cleanup and exit
*/
2012-09-25 11:05:17 +02:00
exit :
2015-04-08 12:49:31 +02:00
# ifdef MBEDTLS_ERROR_C
2012-09-25 11:05:17 +02:00
if ( ret ! = 0 )
{
char error_buf [ 100 ] ;
2015-04-08 12:49:31 +02:00
mbedtls_strerror ( ret , error_buf , 100 ) ;
mbedtls_printf ( " Last error was: -0x%X - %s \n \n " , - ret , error_buf ) ;
2012-09-25 11:05:17 +02:00
}
# endif
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " . Cleaning up... " ) ;
2014-11-21 11:54:41 +01:00
fflush ( stdout ) ;
2015-06-30 15:55:03 +02:00
mbedtls_net_free ( & client_fd ) ;
mbedtls_net_free ( & listen_fd ) ;
2014-04-17 16:02:36 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
mbedtls_dhm_free ( & dhm ) ;
2014-06-18 16:44:11 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_free ( & cacert ) ;
mbedtls_x509_crt_free ( & srvcert ) ;
mbedtls_pk_free ( & pkey ) ;
mbedtls_x509_crt_free ( & srvcert2 ) ;
mbedtls_pk_free ( & pkey2 ) ;
2013-04-18 22:46:23 +02:00
# endif
2018-06-13 18:09:28 +02:00
# if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
for ( i = 0 ; ( size_t ) i < ssl_async_keys . slots_used ; i + + )
{
if ( ssl_async_keys . slots [ i ] . pk_owned )
{
mbedtls_pk_free ( ssl_async_keys . slots [ i ] . pk ) ;
mbedtls_free ( ssl_async_keys . slots [ i ] . pk ) ;
ssl_async_keys . slots [ i ] . pk = NULL ;
}
}
# endif
2015-04-03 16:41:52 +02:00
# if defined(SNI_OPTION)
2014-02-21 16:52:06 +01:00
sni_free ( sni_info ) ;
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2018-11-05 14:48:43 +01:00
if ( ( ret = psk_free ( psk_info ) ) ! = 0 )
mbedtls_printf ( " Failed to list of opaque PSKs - error was %d \n " , ret ) ;
2014-06-19 20:56:52 +02:00
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
mbedtls_dhm_free ( & dhm ) ;
2014-06-19 20:56:52 +02:00
# endif
2013-04-18 22:46:23 +02:00
2018-11-05 14:48:43 +01:00
# if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) && \
defined ( MBEDTLS_USE_PSA_CRYPTO )
2018-11-15 14:06:09 +01:00
if ( opt . psk_opaque ! = 0 )
2018-11-05 14:48:43 +01:00
{
/* This is ok even if the slot hasn't been
* initialized ( we might have jumed here
* immediately because of bad cmd line params ,
* for example ) . */
2018-11-15 14:06:09 +01:00
status = psa_destroy_key ( psk_slot ) ;
2018-11-05 14:48:43 +01:00
if ( status ! = PSA_SUCCESS )
{
mbedtls_printf ( " Failed to destroy key slot %u - error was %d " ,
2018-11-15 14:06:09 +01:00
( unsigned ) psk_slot , ( int ) status ) ;
2018-11-05 14:48:43 +01:00
}
}
# endif / * MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED &&
MBEDTLS_USE_PSA_CRYPTO */
2015-04-08 12:49:31 +02:00
mbedtls_ssl_free ( & ssl ) ;
2015-05-04 14:56:36 +02:00
mbedtls_ssl_config_free ( & conf ) ;
2015-04-08 12:49:31 +02:00
mbedtls_ctr_drbg_free ( & ctr_drbg ) ;
mbedtls_entropy_free ( & entropy ) ;
2012-09-25 11:05:17 +02:00
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free ( & cache ) ;
2012-09-25 23:55:46 +02:00
# endif
2015-05-19 15:28:00 +02:00
# if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_ticket_free ( & ticket_ctx ) ;
# endif
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_SSL_COOKIE_C)
mbedtls_ssl_cookie_free ( & cookie_ctx ) ;
2014-07-23 14:56:15 +02:00
# endif
2012-09-25 23:55:46 +02:00
2018-10-09 13:39:13 +02:00
mbedtls_free ( buf ) ;
2015-04-08 12:49:31 +02:00
# if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
# if defined(MBEDTLS_MEMORY_DEBUG)
mbedtls_memory_buffer_alloc_status ( ) ;
2013-07-04 11:52:32 +02:00
# endif
2015-04-08 12:49:31 +02:00
mbedtls_memory_buffer_alloc_free ( ) ;
2013-09-29 14:45:34 +02:00
# endif
2013-07-04 11:52:32 +02:00
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " done. \n " ) ;
2014-11-21 11:54:41 +01:00
2012-09-25 11:05:17 +02:00
# if defined(_WIN32)
2015-04-08 12:49:31 +02:00
mbedtls_printf ( " + Press Enter to exit this program. \n " ) ;
2012-09-25 11:05:17 +02:00
fflush ( stdout ) ; getchar ( ) ;
# endif
2013-07-24 16:28:35 +02:00
// Shell can not handle large exit numbers -> 1 for errors
if ( ret < 0 )
ret = 1 ;
2012-09-25 11:05:17 +02:00
return ( ret ) ;
}
2015-04-08 12:49:31 +02:00
# endif / * MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
MBEDTLS_SSL_SRV_C & & MBEDTLS_NET_C & & MBEDTLS_RSA_C & &
2015-05-13 13:58:56 +02:00
MBEDTLS_CTR_DRBG_C */