TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 24f11a366da5823d57bc6e34d272752acab96d88 / . / library / ssl_tls12_server.c
blob: fc9b860543813a9b3ec243e7b25f95e664b20621 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS server-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6 */
7
Harry Ramsey0f6bc412024-10-04 10:36:54 +0100[diff] [blame]8#include "ssl_misc.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]10#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]11
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]12#include "mbedtls/platform.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]13
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]14#include "mbedtls/ssl.h"
Valerio Settib4f50762024-01-17 10:24:52 +0100[diff] [blame]15#include "debug_internal.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]16#include "mbedtls/error.h"
Andres Amaya Garcia84914062018-04-24 08:40:46 -0500[diff] [blame]17#include "mbedtls/platform_util.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +0200[diff] [blame]18#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]19#include "mbedtls/constant_time.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]20
21#include <string.h>
22
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]23/* Define a local translating function to save code size by not using too many
24 * arguments in each translating place. */
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]25#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
26 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]27static int local_err_translation(psa_status_t status)
28{
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]30 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]31 psa_generic_status_to_mbedtls);
32}
33#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]34#endif
35
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/ecp.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]38#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]41#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]45int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
46 const unsigned char *info,
47 size_t ilen)
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]48{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]49 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
50 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
51 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]52
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]53 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]54
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]55 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
56 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
57 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]58
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]59 memcpy(ssl->cli_id, info, ilen);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]60 ssl->cli_id_len = ilen;
61
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]62 return 0;
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]63}
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]64
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
66 mbedtls_ssl_cookie_write_t *f_cookie_write,
67 mbedtls_ssl_cookie_check_t *f_cookie_check,
68 void *p_cookie)
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]69{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]70 conf->f_cookie_write = f_cookie_write;
71 conf->f_cookie_check = f_cookie_check;
72 conf->p_cookie = p_cookie;
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]73}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]74#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]75
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]76#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]77MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]78static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]79{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]80 if (conf->f_psk != NULL) {
81 return 1;
82 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]83
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]84 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
85 return 0;
86 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]87
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]88
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]89 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
90 return 1;
91 }
Neil Armstrong8ecd6682022-05-05 11:40:35 +0200[diff] [blame]92
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]93 if (conf->psk != NULL && conf->psk_len != 0) {
94 return 1;
95 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]96
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]97 return 0;
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]98}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]99#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]100
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]101MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]102static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
103 const unsigned char *buf,
104 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]105{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]106#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]107 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]108 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109 if (len != 1 + ssl->verify_data_len ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]110 buf[0] != ssl->verify_data_len ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]111 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
112 ssl->verify_data_len) != 0) {
113 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
114 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
115 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
116 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]117 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]118 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]119#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]120 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]121 if (len != 1 || buf[0] != 0x0) {
122 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
123 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
124 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
125 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]126 }
127
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]128 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]129 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]130
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]131 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]132}
133
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]134#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]135 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]136 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]137/*
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]138 * Function for parsing a supported groups (TLS 1.3) or supported elliptic
139 * curves (TLS 1.2) extension.
140 *
141 * The "extension_data" field of a supported groups extension contains a
142 * "NamedGroupList" value (TLS 1.3 RFC8446):
143 * enum {
144 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
145 * x25519(0x001D), x448(0x001E),
146 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
147 * ffdhe6144(0x0103), ffdhe8192(0x0104),
148 * ffdhe_private_use(0x01FC..0x01FF),
149 * ecdhe_private_use(0xFE00..0xFEFF),
150 * (0xFFFF)
151 * } NamedGroup;
152 * struct {
153 * NamedGroup named_group_list<2..2^16-1>;
154 * } NamedGroupList;
155 *
156 * The "extension_data" field of a supported elliptic curves extension contains
157 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
158 * enum {
159 * deprecated(1..22),
160 * secp256r1 (23), secp384r1 (24), secp521r1 (25),
161 * x25519(29), x448(30),
162 * reserved (0xFE00..0xFEFF),
163 * deprecated(0xFF01..0xFF02),
164 * (0xFFFF)
165 * } NamedCurve;
166 * struct {
167 * NamedCurve named_curve_list<2..2^16-1>
168 * } NamedCurveList;
169 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]170 * The TLS 1.3 supported groups extension was defined to be a compatible
171 * generalization of the TLS 1.2 supported elliptic curves extension. They both
172 * share the same extension identifier.
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]173 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]174 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]175MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]176static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
177 const unsigned char *buf,
178 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]179{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]180 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]181 const unsigned char *p;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]182 uint16_t *curves_tls_id;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]183
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]184 if (len < 2) {
185 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
186 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
187 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
188 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]189 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]190 list_size = MBEDTLS_GET_UINT16_BE(buf, 0);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]191 if (list_size + 2 != len ||
192 list_size % 2 != 0) {
193 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
194 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
195 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
196 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]197 }
198
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]199 /* Should never happen unless client duplicates the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]200 if (ssl->handshake->curves_tls_id != NULL) {
201 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
202 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
203 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
204 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]205 }
206
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]207 /* Don't allow our peer to make us allocate too much memory,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]208 * and leave room for a final 0 */
209 our_size = list_size / 2 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]210 if (our_size > MBEDTLS_ECP_DP_MAX) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]211 our_size = MBEDTLS_ECP_DP_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]212 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]213
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]214 if ((curves_tls_id = mbedtls_calloc(our_size,
215 sizeof(*curves_tls_id))) == NULL) {
216 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
217 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
218 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]219 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]220
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]221 ssl->handshake->curves_tls_id = curves_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]222
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]223 p = buf + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]224 while (list_size > 0 && our_size > 1) {
225 uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]226
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]227 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
228 MBEDTLS_ECP_DP_NONE) {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]229 *curves_tls_id++ = curr_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]230 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]231 }
232
233 list_size -= 2;
234 p += 2;
235 }
236
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]237 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]238}
239
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]240MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]241static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
242 const unsigned char *buf,
243 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]244{
245 size_t list_size;
246 const unsigned char *p;
247
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]248 if (len == 0 || (size_t) (buf[0] + 1) != len) {
249 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
250 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
251 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
252 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]253 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]254 list_size = buf[0];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]255
Manuel Pégourié-Gonnardc1b46d02015-09-16 11:18:32 +0200[diff] [blame]256 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]257 while (list_size > 0) {
258 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
259 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]260 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
261 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]262 }
263
264 list_size--;
265 p++;
266 }
267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]268 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]269}
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]270#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]271 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]272 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]273
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]274#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]275MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]276static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
277 const unsigned char *buf,
278 size_t len)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]279{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]280 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]281
Manuel Pégourié-Gonnard58916762025-01-23 10:48:45 +0100[diff] [blame]282 if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]283 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
284 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]285 }
286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]287 if ((ret = mbedtls_psa_ecjpake_read_round(
288 &ssl->handshake->psa_pake_ctx, buf, len,
289 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
290 psa_destroy_key(ssl->handshake->psa_pake_password);
291 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]292
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]293 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]294 mbedtls_ssl_send_alert_message(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]295 ssl,
296 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
297 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]298
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]299 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]300 }
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]301
302 /* Only mark the extension as OK when we're sure it is */
303 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
304
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]305 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]306}
307#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
308
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]309#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]310MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]311static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
312 const unsigned char *buf,
313 size_t len)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]314{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]315 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
316 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
317 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
318 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
319 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]320 }
321
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]322 ssl->session_negotiate->mfl_code = buf[0];
323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]324 return 0;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]325}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]326#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]327
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]328#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]329MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]330static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
331 const unsigned char *buf,
332 size_t len)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]333{
334 size_t peer_cid_len;
335
336 /* CID extension only makes sense in DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]337 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
338 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
339 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
340 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
341 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]342 }
343
344 /*
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]345 * struct {
346 * opaque cid<0..2^8-1>;
347 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]349
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]350 if (len < 1) {
351 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
352 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
353 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
354 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]355 }
356
357 peer_cid_len = *buf++;
358 len--;
359
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]360 if (len != peer_cid_len) {
361 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
362 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
363 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
364 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]365 }
366
367 /* Ignore CID if the user has disabled its use. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]368 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]369 /* Leave ssl->handshake->cid_in_use in its default
370 * value of MBEDTLS_SSL_CID_DISABLED. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]371 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
372 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]373 }
374
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]375 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
376 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
377 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
378 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
379 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]380 }
381
Hanno Becker08556bf2019-05-03 12:43:44 +0100[diff] [blame]382 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]383 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]384 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]385
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
387 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]388
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]389 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]390}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]391#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]393#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]394MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]395static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
396 const unsigned char *buf,
397 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]398{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]399 if (len != 0) {
400 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
401 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
402 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
403 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]404 }
405
406 ((void) buf);
407
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]408 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]409 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]410 }
411
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]412 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]413}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]414#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]416#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]417MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]418static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
419 const unsigned char *buf,
420 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]421{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]422 if (len != 0) {
423 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
424 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
425 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
426 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]427 }
428
429 ((void) buf);
430
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]431 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]432 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]433 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]434
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]435 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]436}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]437#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]438
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]439#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]440MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]441static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
442 unsigned char *buf,
443 size_t len)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]444{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]445 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]446 mbedtls_ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]447
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 mbedtls_ssl_session_init(&session);
Manuel Pégourié-Gonnardbae389b2015-06-24 10:45:58 +0200[diff] [blame]449
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]450 if (ssl->conf->f_ticket_parse == NULL ||
451 ssl->conf->f_ticket_write == NULL) {
452 return 0;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]453 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]454
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]455 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]456 ssl->handshake->new_session_ticket = 1;
457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]460 if (len == 0) {
461 return 0;
462 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]463
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]464#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]465 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
466 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
467 return 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]468 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]469#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]470
471 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]472 * Failures are ok: just ignore the ticket and proceed.
473 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
475 buf, len)) != 0) {
476 mbedtls_ssl_session_free(&session);
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]477
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]478 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
479 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
480 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
481 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
482 } else {
483 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
484 }
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]485
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]486 return 0;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]487 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]488
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]489 /*
490 * Keep the session ID sent by the client, since we MUST send it back to
491 * inform them we're accepting the ticket (RFC 5077 section 3.4)
492 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]493 session.id_len = ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]494 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]496 mbedtls_ssl_session_free(ssl->session_negotiate);
497 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]498
499 /* Zeroize instead of free as we copied the content */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]500 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]501
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]502 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]503
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]504 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]505
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]506 /* Don't send a new ticket after all, this one is OK */
507 ssl->handshake->new_session_ticket = 0;
508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]509 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]510}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]512
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]513#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]514MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]515static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
516 const unsigned char *buf,
517 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]518{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]519 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]520 size_t i, j;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]521 size_t profile_length;
522 uint16_t mki_length;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]523 /*! 2 bytes for profile length and 1 byte for mki len */
524 const size_t size_of_lengths = 3;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]525
526 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]527 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
528 (ssl->conf->dtls_srtp_profile_list == NULL) ||
529 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
530 return 0;
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]531 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]532
533 /* RFC5764 section 4.1.1
534 * uint8 SRTPProtectionProfile[2];
535 *
536 * struct {
537 * SRTPProtectionProfiles SRTPProtectionProfiles;
538 * opaque srtp_mki<0..255>;
539 * } UseSRTPData;
540
541 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]542 */
543
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]544 /*
545 * Min length is 5: at least one protection profile(2 bytes)
546 * and length(2 bytes) + srtp_mki length(1 byte)
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]547 * Check here that we have at least 2 bytes of protection profiles length
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]548 * and one of srtp_mki length
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]549 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]550 if (len < size_of_lengths) {
551 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
552 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
553 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]554 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]555
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]556 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]557
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]558 /* first 2 bytes are protection profile length(in bytes) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]559 profile_length = (buf[0] << 8) | buf[1];
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]560 buf += 2;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]561
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]562 /* The profile length cannot be bigger than input buffer size - lengths fields */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]563 if (profile_length > len - size_of_lengths ||
564 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
565 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
566 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
567 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]568 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]569 /*
570 * parse the extension list values are defined in
571 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
572 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]573 for (j = 0; j < profile_length; j += 2) {
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]574 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]575 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]576
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]577 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
578 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
579 mbedtls_ssl_get_srtp_profile_as_string(
580 client_protection)));
581 } else {
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]582 continue;
583 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]584 /* check if suggested profile is in our list */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]585 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
586 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]587 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]588 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
589 mbedtls_ssl_get_srtp_profile_as_string(
590 client_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]591 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]592 }
593 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]595 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]597 }
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]598 buf += profile_length; /* buf points to the mki length */
599 mki_length = *buf;
600 buf++;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]601
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]602 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
603 mki_length + profile_length + size_of_lengths != len) {
604 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
605 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
606 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]607 }
608
609 /* Parse the mki only if present and mki is supported locally */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]610 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
611 mki_length > 0) {
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]612 ssl->dtls_srtp_info.mki_len = mki_length;
613
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]614 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]616 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
617 ssl->dtls_srtp_info.mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]618 }
619
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]620 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]621}
622#endif /* MBEDTLS_SSL_DTLS_SRTP */
623
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]624/*
625 * Auxiliary functions for ServerHello parsing and related actions
626 */
627
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]628#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]629/*
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]630 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]631 */
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]632#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]633MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634static int ssl_check_key_curve(mbedtls_pk_context *pk,
635 uint16_t *curves_tls_id)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]636{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]637 uint16_t *curr_tls_id = curves_tls_id;
Valerio Settif9362b72023-11-29 08:42:27 +0100[diff] [blame]638 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]639 mbedtls_ecp_group_id curr_grp_id;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]640
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]641 while (*curr_tls_id != 0) {
642 curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
643 if (curr_grp_id == grp_id) {
644 return 0;
645 }
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]646 curr_tls_id++;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]647 }
648
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]649 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]650}
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]651#endif /* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]652
653/*
654 * Try picking a certificate for this ciphersuite,
655 * return 0 on success and -1 on failure.
656 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]657MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]658static int ssl_pick_cert(mbedtls_ssl_context *ssl,
659 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]660{
Glenn Strauss041a3762022-03-15 06:08:29 -0400[diff] [blame]661 mbedtls_ssl_key_cert *cur, *list;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]662 psa_algorithm_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]663 mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]664 psa_key_usage_t pk_usage =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]665 mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]666 uint32_t flags;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]668#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]669 if (ssl->handshake->sni_key_cert != NULL) {
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]670 list = ssl->handshake->sni_key_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]671 } else
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]672#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]673 list = ssl->conf->key_cert;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]674
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]675 int pk_alg_is_none = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]677 if (pk_alg_is_none) {
678 return 0;
Manuel Pégourié-Gonnarde540b492015-07-07 12:44:38 +0200[diff] [blame]679 }
680
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]681 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
682
683 if (list == NULL) {
684 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
685 return -1;
686 }
687
688 for (cur = list; cur != NULL; cur = cur->next) {
Andrzej Kurek7ed01e82020-03-18 11:51:59 -0400[diff] [blame]689 flags = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]690 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
691 cur->cert);
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]692
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]693 int key_type_matches = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]694#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]695 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
696 ssl->conf->f_async_decrypt_start != NULL ||
697 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
698 mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]699#else
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]700 key_type_matches = (
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]701 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]702#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]703 if (!key_type_matches) {
704 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]705 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]706 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]707
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]708 /*
709 * This avoids sending the client a cert it'll reject based on
710 * keyUsage or other extensions.
711 *
712 * It also allows the user to provision different certificates for
713 * different uses based on keyUsage, eg if they want to avoid signing
714 * and decrypting with the same RSA key.
715 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]716 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
Manuel Pégourié-Gonnard7a4aa4d2024-08-09 11:49:12 +0200[diff] [blame]717 MBEDTLS_SSL_IS_CLIENT,
718 MBEDTLS_SSL_VERSION_TLS1_2,
719 &flags) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]720 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
721 "(extended) key usage extension"));
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]722 continue;
723 }
724
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]725#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]726 if (pk_alg == MBEDTLS_PK_ECDSA &&
727 ssl_check_key_curve(&cur->cert->pk,
728 ssl->handshake->curves_tls_id) != 0) {
729 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]730 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]731 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]732#endif
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]733
734 /* If we get there, we got a winner */
735 break;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]736 }
737
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]738 /* Do not update ssl->handshake->key_cert unless there is a match */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]739 if (cur != NULL) {
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]740 ssl->handshake->key_cert = cur;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]741 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
742 ssl->handshake->key_cert->cert);
743 return 0;
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]744 }
745
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]746 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]747}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]748#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]749
750/*
751 * Check if a given ciphersuite is suitable for use with our config/keys/etc
752 * Sets ciphersuite_info only if the suite matches.
753 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]754MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]755static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
756 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]757{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]758 const mbedtls_ssl_ciphersuite_t *suite_info;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]759
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]760#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]761 mbedtls_pk_type_t sig_type;
762#endif
763
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]764 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
765 if (suite_info == NULL) {
766 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
767 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]768 }
769
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]770 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
771 (unsigned int) suite_id, suite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]772
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]773 if (suite_info->min_tls_version > ssl->tls_version ||
774 suite_info->max_tls_version < ssl->tls_version) {
775 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
776 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]777 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]778
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]779#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]780 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
781 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
782 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
783 "not configured or ext missing"));
784 return 0;
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]785 }
786#endif
787
788
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]789#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]790 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]791 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
792 (ssl->handshake->curves_tls_id == NULL ||
793 ssl->handshake->curves_tls_id[0] == 0)) {
794 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
795 "no common elliptic curve"));
796 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]797 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]798#endif
799
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]800#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]801 /* If the ciphersuite requires a pre-shared key and we don't
802 * have one, skip it now rather than failing later */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]803 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
804 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
805 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
806 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]807 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]808#endif
809
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]810#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]811 /*
812 * Final check: if ciphersuite requires us to have a
813 * certificate/key of a particular type:
814 * - select the appropriate certificate if we have one, or
815 * - try the next ciphersuite if we don't
816 * This must be done last since we modify the key_cert list.
817 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]818 if (ssl_pick_cert(ssl, suite_info) != 0) {
819 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
820 "no suitable certificate"));
821 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]822 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]823#endif
824
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]825#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
826 /* If the ciphersuite requires signing, check whether
827 * a suitable hash algorithm is present. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]828 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
829 if (sig_type != MBEDTLS_PK_NONE &&
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]830 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]831 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
832 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
833 "for signature algorithm %u", (unsigned) sig_type));
834 return 0;
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]835 }
836
837#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
838
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]839 *ciphersuite_info = suite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]840 return 0;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]841}
842
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]843/* This function doesn't alert on errors that happen early during
844 ClientHello parsing because they might indicate that the client is
845 not talking SSL/TLS at all and would not understand our alert. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]846MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]847static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]848{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]849 int ret, got_common_suite;
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]850 size_t i, j;
851 size_t ciph_offset, comp_offset, ext_offset;
852 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]853#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]854 size_t cookie_offset, cookie_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]855#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]856 unsigned char *buf, *p, *ext;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]857#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]858 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]859#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]860 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]861 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]862 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]863
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]864 /* If there is no signature-algorithm extension present,
865 * we need to fall back to the default values for allowed
866 * signature-hash pairs. */
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]867#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]868 int sig_hash_alg_ext_present = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]869#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]870
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]871 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]872
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]873 int renegotiating;
874
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]875#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]876read_record_header:
877#endif
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]878 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]879 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]880 * otherwise read it ourselves manually in order to support SSLv2
881 * ClientHello, which doesn't use the same record layer format.
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]882 * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
883 * ClientHello has been already fully fetched by the TLS 1.3 code and the
884 * flag ssl->keep_current_message is raised.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]885 */
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]886 renegotiating = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]887#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]888 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]889#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]890 if (!renegotiating && !ssl->keep_current_message) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]891 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]892 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]893 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
894 return ret;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]895 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]896 }
897
898 buf = ssl->in_hdr;
899
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]900 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]901
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]902 /*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]903 * TLS Client Hello
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]904 *
905 * Record layer:
906 * 0 . 0 message type
907 * 1 . 2 protocol version
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]908 * 3 . 11 DTLS: epoch + record sequence number
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]909 * 3 . 4 message length
910 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]911 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
912 buf[0]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]913
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]914 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
915 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
916 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]917 }
918
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]919 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]920 MBEDTLS_GET_UINT16_BE(ssl->in_len, 0)));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]921
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]922 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
923 buf[1], buf[2]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]924
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]925 /* For DTLS if this is the initial handshake, remember the client sequence
926 * number to use it in our next message (RFC 6347 4.2.1) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]927#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]928 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]929#if defined(MBEDTLS_SSL_RENEGOTIATION)
930 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]931#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]932 ) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]933 /* Epoch should be 0 for initial handshakes */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]934 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
935 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
936 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]937 }
938
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]939 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
940 sizeof(ssl->cur_out_ctr) - 2);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]941
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]942#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]943 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
944 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]945 ssl->next_record_offset = 0;
946 ssl->in_left = 0;
947 goto read_record_header;
948 }
949
950 /* No MAC to check yet, so we can update right now */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]951 mbedtls_ssl_dtls_replay_update(ssl);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]952#endif
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]953 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]954#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]955
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]956 msg_len = MBEDTLS_GET_UINT16_BE(ssl->in_len, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]957
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]958#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]959 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]960 /* Set by mbedtls_ssl_read_record() */
Manuel Pégourié-Gonnardb89c4f32015-01-21 13:24:10 +0000[diff] [blame]961 msg_len = ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 } else
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]963#endif
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]964 {
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]965 if (ssl->keep_current_message) {
966 ssl->keep_current_message = 0;
967 } else {
968 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
969 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
970 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
971 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]972
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]973 if ((ret = mbedtls_ssl_fetch_input(ssl,
974 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
975 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
976 return ret;
977 }
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]978
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]979 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]980#if defined(MBEDTLS_SSL_PROTO_DTLS)
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]981 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
982 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
983 } else
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]984#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]985 ssl->in_left = 0;
986 }
Manuel Pégourié-Gonnardd6b721c2014-03-24 12:13:54 +0100[diff] [blame]987 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]988
989 buf = ssl->in_msg;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]990
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]991 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]992
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]993 ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
994 if (0 != ret) {
995 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
996 return ret;
997 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]998
999 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1000 * Handshake layer:
1001 * 0 . 0 handshake type
1002 * 1 . 3 handshake length
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1003 * 4 . 5 DTLS only: message sequence number
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1004 * 6 . 8 DTLS only: fragment offset
1005 * 9 . 11 DTLS only: fragment length
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1006 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1007 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1008 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1009 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1010 }
1011
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1012 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1013
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1014 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1015 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1016 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1017 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1018 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1019 size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
1020 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
1021 (unsigned) handshake_len));
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1022
1023 /* The record layer has a record size limit of 2^14 - 1 and
1024 * fragmentation is not supported, so buf[1] should be zero. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1025 if (buf[1] != 0) {
1026 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
1027 (unsigned) buf[1]));
1028 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1029 }
1030
1031 /* We don't support fragmentation of ClientHello (yet?) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1032 if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
1033 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
1034 (unsigned) msg_len,
1035 (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1036 (unsigned) handshake_len));
1037 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1038 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1039 }
1040
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1042 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1043 /*
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1044 * Copy the client's handshake message_seq on initial handshakes,
1045 * check sequence number on renego.
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1046 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1047#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1048 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1049 /* This couldn't be done in ssl_prepare_handshake_record() */
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1050 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1051 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1052 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1053 "%u (expected %u)", cli_msg_seq,
1054 ssl->handshake->in_msg_seq));
1055 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1056 }
1057
1058 ssl->handshake->in_msg_seq++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1059 } else
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1060#endif
1061 {
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1062 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1063 ssl->handshake->out_msg_seq = cli_msg_seq;
1064 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1065 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1066 {
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1067 /*
1068 * For now we don't support fragmentation, so make sure
1069 * fragment_offset == 0 and fragment_length == length
1070 */
1071 size_t fragment_offset, fragment_length, length;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1072 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1073 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1074 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1075 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1076 4, ("fragment_offset=%u fragment_length=%u length=%u",
1077 (unsigned) fragment_offset, (unsigned) fragment_length,
1078 (unsigned) length));
1079 if (fragment_offset != 0 || length != fragment_length) {
1080 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1081 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1082 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1083 }
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1084 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1085#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1086
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1087 buf += mbedtls_ssl_hs_hdr_len(ssl);
1088 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1089
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1090 /*
Wenxing Hou3b9de382023-12-14 16:22:01 +0800[diff] [blame]1091 * ClientHello layout:
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1092 * 0 . 1 protocol version
1093 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
Wenxing Hou3b9de382023-12-14 16:22:01 +0800[diff] [blame]1094 * 34 . 34 session id length (1 byte)
1095 * 35 . 34+x session id, where x = session id length from byte 34
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1096 * 35+x . 35+x DTLS only: cookie length (1 byte)
1097 * 36+x . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1098 * .. . .. ciphersuite list length (2 bytes)
1099 * .. . .. ciphersuite list
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1100 * .. . .. compression alg. list length (1 byte)
1101 * .. . .. compression alg. list
1102 * .. . .. extensions length (2 bytes, optional)
1103 * .. . .. extensions (optional)
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1104 */
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1105
1106 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1107 * Minimal length (with everything empty and extensions omitted) is
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1108 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1109 * read at least up to session id length without worrying.
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1110 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1111 if (msg_len < 38) {
1112 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1113 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1114 }
1115
1116 /*
1117 * Check and save the protocol version
1118 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1119 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1120
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]1121 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1122 ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1123 ssl->session_negotiate->tls_version = ssl->tls_version;
Ronald Cron17ef8df2023-11-22 10:29:42 +0100[diff] [blame]1124 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1125
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1126 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1127 MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1128 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1129 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1130 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1131 }
1132
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1133 /*
1134 * Save client random (inc. Unix time)
1135 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1136 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1137
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1138 memcpy(ssl->handshake->randbytes, buf + 2, 32);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1139
1140 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1141 * Check the session ID length and save session ID
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1142 */
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1143 sess_len = buf[34];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1145 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1146 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1147 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1148 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1149 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1150 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1151 }
1152
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1153 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1154
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1155 ssl->session_negotiate->id_len = sess_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1156 memset(ssl->session_negotiate->id, 0,
1157 sizeof(ssl->session_negotiate->id));
1158 memcpy(ssl->session_negotiate->id, buf + 35,
1159 ssl->session_negotiate->id_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1160
1161 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1162 * Check the cookie length and content
1163 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1164#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1165 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1166 cookie_offset = 35 + sess_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1167 cookie_len = buf[cookie_offset];
1168
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1169 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1170 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1171 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1172 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1173 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1174 }
1175
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1176 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1177 buf + cookie_offset + 1, cookie_len);
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1178
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1179#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1180 if (ssl->conf->f_cookie_check != NULL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1181#if defined(MBEDTLS_SSL_RENEGOTIATION)
1182 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1183#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1184 ) {
1185 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1186 buf + cookie_offset + 1, cookie_len,
1187 ssl->cli_id, ssl->cli_id_len) != 0) {
1188 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1189 ssl->handshake->cookie_verify_result = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1190 } else {
1191 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1192 ssl->handshake->cookie_verify_result = 0;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1193 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1194 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1195#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1196 {
1197 /* We know we didn't send a cookie, so it should be empty */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1198 if (cookie_len != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1199 /* This may be an attacker's probe, so don't send an alert */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1200 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1201 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1202 }
1203
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1204 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1205 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1206
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1207 /*
1208 * Check the ciphersuitelist length (will be parsed later)
1209 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1210 ciph_offset = cookie_offset + 1 + cookie_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1211 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1212#endif /* MBEDTLS_SSL_PROTO_DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1213 ciph_offset = 35 + sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1214
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1215 ciph_len = MBEDTLS_GET_UINT16_BE(buf, ciph_offset);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1216
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1217 if (ciph_len < 2 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1218 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1219 (ciph_len % 2) != 0) {
1220 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1221 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1222 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1223 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1224 }
1225
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1226 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1227 buf + ciph_offset + 2, ciph_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1228
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1229 /*
Thomas Daubney20f89a92022-06-20 15:12:19 +0100[diff] [blame]1230 * Check the compression algorithm's length.
1231 * The list contents are ignored because implementing
1232 * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1233 * option supported by Mbed TLS.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1234 */
1235 comp_offset = ciph_offset + 2 + ciph_len;
1236
1237 comp_len = buf[comp_offset];
1238
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1239 if (comp_len < 1 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1240 comp_len > 16 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1241 comp_len + comp_offset + 1 > msg_len) {
1242 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1243 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1244 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1245 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1246 }
1247
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1248 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1249 buf + comp_offset + 1, comp_len);
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1250
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1251 /*
1252 * Check the extension length
1253 */
1254 ext_offset = comp_offset + 1 + comp_len;
1255 if (msg_len > ext_offset) {
1256 if (msg_len < ext_offset + 2) {
1257 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1258 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1259 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1260 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1261 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1262
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1263 ext_len = MBEDTLS_GET_UINT16_BE(buf, ext_offset);
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1264
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1265 if (msg_len != ext_offset + 2 + ext_len) {
1266 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1267 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1268 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1269 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1270 }
1271 } else {
1272 ext_len = 0;
1273 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1274
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1275 ext = buf + ext_offset + 2;
1276 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1277
1278 while (ext_len != 0) {
1279 unsigned int ext_id;
1280 unsigned int ext_size;
1281 if (ext_len < 4) {
1282 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1283 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1284 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1285 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1286 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1287 ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
1288 ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1289
1290 if (ext_size + 4 > ext_len) {
1291 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1292 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1293 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1294 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1295 }
1296 switch (ext_id) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1297#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1298 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1299 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1300 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1301 ext + 4 + ext_size);
1302 if (ret != 0) {
1303 return ret;
1304 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1305 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1306#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1307
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1308 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1309 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1310#if defined(MBEDTLS_SSL_RENEGOTIATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1311 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1312#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1313
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1314 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1315 if (ret != 0) {
1316 return ret;
1317 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1318 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1319
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1320#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1321 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1322 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
Ron Eldor73a38172017-10-03 15:58:26 +0300[diff] [blame]1323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1324 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1325 if (ret != 0) {
1326 return ret;
1327 }
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1328
1329 sig_hash_alg_ext_present = 1;
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1330 break;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1331#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1332
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1333#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1334 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1335 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub47d0f82021-12-20 17:34:40 +0800[diff] [blame]1336 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1337 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1338
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1339 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1340 if (ret != 0) {
1341 return ret;
1342 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1343 break;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1344
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1345 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1346 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1347 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1348
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1349 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1350 if (ret != 0) {
1351 return ret;
1352 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1353 break;
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1354#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1355 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1356 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1357
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1358#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1359 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1360 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1361
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1362 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1363 if (ret != 0) {
1364 return ret;
1365 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1366 break;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1367#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1368
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1369#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1370 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1371 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1372
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1373 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1374 if (ret != 0) {
1375 return ret;
1376 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1377 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1378#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1379
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1380#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1381 case MBEDTLS_TLS_EXT_CID:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1382 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1383
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1384 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1385 if (ret != 0) {
1386 return ret;
1387 }
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1388 break;
Thomas Daubneye1c9a402021-06-15 11:26:43 +0100[diff] [blame]1389#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1391#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1392 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1393 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1394
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1395 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1396 if (ret != 0) {
1397 return ret;
1398 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1399 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1400#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1401
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1402#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1403 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1404 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1405
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1406 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1407 if (ret != 0) {
1408 return ret;
1409 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1410 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1411#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1412
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1413#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1414 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1415 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1416
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1417 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1418 if (ret != 0) {
1419 return ret;
1420 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1421 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1422#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1423
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1424#if defined(MBEDTLS_SSL_ALPN)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1425 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1426 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1427
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1428 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1429 ext + 4 + ext_size);
1430 if (ret != 0) {
1431 return ret;
1432 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1433 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1434#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1435
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1436#if defined(MBEDTLS_SSL_DTLS_SRTP)
1437 case MBEDTLS_TLS_EXT_USE_SRTP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1438 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascald576fdb2020-09-22 10:39:53 +0200[diff] [blame]1439
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1440 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1441 if (ret != 0) {
1442 return ret;
1443 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1444 break;
1445#endif /* MBEDTLS_SSL_DTLS_SRTP */
1446
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1447 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1448 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1449 ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1450 }
Janos Follathc6dab2b2016-05-23 14:27:02 +0100[diff] [blame]1451
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1452 ext_len -= 4 + ext_size;
1453 ext += 4 + ext_size;
1454 }
1455
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1456#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1457
1458 /*
1459 * Try to fall back to default hash SHA1 if the client
1460 * hasn't provided any preferred signature-hash combinations.
1461 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1462 if (!sig_hash_alg_ext_present) {
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1463 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1464 const uint16_t default_sig_algs[] = {
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1465#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1466 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1467 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1468#endif
1469#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1470 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1471 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1472#endif
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1473 MBEDTLS_TLS_SIG_NONE
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1474 };
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1475
Tom Cosgrove6ef9bb32023-03-08 14:19:51 +0000[diff] [blame]1476 MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1477 <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1478 "default_sig_algs is too big");
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1479
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1480 memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1481 }
1482
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1483#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1484
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1485 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1486 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1487 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1488 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1489 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1490 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1492 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1493 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1494 "during renegotiation"));
1495 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1496 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1497 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1498 }
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1499#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1500 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1501 break;
1502 }
1503 }
1504
1505 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1506 * Renegotiation security checks
1507 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1508 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1509 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1510 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1511 handshake_failure = 1;
1512 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1513#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1514 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1515 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1516 renegotiation_info_seen == 0) {
1517 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1518 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1519 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1520 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1521 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1522 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1523 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1524 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1525 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1526 renegotiation_info_seen == 1) {
1527 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1528 handshake_failure = 1;
1529 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1530#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1531
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1532 if (handshake_failure == 1) {
1533 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1534 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1535 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1536 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1537
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1538 /*
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1539 * Server certification selection (after processing TLS extensions)
1540 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1541 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1542 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1543 return ret;
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1544 }
Glenn Strauss69894072022-01-24 12:58:00 -0500[diff] [blame]1545#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1546 ssl->handshake->sni_name = NULL;
1547 ssl->handshake->sni_name_len = 0;
1548#endif
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1549
1550 /*
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1551 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +0200[diff] [blame]1552 * (At the end because we need information from the EC-based extensions
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1553 * and certificate from the SNI callback triggered by the SNI extension
1554 * or certificate from server certificate selection callback.)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1555 */
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1556 got_common_suite = 0;
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]1557 ciphersuites = ssl->conf->ciphersuite_list;
Manuel Pégourié-Gonnard59b81d72013-11-30 17:46:04 +0100[diff] [blame]1558 ciphersuite_info = NULL;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1559
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1560 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1561 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1562 for (i = 0; ciphersuites[i] != 0; i++) {
1563 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1564 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1565 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1566
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1567 got_common_suite = 1;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1568
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1569 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1570 &ciphersuite_info)) != 0) {
1571 return ret;
1572 }
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1573
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1574 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1575 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1576 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1577 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1578 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1579 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1580 for (i = 0; ciphersuites[i] != 0; i++) {
1581 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1582 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1583 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1584 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1585
1586 got_common_suite = 1;
1587
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1588 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1589 &ciphersuite_info)) != 0) {
1590 return ret;
1591 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1592
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1593 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1594 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1595 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1596 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1597 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1598 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1599
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1600 if (got_common_suite) {
1601 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1602 "but none of them usable"));
1603 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1604 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1605 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1606 } else {
1607 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1608 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1609 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1610 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1611 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1612
1613have_ciphersuite:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1614 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]1615
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1616 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1617 ssl->handshake->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1618
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1619 ssl->state++;
1620
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1621#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1622 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1623 mbedtls_ssl_recv_flight_completed(ssl);
1624 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1625#endif
1626
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1627 /* Debugging-only output for testsuite */
1628#if defined(MBEDTLS_DEBUG_C) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1629 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1630 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1631 if (sig_alg != MBEDTLS_PK_NONE) {
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]1632 unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1633 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1634 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1635 sig_hash));
1636 } else {
1637 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1638 "%u - should not happen", (unsigned) sig_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1639 }
1640#endif
1641
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1642 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1643
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1644 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1645}
1646
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1647#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1648static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1649 unsigned char *buf,
1650 size_t *olen)
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1651{
1652 unsigned char *p = buf;
1653 size_t ext_len;
1654 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1655
1656 *olen = 0;
1657
1658 /* Skip writing the extension if we don't want to use it or if
1659 * the client hasn't offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1660 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1661 return;
1662 }
1663
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1664 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1665 * which is at most 255, so the increment cannot overflow. */
1666 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1667 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1668 return;
1669 }
1670
1671 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1672
1673 /*
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1674 * struct {
1675 * opaque cid<0..2^8-1>;
1676 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1677 */
1678 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1679 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1680 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1681 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1682 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1683
1684 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1685 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1686
1687 *olen = ssl->own_cid_len + 5;
1688}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1689#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1690
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1691#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1692static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1693 unsigned char *buf,
1694 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1695{
1696 unsigned char *p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1697 const mbedtls_ssl_ciphersuite_t *suite = NULL;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1698
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1699 /*
1700 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1701 * from a client and then selects a stream or Authenticated Encryption
1702 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1703 * encrypt-then-MAC response extension back to the client."
1704 */
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1705 suite = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1706 ssl->session_negotiate->ciphersuite);
1707 if (suite == NULL) {
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1708 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1709 } else {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1710 mbedtls_ssl_mode_t ssl_mode =
Neil Armstrongab555e02022-04-04 11:07:59 +0200[diff] [blame]1711 mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1712 ssl->session_negotiate->encrypt_then_mac,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1713 suite);
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1714
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1715 if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1716 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1717 }
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1718 }
1719
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1720 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1721 *olen = 0;
1722 return;
1723 }
1724
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1725 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1726
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1727 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1728 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1729
1730 *p++ = 0x00;
1731 *p++ = 0x00;
1732
1733 *olen = 4;
1734}
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1735#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1736
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1738static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1739 unsigned char *buf,
1740 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1741{
1742 unsigned char *p = buf;
1743
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1744 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1745 *olen = 0;
1746 return;
1747 }
1748
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1749 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1750 "extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1751
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1752 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1753 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1754
1755 *p++ = 0x00;
1756 *p++ = 0x00;
1757
1758 *olen = 4;
1759}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1760#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1761
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1762#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1763static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1764 unsigned char *buf,
1765 size_t *olen)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1766{
1767 unsigned char *p = buf;
1768
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1769 if (ssl->handshake->new_session_ticket == 0) {
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1770 *olen = 0;
1771 return;
1772 }
1773
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1774 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1775
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1776 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1777 p += 2;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1778
1779 *p++ = 0x00;
1780 *p++ = 0x00;
1781
1782 *olen = 4;
1783}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1784#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1785
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1786static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1787 unsigned char *buf,
1788 size_t *olen)
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1789{
1790 unsigned char *p = buf;
1791
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1792 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1793 *olen = 0;
1794 return;
1795 }
1796
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1797 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1798
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1799 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1800 p += 2;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1801
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1802#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1803 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1804 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1805 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1806 *p++ = ssl->verify_data_len * 2 & 0xFF;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1807
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1808 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1809 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1810 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1811 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1812 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1813#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1814 {
1815 *p++ = 0x00;
1816 *p++ = 0x01;
1817 *p++ = 0x00;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1818 }
Manuel Pégourié-Gonnard19389752015-06-23 13:46:44 +0200[diff] [blame]1819
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1820 *olen = (size_t) (p - buf);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1821}
1822
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1823#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1824static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1825 unsigned char *buf,
1826 size_t *olen)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1827{
1828 unsigned char *p = buf;
1829
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1830 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1831 *olen = 0;
1832 return;
1833 }
1834
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1835 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1836
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1837 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1838 p += 2;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1839
1840 *p++ = 0x00;
1841 *p++ = 1;
1842
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1843 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1844
1845 *olen = 5;
1846}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1847#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1848
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1849#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1850 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1851 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1852static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1853 unsigned char *buf,
1854 size_t *olen)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1855{
1856 unsigned char *p = buf;
1857 ((void) ssl);
1858
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1859 if ((ssl->handshake->cli_exts &
1860 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
Paul Bakker677377f2013-10-28 12:54:26 +0100[diff] [blame]1861 *olen = 0;
1862 return;
1863 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1864
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1865 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1866
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1867 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1868 p += 2;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1869
1870 *p++ = 0x00;
1871 *p++ = 2;
1872
1873 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1874 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1875
1876 *olen = 6;
1877}
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1878#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1879 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1880 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1881
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1882#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1883static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1884 unsigned char *buf,
1885 size_t *olen)
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1886{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1887 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1888 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1889 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1890 size_t kkpp_len;
1891
1892 *olen = 0;
1893
1894 /* Skip costly computation if not needed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1895 if (ssl->handshake->ciphersuite_info->key_exchange !=
1896 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1897 return;
1898 }
1899
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1900 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1901
1902 if (end - p < 4) {
1903 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1904 return;
1905 }
1906
1907 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1908 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1909
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1910 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1911 p + 2, (size_t) (end - p - 2), &kkpp_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1912 MBEDTLS_ECJPAKE_ROUND_ONE);
1913 if (ret != 0) {
1914 psa_destroy_key(ssl->handshake->psa_pake_password);
1915 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1916 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
Valerio Settia9883642022-11-17 15:34:59 +0100[diff] [blame]1917 return;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1918 }
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1919
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1920 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1921 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1922
1923 *olen = kkpp_len + 4;
1924}
1925#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1926
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1927#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
1928static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1929 unsigned char *buf,
1930 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1931{
Ron Eldor75870ec2018-12-06 17:31:55 +0200[diff] [blame]1932 size_t mki_len = 0, ext_len = 0;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1933 uint16_t profile_value = 0;
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1934 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1935
1936 *olen = 0;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1937
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1938 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1939 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1940 return;
1941 }
1942
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1943 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1944
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1945 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1946 mki_len = ssl->dtls_srtp_info.mki_len;
1947 }
1948
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]1949 /* The extension total size is 9 bytes :
1950 * - 2 bytes for the extension tag
1951 * - 2 bytes for the total size
1952 * - 2 bytes for the protection profile length
1953 * - 2 bytes for the protection profile
1954 * - 1 byte for the mki length
1955 * + the actual mki length
1956 * Check we have enough room in the output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1957 if ((size_t) (end - buf) < mki_len + 9) {
1958 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1959 return;
1960 }
1961
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1962 /* extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1963 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1964 /*
1965 * total length 5 and mki value: only one profile(2 bytes)
1966 * and length(2 bytes) and srtp_mki )
1967 */
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1968 ext_len = 5 + mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1969 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1970
1971 /* protection profile length: 2 */
1972 buf[4] = 0x00;
1973 buf[5] = 0x02;
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1974 profile_value = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1975 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
1976 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
1977 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
1978 } else {
1979 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1980 return;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1981 }
1982
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1983 buf[8] = mki_len & 0xFF;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1984 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1985
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1986 *olen = 9 + mki_len;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1987}
1988#endif /* MBEDTLS_SSL_DTLS_SRTP */
1989
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1990#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1991MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1992static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1993{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1994 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1995 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]1996 unsigned char *cookie_len_byte;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1997
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1998 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1999
2000 /*
2001 * struct {
2002 * ProtocolVersion server_version;
2003 * opaque cookie<0..2^8-1>;
2004 * } HelloVerifyRequest;
2005 */
2006
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]2007 /* The RFC is not clear on this point, but sending the actual negotiated
2008 * version looks like the most interoperable thing to do. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2009 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2010 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2011 p += 2;
2012
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2013 /* If we get here, f_cookie_check is not null */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2014 if (ssl->conf->f_cookie_write == NULL) {
2015 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2016 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2017 }
2018
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2019 /* Skip length byte until we know the length */
2020 cookie_len_byte = p++;
2021
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2022 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2023 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2024 ssl->cli_id, ssl->cli_id_len)) != 0) {
2025 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2026 return ret;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2027 }
2028
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2029 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2030
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2031 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2032
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2033 ssl->out_msglen = (size_t) (p - ssl->out_msg);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2034 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2035 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2036
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2037 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2038
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2039 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2040 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2041 return ret;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2042 }
2043
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2044#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2045 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2046 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2047 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2048 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2049 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]2050#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2051
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2052 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2053
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2054 return 0;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2055}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2056#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2057
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2058static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2059{
2060 int ret;
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2061 mbedtls_ssl_session session_tmp;
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2062 mbedtls_ssl_session * const session = ssl->session_negotiate;
2063
2064 /* Resume is 0 by default, see ssl_handshake_init().
2065 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2066 if (ssl->handshake->resume == 1) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2067 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2068 }
2069 if (session->id_len == 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2070 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2071 }
2072 if (ssl->conf->f_get_cache == NULL) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2073 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2074 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2075#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2076 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2077 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2078 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2079#endif
2080
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2081 mbedtls_ssl_session_init(&session_tmp);
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2082
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2083 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2084 session->id,
2085 session->id_len,
2086 &session_tmp);
2087 if (ret != 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2088 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2089 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2090
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2091 if (session->ciphersuite != session_tmp.ciphersuite) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2092 /* Mismatch between cached and negotiated session */
2093 goto exit;
2094 }
2095
2096 /* Move semantics */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2097 mbedtls_ssl_session_free(session);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2098 *session = session_tmp;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2099 memset(&session_tmp, 0, sizeof(session_tmp));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2100
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2101 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2102 ssl->handshake->resume = 1;
2103
2104exit:
2105
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2106 mbedtls_ssl_session_free(&session_tmp);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2107}
2108
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2109MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2110static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2111{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2112#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]2113 mbedtls_time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2114#endif
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2115 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2116 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2117 unsigned char *buf, *p;
2118
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2119 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2120
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2121#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2122 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2123 ssl->handshake->cookie_verify_result != 0) {
2124 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2125 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2126
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2127 return ssl_write_hello_verify_request(ssl);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2128 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2129#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2130
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2131 /*
2132 * 0 . 0 handshake type
2133 * 1 . 3 handshake length
2134 * 4 . 5 protocol version
2135 * 6 . 9 UNIX time()
2136 * 10 . 37 random bytes
2137 */
2138 buf = ssl->out_msg;
2139 p = buf + 4;
2140
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2141 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]2142 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2143
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2144 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2145 buf[4], buf[5]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2147#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2148 t = mbedtls_time(NULL);
2149 MBEDTLS_PUT_UINT32_BE(t, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2150 p += 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2151
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2152 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2153 (long long) t));
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2154#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2155 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2156 return ret;
2157 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2158
2159 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2160#endif /* MBEDTLS_HAVE_TIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2161
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2162 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2163 return ret;
2164 }
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2165 p += 20;
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2166
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2167#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2168 /*
2169 * RFC 8446
2170 * TLS 1.3 has a downgrade protection mechanism embedded in the server's
2171 * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
2172 * response to a ClientHello MUST set the last 8 bytes of their Random
2173 * value specially in their ServerHello.
2174 */
2175 if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2176 static const unsigned char magic_tls12_downgrade_string[] =
2177 { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
2178
2179 MBEDTLS_STATIC_ASSERT(
2180 sizeof(magic_tls12_downgrade_string) == 8,
2181 "magic_tls12_downgrade_string does not have the expected size");
2182
Ronald Cronfe01ec22023-04-06 09:56:53 +0200[diff] [blame]2183 memcpy(p, magic_tls12_downgrade_string,
2184 sizeof(magic_tls12_downgrade_string));
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2185 } else
2186#endif
2187 {
2188 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
2189 return ret;
2190 }
2191 }
2192 p += 8;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2193
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2194 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2195
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2196 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2197
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2198 ssl_handle_id_based_session_resumption(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2199
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2200 if (ssl->handshake->resume == 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2201 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2202 * New session, create a new session id,
2203 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2204 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205 ssl->state++;
2206
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2207#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2208 ssl->session_negotiate->start = mbedtls_time(NULL);
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]2209#endif
2210
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2211#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2212 if (ssl->handshake->new_session_ticket != 0) {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2213 ssl->session_negotiate->id_len = n = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2214 memset(ssl->session_negotiate->id, 0, 32);
2215 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2216#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2217 {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2218 ssl->session_negotiate->id_len = n = 32;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2219 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2220 n)) != 0) {
2221 return ret;
2222 }
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2223 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2224 } else {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2225 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2226 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2227 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2228 n = ssl->session_negotiate->id_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2229 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2230
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2231 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2232 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2233 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2234 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2235 }
2236
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2237 /*
2238 * 38 . 38 session id length
2239 * 39 . 38+n session id
2240 * 39+n . 40+n chosen ciphersuite
2241 * 41+n . 41+n chosen compression alg.
2242 * 42+n . 43+n extensions length
2243 * 44+n . 43+n+m extensions
2244 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2245 *p++ = (unsigned char) ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2246 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2247 p += ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2248
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2249 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2250 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2251 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2252 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2254 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2255 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2256 *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2257
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2258 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2259 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2260 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2261 (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2262
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2263 /*
2264 * First write extensions, then the total length
2265 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2266 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2267 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2268
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2269#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2270 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2271 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]2272#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2273
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2274#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2275 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]2276 ext_len += olen;
2277#endif
2278
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]2279#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2280 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2281 ext_len += olen;
2282#endif
2283
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2284#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2285 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2286 ext_len += olen;
2287#endif
2288
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2289#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2290 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2291 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2292#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2293
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]2294#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]2295 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2296 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2297 const mbedtls_ssl_ciphersuite_t *suite =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2298 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2299 if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2300 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]2301 ext_len += olen;
2302 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2303#endif
2304
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2305#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2306 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2307 ext_len += olen;
2308#endif
2309
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2310#if defined(MBEDTLS_SSL_ALPN)
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2311 unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2312 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2313 != 0) {
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2314 return ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2315 }
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2316
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2317 ext_len += olen;
2318#endif
2319
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2320#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2321 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]2322 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2323#endif
2324
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2325 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2326 ext_len));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2327
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2328 if (ext_len > 0) {
2329 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani94180e72021-08-20 16:20:44 +0100[diff] [blame]2330 p += 2 + ext_len;
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]2331 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2332
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2333 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2334 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2335 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2336
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2337 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2338
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2339 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2340
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2341 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2342}
2343
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2344#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2345MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2346static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2347{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2348 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2349 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2350
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2351 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2352
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2353 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2354 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2355 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2356 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2357 }
2358
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2359 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2360 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2361}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2362#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2363MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2364static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2365{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2366 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2367 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2368 ssl->handshake->ciphersuite_info;
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2369 uint16_t dn_size, total_dn_size; /* excluding length bytes */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2370 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2371 unsigned char *buf, *p;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2372 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2373 const mbedtls_x509_crt *crt;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2374 int authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2375
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2376 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2377
2378 ssl->state++;
2379
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2380#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2381 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2382 authmode = ssl->handshake->sni_authmode;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2383 } else
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2384#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2385 authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2387 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2388 authmode == MBEDTLS_SSL_VERIFY_NONE) {
2389 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2390 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2391 }
2392
2393 /*
2394 * 0 . 0 handshake type
2395 * 1 . 3 handshake length
2396 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2397 * 5 .. m-1 cert types
2398 * m .. m+1 sig alg length (TLS 1.2 only)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2399 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2400 * n .. n+1 length of all DNs
2401 * n+2 .. n+3 length of DN 1
2402 * n+4 .. ... Distinguished Name #1
2403 * ... .. ... length of DN 2, etc.
2404 */
2405 buf = ssl->out_msg;
2406 p = buf + 4;
2407
2408 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2409 * Supported certificate types
2410 *
2411 * ClientCertificateType certificate_types<1..2^8-1>;
2412 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2413 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2414 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2416#if defined(MBEDTLS_RSA_C)
2417 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2418#endif
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2419#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2420 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2421#endif
2422
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2423 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2424 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2425
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2426 sa_len = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]2427
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2428 /*
2429 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2430 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2431 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2432 *
2433 * struct {
2434 * HashAlgorithm hash;
2435 * SignatureAlgorithm signature;
2436 * } SignatureAndHashAlgorithm;
2437 *
2438 * enum { (255) } HashAlgorithm;
2439 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2440 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2441 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2442 if (sig_alg == NULL) {
2443 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2444 }
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2445
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2446 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2447 unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
Jerry Yu6106fdc2022-01-12 16:36:14 +0800[diff] [blame]2448
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2449 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2450 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2451 }
2452 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2453 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2454 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2455
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2456 /* Write elements at offsets starting from 1 (offset 0 is for the
2457 * length). Thus the offset of each element is the length of the
2458 * partial list including that element. */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2459 sa_len += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2460 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2461
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2462 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2463
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2464 /* Fill in list length. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2465 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2466 sa_len += 2;
2467 p += sa_len;
2468
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2469 /*
2470 * DistinguishedName certificate_authorities<0..2^16-1>;
2471 * opaque DistinguishedName<1..2^16-1>;
2472 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2473 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2474
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]2475 total_dn_size = 0;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2476
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2477 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
Hanno Becker8bf74f32019-03-27 11:01:30 +0000[diff] [blame]2478 /* NOTE: If trusted certificates are provisioned
2479 * via a CA callback (configured through
2480 * `mbedtls_ssl_conf_ca_cb()`, then the
2481 * CertificateRequest is currently left empty. */
2482
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2483#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2484#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2485 if (ssl->handshake->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2486 crt = ssl->handshake->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2487 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2488#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2489 if (ssl->conf->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2490 crt = ssl->conf->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2491 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2492#endif
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2493#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2494 if (ssl->handshake->sni_ca_chain != NULL) {
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2495 crt = ssl->handshake->sni_ca_chain;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2496 } else
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2497#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2498 crt = ssl->conf->ca_chain;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2499
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2500 while (crt != NULL && crt->version != 0) {
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2501 /* It follows from RFC 5280 A.1 that this length
2502 * can be represented in at most 11 bits. */
2503 dn_size = (uint16_t) crt->subject_raw.len;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2504
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2505 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2506 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2507 break;
2508 }
2509
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2510 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2511 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2512 memcpy(p, crt->subject_raw.p, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2513 p += dn_size;
2514
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2515 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2516
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2517 total_dn_size += (unsigned short) (2 + dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2518 crt = crt->next;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2519 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2520 }
2521
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2522 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2523 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2524 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2525 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2526
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2527 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2529 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2530
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2531 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2532}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2533#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2534
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2535#if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2536 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2537MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2538static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2539{
2540 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2541 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2542 mbedtls_pk_context *pk;
2543 mbedtls_pk_type_t pk_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2544 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2545 unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
2546 size_t key_len;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2547#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2548 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2549 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2550 mbedtls_ecp_group_id grp_id;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2551 mbedtls_ecp_keypair *key;
2552#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2553
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2554 pk = mbedtls_ssl_own_key(ssl);
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2555
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2556 if (pk == NULL) {
2557 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2558 }
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2559
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2560 pk_type = mbedtls_pk_get_type(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2561
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2562 switch (pk_type) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2563 case MBEDTLS_PK_OPAQUE:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2564#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2565 case MBEDTLS_PK_ECKEY:
2566 case MBEDTLS_PK_ECKEY_DH:
2567 case MBEDTLS_PK_ECDSA:
2568#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2569 if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2570 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2571 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2572
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2573 /* Get the attributes of the key previously parsed by PK module in
2574 * order to extract its type and length (in bits). */
2575 status = psa_get_key_attributes(pk->priv_id, &key_attributes);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2576 if (status != PSA_SUCCESS) {
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2577 ret = PSA_TO_MBEDTLS_ERR(status);
2578 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2579 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2580 ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2581 ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2582
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2583#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2584 if (pk_type != MBEDTLS_PK_OPAQUE) {
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2585 /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
2586 * module and only have ECDSA capabilities. Since we need
2587 * them for ECDH later, we export and then re-import them with
2588 * proper flags and algorithm. Of course We also set key's type
2589 * and bits that we just got above. */
2590 key_attributes = psa_key_attributes_init();
2591 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2592 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2593 psa_set_key_type(&key_attributes,
2594 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2595 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2596
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2597 status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
2598 if (status != PSA_SUCCESS) {
2599 ret = PSA_TO_MBEDTLS_ERR(status);
2600 goto exit;
2601 }
2602 status = psa_import_key(&key_attributes, buf, key_len,
2603 &ssl->handshake->xxdh_psa_privkey);
2604 if (status != PSA_SUCCESS) {
2605 ret = PSA_TO_MBEDTLS_ERR(status);
2606 goto exit;
2607 }
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2608
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2609 /* Set this key as owned by the TLS library: it will be its duty
2610 * to clear it exit. */
2611 ssl->handshake->xxdh_psa_privkey_is_external = 0;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2612
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2613 ret = 0;
2614 break;
2615 }
2616#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2617
2618 /* Opaque key is created by the user (externally from Mbed TLS)
2619 * so we assume it already has the right algorithm and flags
2620 * set. Just copy its ID as reference. */
2621 ssl->handshake->xxdh_psa_privkey = pk->priv_id;
2622 ssl->handshake->xxdh_psa_privkey_is_external = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2623 ret = 0;
2624 break;
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2625
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2626#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2627 case MBEDTLS_PK_ECKEY:
2628 case MBEDTLS_PK_ECKEY_DH:
2629 case MBEDTLS_PK_ECDSA:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2630 key = mbedtls_pk_ec_rw(*pk);
Valerio Settif9362b72023-11-29 08:42:27 +0100[diff] [blame]2631 grp_id = mbedtls_pk_get_ec_group_id(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2632 if (grp_id == MBEDTLS_ECP_DP_NONE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2633 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2634 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2635 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2636 if (tls_id == 0) {
2637 /* This elliptic curve is not supported */
2638 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2639 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2640
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2641 /* If the above conversion to TLS ID was fine, then also this one will
2642 be, so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2643 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2644 &ssl->handshake->xxdh_psa_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2645
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2646 ssl->handshake->xxdh_psa_type = key_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2647
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2648 key_attributes = psa_key_attributes_init();
2649 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2650 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2651 psa_set_key_type(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2652 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2653 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2654
Gilles Peskine84b9f1b2024-02-19 16:44:29 +0100[diff] [blame]2655 ret = mbedtls_ecp_write_key_ext(key, &key_len, buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2656 if (ret != 0) {
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2657 mbedtls_platform_zeroize(buf, sizeof(buf));
2658 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2659 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2660
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2661 status = psa_import_key(&key_attributes, buf, key_len,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2662 &ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2663 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2664 ret = PSA_TO_MBEDTLS_ERR(status);
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2665 mbedtls_platform_zeroize(buf, sizeof(buf));
2666 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2667 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2668
Valerio Setti6835b4a2023-06-22 09:06:31 +0200[diff] [blame]2669 mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2670 ret = 0;
2671 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2672#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2673 default:
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2674 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2675 }
2676
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2677exit:
2678 psa_reset_key_attributes(&key_attributes);
2679 mbedtls_platform_zeroize(buf, sizeof(buf));
2680
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2681 return ret;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2682}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2683#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2684 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2685
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2686#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2687 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2688MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2689static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2690 size_t *signature_len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2691{
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]2692 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2693 * signature length which will be added in ssl_write_server_key_exchange
2694 * after the call to ssl_prepare_server_key_exchange.
2695 * ssl_write_server_key_exchange also takes care of incrementing
2696 * ssl->out_msglen. */
2697 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2698 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2699 - sig_start);
2700 int ret = ssl->conf->f_async_resume(ssl,
2701 sig_start, signature_len, sig_max_len);
2702 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]2703 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2704 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2705 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2706 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2707 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2708}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2709#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2710 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2711
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]2712/* Prepare the ServerKeyExchange message, up to and including
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]2713 * calculating the signature if any, but excluding formatting the
2714 * signature and sending the message. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2715MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2716static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2717 size_t *signature_len)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]2718{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2719 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2720 ssl->handshake->ciphersuite_info;
2721
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2722#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2723#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine3ce9b902018-01-06 01:34:21 +0100[diff] [blame]2724 unsigned char *dig_signed = NULL;
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2725#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2726#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2727
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2728 (void) ciphersuite_info; /* unused in some configurations */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2729#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine22e695f2018-04-26 00:22:50 +0200[diff] [blame]2730 (void) signature_len;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2731#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2732
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2733#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2734#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2735 size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2736#else
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2737 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2738#endif
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2739#endif
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2740
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2741 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2742
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2743 /*
2744 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2745 * Part 1: Provide key exchange parameters for chosen ciphersuite.
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2746 *
2747 */
2748
2749 /*
2750 * - ECJPAKE key exchanges
2751 */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2752#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2753 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2754 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2755 unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2756 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2757 ssl->out_msglen;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2758 size_t output_offset = 0;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2759 size_t output_len = 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2760
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2761 /*
2762 * The first 3 bytes are:
2763 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2764 * [1, 2] elliptic curve's TLS ID
2765 *
2766 * However since we only support secp256r1 for now, we hardcode its
2767 * TLS ID here
2768 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2769 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2770 MBEDTLS_ECP_DP_SECP256R1);
2771 if (tls_id == 0) {
2772 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2773 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2774 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2775 MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
Valerio Setti819de862022-11-17 18:05:19 +0100[diff] [blame]2776 output_offset += 3;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2777
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2778 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2779 out_p + output_offset,
2780 end_p - out_p - output_offset, &output_len,
2781 MBEDTLS_ECJPAKE_ROUND_TWO);
2782 if (ret != 0) {
2783 psa_destroy_key(ssl->handshake->psa_pake_password);
2784 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2785 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2786 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2787 }
2788
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2789 output_offset += output_len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2790 ssl->out_msglen += output_offset;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2791 }
2792#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2793
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2794 /*
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2795 * For ECDHE key exchanges with PSK, parameters are prefixed by support
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2796 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2797 * we use empty support identity hints here.
2798 **/
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2799#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2800 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2801 ssl->out_msg[ssl->out_msglen++] = 0x00;
2802 ssl->out_msg[ssl->out_msglen++] = 0x00;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2803 }
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2804#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2805
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2806 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2807 * - ECDHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2808 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2809#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2810 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2811 /*
2812 * Ephemeral ECDH parameters:
2813 *
2814 * struct {
2815 * ECParameters curve_params;
2816 * ECPoint public;
2817 * } ServerECDHParams;
2818 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2819 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
Manuel Pégourié-Gonnard6402c352025-01-14 12:23:56 +0100[diff] [blame]2820 const uint16_t *group_list = ssl->conf->group_list;
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2821 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2822 size_t len = 0;
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2823
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2824 /* Match our preference list against the offered curves */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2825 if ((group_list == NULL) || (curr_tls_id == NULL)) {
2826 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2827 }
2828 for (; *group_list != 0; group_list++) {
2829 for (curr_tls_id = ssl->handshake->curves_tls_id;
2830 *curr_tls_id != 0; curr_tls_id++) {
2831 if (*curr_tls_id == *group_list) {
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2832 goto curve_matching_done;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2833 }
2834 }
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2835 }
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +0100[diff] [blame]2836
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2837curve_matching_done:
2838 if (*curr_tls_id == 0) {
2839 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2840 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2841 }
2842
2843 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2844 mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2845
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2846 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2847 psa_key_attributes_t key_attributes;
2848 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2849 uint8_t *p = ssl->out_msg + ssl->out_msglen;
2850 const size_t header_size = 4; // curve_type(1), namedcurve(2),
2851 // data length(1)
2852 const size_t data_length_size = 1;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2853 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2854 size_t ec_bits = 0;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2855
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2856 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2857
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2858 /* Convert EC's TLS ID to PSA key type. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2859 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2860 &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2861 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
2862 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
2863 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2864 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2865 handshake->xxdh_psa_type = key_type;
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2866 handshake->xxdh_psa_bits = ec_bits;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2867
2868 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2869 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2870 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2871 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2872 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2873
2874 /*
2875 * ECParameters curve_params
2876 *
2877 * First byte is curve_type, always named_curve
2878 */
2879 *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
2880
2881 /*
2882 * Next two bytes are the namedcurve value
2883 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2884 MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2885 p += 2;
2886
2887 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2888 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2889 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2890 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2891 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2892 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
2893 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2894 }
2895
2896 /*
2897 * ECPoint public
2898 *
2899 * First byte is data length.
2900 * It will be filled later. p holds now the data length location.
2901 */
2902
2903 /* Export the public part of the ECDH private key from PSA.
2904 * Make one byte space for the length.
2905 */
2906 unsigned char *own_pubkey = p + data_length_size;
2907
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2908 size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
2909 - (own_pubkey - ssl->out_msg));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2910
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2911 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2912 own_pubkey, own_pubkey_max_len,
2913 &len);
2914 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2915 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2916 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2917 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
2918 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2919 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2920 }
2921
2922 /* Store the length of the exported public key. */
2923 *p = (uint8_t) len;
2924
2925 /* Determine full message length. */
2926 len += header_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2927
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2928#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2929 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2930#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2931
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2932 ssl->out_msglen += len;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2933 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2934#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2935
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2936 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2937 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2938 * Part 2: For key exchanges involving the server signing the
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2939 * exchange parameters, compute and add the signature here.
2940 *
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2941 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2942#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2943 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
2944 if (dig_signed == NULL) {
2945 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2946 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Elliott11420382022-05-13 17:43:47 +0100[diff] [blame]2947 }
2948
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2949 size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed);
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2950 size_t hashlen = 0;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]2951 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel51669542022-09-13 12:57:05 +0200[diff] [blame]2952
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2953 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2954
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2955 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2956 * 2.1: Choose hash algorithm:
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]2957 * For TLS 1.2, obey signature-hash-algorithm extension
2958 * to choose appropriate hash.
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2959 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2960
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2961 mbedtls_pk_type_t sig_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2962 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2963
Dave Rodgmanc37ad442023-11-03 23:36:06 +0000[diff] [blame]2964 unsigned char sig_hash =
2965 (unsigned char) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2966 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]2967
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2968 mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]2969
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2970 /* For TLS 1.2, obey signature-hash-algorithm extension
2971 * (RFC 5246, Sec. 7.4.1.4.1). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2972 if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
2973 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2974 /* (... because we choose a cipher suite
2975 * only if there is a matching hash.) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2976 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2977 }
2978
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2979 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2980
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2981 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2982 * 2.2: Compute the hash to be signed
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2983 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2984 if (md_alg != MBEDTLS_MD_NONE) {
2985 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
2986 dig_signed,
2987 dig_signed_len,
2988 md_alg);
2989 if (ret != 0) {
2990 return ret;
2991 }
2992 } else {
2993 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2994 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2995 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2996
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2997 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2998
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2999 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3000 * 2.3: Compute and add the signature
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3001 */
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3002 /*
3003 * We need to specify signature and hash algorithm explicitly through
3004 * a prefix to the signature.
3005 *
3006 * struct {
3007 * HashAlgorithm hash;
3008 * SignatureAlgorithm signature;
3009 * } SignatureAndHashAlgorithm;
3010 *
3011 * struct {
3012 * SignatureAndHashAlgorithm algorithm;
3013 * opaque signature<0..2^16-1>;
3014 * } DigitallySigned;
3015 *
3016 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3017
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3018 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3019 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3020
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3021#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3022 if (ssl->conf->f_async_sign_start != NULL) {
3023 ret = ssl->conf->f_async_sign_start(ssl,
3024 mbedtls_ssl_own_cert(ssl),
3025 md_alg, hash, hashlen);
3026 switch (ret) {
3027 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3028 /* act as if f_async_sign was null */
3029 break;
3030 case 0:
3031 ssl->handshake->async_in_progress = 1;
3032 return ssl_resume_server_key_exchange(ssl, signature_len);
3033 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3034 ssl->handshake->async_in_progress = 1;
3035 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3036 default:
3037 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3038 return ret;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3039 }
3040 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3041#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3042
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3043 if (mbedtls_ssl_own_key(ssl) == NULL) {
3044 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3045 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3046 }
3047
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]3048 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3049 * signature length which will be added in ssl_write_server_key_exchange
3050 * after the call to ssl_prepare_server_key_exchange.
3051 * ssl_write_server_key_exchange also takes care of incrementing
3052 * ssl->out_msglen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3053 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3054 md_alg, hash, hashlen,
3055 ssl->out_msg + ssl->out_msglen + 2,
3056 out_buf_len - ssl->out_msglen - 2,
3057 signature_len,
3058 ssl->conf->f_rng,
3059 ssl->conf->p_rng)) != 0) {
3060 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3061 return ret;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3062 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3063 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3064#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3065
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3066 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3067}
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3068
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3069/* Prepare the ServerKeyExchange message and send it. For ciphersuites
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3070 * that do not include a ServerKeyExchange message, do nothing. Either
3071 * way, if successful, move on to the next step in the SSL state
3072 * machine. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3073MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3074static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3075{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3076 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3077 size_t signature_len = 0;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3078#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3079 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3080 ssl->handshake->ciphersuite_info;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3081#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3082
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3083 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3084
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3085#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3086 /* Extract static ECDH parameters and abort if ServerKeyExchange
3087 * is not needed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3088 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3089 /* For suites involving ECDH, extract DH parameters
3090 * from certificate at this point. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3091#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3092 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3093 ret = ssl_get_ecdh_params_from_cert(ssl);
3094 if (ret != 0) {
3095 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3096 return ret;
Manuel Pégourié-Gonnardb64fb622022-06-10 09:34:20 +0200[diff] [blame]3097 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3098 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3099#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3100
3101 /* Key exchanges not involving ephemeral keys don't use
3102 * ServerKeyExchange, so end here. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3103 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3104 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3105 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3106 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3107#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3108
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3109#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3110 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3111 /* If we have already prepared the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3112 * signature operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3113 if (ssl->handshake->async_in_progress != 0) {
3114 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3115 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3116 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3117#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3118 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3119 {
3120 /* ServerKeyExchange is needed. Prepare the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3121 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3122 }
3123
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3124 if (ret != 0) {
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]3125 /* If we're starting to write a new message, set ssl->out_msglen
3126 * to 0. But if we're resuming after an asynchronous message,
3127 * out_msglen is the amount of data written so far and mst be
3128 * preserved. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3129 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3130 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3131 } else {
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3132 ssl->out_msglen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3133 }
3134 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3135 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3136
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3137 /* If there is a signature, write its length.
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3138 * ssl_prepare_server_key_exchange already wrote the signature
3139 * itself at its proper place in the output buffer. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3140#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3141 if (signature_len != 0) {
3142 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3143 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3145 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3146 ssl->out_msg + ssl->out_msglen,
3147 signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3148
3149 /* Skip over the already-written signature */
3150 ssl->out_msglen += signature_len;
3151 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3152#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3153
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3154 /* Add header and send. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3155 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3156 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3157
3158 ssl->state++;
3159
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3160 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3161 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3162 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3163 }
3164
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3165 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3166 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3167}
3168
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3169MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3170static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3171{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3172 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3173
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3174 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3175
3176 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3177 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3178 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3179
3180 ssl->state++;
3181
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3182#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3183 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3184 mbedtls_ssl_send_flight_completed(ssl);
3185 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3186#endif
3187
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3188 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3189 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3190 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3191 }
3192
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3193#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3194 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3195 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3196 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3197 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3198 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3199#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3200
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3201 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3202
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3203 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3204}
3205
Gilles Peskineac767e52024-09-20 18:08:44 +0200[diff] [blame]3206#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3207
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3208#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3209MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3210static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3211 unsigned char *peer_pms,
3212 size_t *peer_pmslen,
3213 size_t peer_pmssize)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3214{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3215 int ret = ssl->conf->f_async_resume(ssl,
3216 peer_pms, peer_pmslen, peer_pmssize);
3217 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]3218 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3219 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3220 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3221 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3222 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3223}
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3224#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3225
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3226MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3227static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3228 const unsigned char *p,
3229 const unsigned char *end,
3230 unsigned char *peer_pms,
3231 size_t *peer_pmslen,
3232 size_t peer_pmssize)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3233{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3234 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3235
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3236 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3237 if (own_cert == NULL) {
3238 MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3239 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3240 }
3241 mbedtls_pk_context *public_key = &own_cert->pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3242 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3243 size_t len = mbedtls_pk_get_len(public_key);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3244
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3245#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3246 /* If we have already started decoding the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3247 * decryption operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3248 if (ssl->handshake->async_in_progress != 0) {
3249 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3250 return ssl_resume_decrypt_pms(ssl,
3251 peer_pms, peer_pmslen, peer_pmssize);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3252 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3253#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3254
3255 /*
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3256 * Prepare to decrypt the premaster using own private RSA key
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3257 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3258 if (p + 2 > end) {
3259 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3260 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]3261 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3262 if (*p++ != MBEDTLS_BYTE_1(len) ||
3263 *p++ != MBEDTLS_BYTE_0(len)) {
3264 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3265 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3266 }
3267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3268 if (p + len != end) {
3269 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3270 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3271 }
3272
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3273 /*
3274 * Decrypt the premaster secret
3275 */
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3276#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3277 if (ssl->conf->f_async_decrypt_start != NULL) {
3278 ret = ssl->conf->f_async_decrypt_start(ssl,
3279 mbedtls_ssl_own_cert(ssl),
3280 p, len);
3281 switch (ret) {
3282 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3283 /* act as if f_async_decrypt_start was null */
3284 break;
3285 case 0:
3286 ssl->handshake->async_in_progress = 1;
3287 return ssl_resume_decrypt_pms(ssl,
3288 peer_pms,
3289 peer_pmslen,
3290 peer_pmssize);
3291 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3292 ssl->handshake->async_in_progress = 1;
3293 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3294 default:
3295 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3296 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3297 }
3298 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3299#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3300
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3301 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3302 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3303 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3304 }
3305
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3306 ret = mbedtls_pk_decrypt(private_key, p, len,
3307 peer_pms, peer_pmslen, peer_pmssize,
3308 ssl->conf->f_rng, ssl->conf->p_rng);
3309 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3310}
3311
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3312MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3313static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3314 const unsigned char *p,
3315 const unsigned char *end,
3316 size_t pms_offset)
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3317{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3318 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3319 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3320 unsigned char ver[2];
3321 unsigned char fake_pms[48], peer_pms[48];
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3322 size_t peer_pmslen;
3323 mbedtls_ct_condition_t diff;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3324
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3325 /* In case of a failure in decryption, the decryption may write less than
3326 * 2 bytes of output, but we always read the first two bytes. It doesn't
3327 * matter in the end because diff will be nonzero in that case due to
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3328 * ret being nonzero, and we only care whether diff is 0.
3329 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3330 * also makes memory analyzers happy (don't access uninitialized memory,
3331 * even if it's an unsigned char). */
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3332 peer_pms[0] = peer_pms[1] = ~0;
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3333 peer_pmslen = 0;
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3334
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3335 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3336 peer_pms,
3337 &peer_pmslen,
3338 sizeof(peer_pms));
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3339
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3340#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3341 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3342 return ret;
3343 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3344#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3345
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3346 mbedtls_ssl_write_version(ver, ssl->conf->transport,
3347 ssl->session_negotiate->tls_version);
Gilles Peskine2e333372018-04-24 13:22:10 +0200[diff] [blame]3348
3349 /* Avoid data-dependent branches while checking for invalid
3350 * padding, to protect against timing-based Bleichenbacher-type
3351 * attacks. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3352 diff = mbedtls_ct_bool(ret);
Dave Rodgmanb7825ce2023-08-10 11:58:18 +0100[diff] [blame]3353 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
3354 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
3355 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
Manuel Pégourié-Gonnardb9c93d02015-06-23 13:53:15 +0200[diff] [blame]3356
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3357 /*
3358 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3359 * must not cause the connection to end immediately; instead, send a
3360 * bad_record_mac later in the handshake.
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3361 * To protect against timing-based variants of the attack, we must
3362 * not have any branch that depends on whether the decryption was
3363 * successful. In particular, always generate the fake premaster secret,
3364 * regardless of whether it will ultimately influence the output or not.
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3365 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3366 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3367 if (ret != 0) {
Gilles Peskinee1416382018-04-26 10:23:21 +0200[diff] [blame]3368 /* It's ok to abort on an RNG failure, since this does not reveal
3369 * anything about the RSA decryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3370 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3371 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3372
Manuel Pégourié-Gonnard331ba572015-04-20 12:33:57 +0100[diff] [blame]3373#if defined(MBEDTLS_SSL_DEBUG_ALL)
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3374 if (diff != MBEDTLS_CT_FALSE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3375 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3376 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3377#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3378
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3379 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3380 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3381 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3382 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3383 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3384 ssl->handshake->pmslen = 48;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3385
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3386 /* Set pms to either the true or the fake PMS, without
3387 * data-dependent branches. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3388 mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3390 return 0;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3391}
Gilles Peskineac767e52024-09-20 18:08:44 +0200[diff] [blame]3392#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3393
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3394#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3395MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3396static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3397 const unsigned char *end)
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3398{
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3399 int ret = 0;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]3400 uint16_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3402 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3403 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3404 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3405 }
3406
3407 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3408 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3409 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3410 if (end - *p < 2) {
3411 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3412 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3413 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3414
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3415 n = MBEDTLS_GET_UINT16_BE(*p, 0);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3416 *p += 2;
3417
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3418 if (n == 0 || n > end - *p) {
3419 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3420 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3421 }
3422
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3423 if (ssl->conf->f_psk != NULL) {
3424 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3425 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3426 }
3427 } else {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]3428 /* Identity is not a big secret since clients send it in the clear,
3429 * but treat it carefully anyway, just in case */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3430 if (n != ssl->conf->psk_identity_len ||
3431 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3432 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3433 }
3434 }
3435
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3436 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3437 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3438 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3439 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3440 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3441 }
3442
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3443 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3444
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3445 return 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3446}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3447#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3448
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3449MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3450static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3451{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3452 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3453 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3454 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3455
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3456 ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3458 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3459
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3460#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
Gilles Peskineac767e52024-09-20 18:08:44 +0200[diff] [blame]3461 defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine712e9a12024-09-20 18:11:31 +0200[diff] [blame]3462 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3463 (ssl->handshake->async_in_progress != 0)) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3464 /* We've already read a record and there is an asynchronous
3465 * operation in progress to decrypt it. So skip reading the
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3466 * record. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3467 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3468 } else
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3469#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3470 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3471 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3472 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3473 }
3474
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3475 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3476 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnardf8995832014-09-10 08:25:12 +0000[diff] [blame]3477
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3478 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3479 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3480 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3481 }
3482
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3483 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3484 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3485 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3486 }
3487
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3488#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3489 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3490 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3491 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3492 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]3493 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3494 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3495 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3496 size_t data_len = (size_t) (*p++);
3497 size_t buf_len = (size_t) (end - p);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3498 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3499 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3500
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3501 MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key."));
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3502
3503 /*
Przemek Stekiel338b61d2022-03-15 08:03:43 +0100[diff] [blame]3504 * We must have at least two bytes (1 for length, at least 1 for data)
3505 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3506 if (buf_len < 2) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3507 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET,
3508 buf_len));
3509 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3510 }
3511
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3512 if (data_len < 1 || data_len > buf_len) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3513 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET
3514 " > %" MBEDTLS_PRINTF_SIZET,
3515 data_len, buf_len));
3516 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3517 }
3518
3519 /* Store peer's ECDH public key. */
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3520 if (data_len > sizeof(handshake->xxdh_psa_peerkey)) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3521 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
3522 " > %" MBEDTLS_PRINTF_SIZET,
3523 data_len,
3524 sizeof(handshake->xxdh_psa_peerkey)));
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3525 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3526 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3527 memcpy(handshake->xxdh_psa_peerkey, p, data_len);
3528 handshake->xxdh_psa_peerkey_len = data_len;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3529
3530 /* Compute ECDH shared secret. */
3531 status = psa_raw_key_agreement(
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3532 PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
3533 handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3534 handshake->premaster, sizeof(handshake->premaster),
3535 &handshake->pmslen);
3536 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3537 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3538 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3539 if (handshake->xxdh_psa_privkey_is_external == 0) {
3540 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3541 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3542 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3543 return ret;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3544 }
3545
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3546 if (handshake->xxdh_psa_privkey_is_external == 0) {
3547 status = psa_destroy_key(handshake->xxdh_psa_privkey);
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3548
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3549 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3550 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3551 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3552 return ret;
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3553 }
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3554 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3555 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3556 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3557#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3558 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3559 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3560 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3561#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3562 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3563 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3564 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3565 return ret;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3566 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3567
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3568 if (p != end) {
3569 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3570 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3571 }
3572
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3573 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3574#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3575#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3576 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3577 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3578 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
Michael Schuster7e390282024-05-27 20:07:05 +0200[diff] [blame]3579 size_t ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3580
3581 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3582
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3583 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3584 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3585 psa_destroy_key(handshake->xxdh_psa_privkey);
3586 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3587 return ret;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3588 }
3589
3590 /* Keep a copy of the peer's public key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3591 if (p >= end) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3592 psa_destroy_key(handshake->xxdh_psa_privkey);
3593 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3594 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong3cae1672022-04-05 10:01:15 +0200[diff] [blame]3595 }
3596
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3597 ecpoint_len = *(p++);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3598 if ((size_t) (end - p) < ecpoint_len) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3599 psa_destroy_key(handshake->xxdh_psa_privkey);
3600 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3601 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3602 }
3603
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3604 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
3605 the sizes of the FFDH keys which are at least 2048 bits.
3606 The size of the array is thus greater than 256 bytes which is greater than any
3607 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3608#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3609 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
3610 psa_destroy_key(handshake->xxdh_psa_privkey);
3611 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3612 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3613 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]3614#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3615 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
3616 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3617#endif
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3618
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3619 memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
3620 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3621 p += ecpoint_len;
3622
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3623 /* As RFC 5489 section 2, the premaster secret is formed as follows:
Neil Armstrongfdf20cb2022-03-24 09:43:02 +0100[diff] [blame]3624 * - a uint16 containing the length (in octets) of the ECDH computation
3625 * - the octet string produced by the ECDH computation
3626 * - a uint16 containing the length (in octets) of the PSK
3627 * - the PSK itself
3628 */
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3629 unsigned char *psm = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3630 const unsigned char * const psm_end =
3631 psm + sizeof(ssl->handshake->premaster);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3632 /* uint16 to store length (in octets) of the ECDH computation */
3633 const size_t zlen_size = 2;
Neil Armstrong549a3e42022-03-23 18:16:24 +0100[diff] [blame]3634 size_t zlen = 0;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3635
3636 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3637 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3638 handshake->xxdh_psa_privkey,
3639 handshake->xxdh_psa_peerkey,
3640 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3641 psm + zlen_size,
3642 psm_end - (psm + zlen_size),
3643 &zlen);
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3644
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3645 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3646 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3647
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3648 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3649 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3650 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3651 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3652 }
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3653
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3654 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3655 MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3656 psm += zlen_size + zlen;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3657
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3658 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3659#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3660#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3661 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
3662 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
3663 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
3664 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3665 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3666 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3667#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3668#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3669 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3670 if ((ret = mbedtls_psa_ecjpake_read_round(
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]3671 &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3672 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
3673 psa_destroy_key(ssl->handshake->psa_pake_password);
3674 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3675
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3676 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
3677 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3678 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3679 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3680#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3681 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3682 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3683 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3684 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3685
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3686 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3687 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3688 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3689 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3690
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3691 ssl->state++;
3692
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3693 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3694
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3695 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3696}
3697
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3698#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3699MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3700static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3701{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3702 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3703 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3704
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3705 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3706
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3707 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3708 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3709 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3710 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3711 }
3712
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3713 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3714 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3715}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3716#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3717MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3718static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3719{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3720 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3721 size_t i, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3722 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3723 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3724 size_t hashlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3725 mbedtls_pk_type_t pk_alg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3726 mbedtls_md_type_t md_alg;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3727 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3728 ssl->handshake->ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3729 mbedtls_pk_context *peer_pk;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3730
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3731 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3732
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3733 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3734 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3735 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3736 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3737 }
3738
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3739#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3740 if (ssl->session_negotiate->peer_cert == NULL) {
3741 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3742 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3743 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3744 }
3745#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3746 if (ssl->session_negotiate->peer_cert_digest == NULL) {
3747 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3748 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3749 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3750 }
3751#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3752
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3753 /* Read the message without adding it to the checksum */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3754 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
3755 if (0 != ret) {
3756 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
3757 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3758 }
3759
3760 ssl->state++;
3761
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3762 /* Process the message contents */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3763 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
3764 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
3765 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3766 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3767 }
3768
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3769 i = mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3770
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3771#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3772 peer_pk = &ssl->handshake->peer_pubkey;
3773#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3774 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3775 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3776 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3777 }
3778 peer_pk = &ssl->session_negotiate->peer_cert->pk;
3779#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3780
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3781 /*
3782 * struct {
3783 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
3784 * opaque signature<0..2^16-1>;
3785 * } DigitallySigned;
3786 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3787 if (i + 2 > ssl->in_hslen) {
3788 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3789 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3790 }
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]3791
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3792 /*
3793 * Hash
3794 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3795 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3796
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3797 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
3798 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
3799 " for verify message"));
3800 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3801 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3802
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3803#if !defined(MBEDTLS_MD_SHA1)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3804 if (MBEDTLS_MD_SHA1 == md_alg) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3805 hash_start += 16;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3806 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3807#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3808
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3809 /* Info from md_alg will be used instead */
3810 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3811
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3812 i++;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3813
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3814 /*
3815 * Signature
3816 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3817 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
3818 == MBEDTLS_PK_NONE) {
3819 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
3820 " for verify message"));
3821 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]3822 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]3823
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3824 /*
3825 * Check the certificate's key type matches the signature alg
3826 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3827 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
3828 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
3829 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3830 }
3831
3832 i++;
3833
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3834 if (i + 2 > ssl->in_hslen) {
3835 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3836 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]3837 }
3838
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3839 sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i);
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3840 i += 2;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3841
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3842 if (i + sig_len != ssl->in_hslen) {
3843 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3844 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3845 }
3846
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3847 /* Calculate hash and verify signature */
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3848 {
3849 size_t dummy_hlen;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3850 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
3851 if (0 != ret) {
3852 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
3853 return ret;
3854 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3855 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3856
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3857 if ((ret = mbedtls_pk_verify(peer_pk,
3858 md_alg, hash_start, hashlen,
3859 ssl->in_msg + i, sig_len)) != 0) {
3860 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
3861 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3862 }
3863
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3864 ret = mbedtls_ssl_update_handshake_status(ssl);
3865 if (0 != ret) {
3866 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
3867 return ret;
3868 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3869
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3870 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3871
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3872 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3873}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3874#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3875
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3876#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3877MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3878static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3879{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3880 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]3881 size_t tlen;
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]3882 uint32_t lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3883
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3884 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3885
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3886 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3887 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3888
3889 /*
3890 * struct {
3891 * uint32 ticket_lifetime_hint;
3892 * opaque ticket<0..2^16-1>;
3893 * } NewSessionTicket;
3894 *
3895 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3896 * 8 . 9 ticket_len (n)
3897 * 10 . 9+n ticket content
3898 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]3899
Ronald Cron3c0072b2023-11-22 10:00:14 +0100[diff] [blame]3900#if defined(MBEDTLS_HAVE_TIME)
3901 ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time();
3902#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3903 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
3904 ssl->session_negotiate,
3905 ssl->out_msg + 10,
3906 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
3907 &tlen, &lifetime)) != 0) {
3908 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]3909 tlen = 0;
3910 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3911
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3912 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
3913 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]3914 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3915
Manuel Pégourié-Gonnard145dfcb2014-02-26 14:23:33 +0100[diff] [blame]3916 /*
3917 * Morally equivalent to updating ssl->state, but NewSessionTicket and
3918 * ChangeCipherSpec share the same state.
3919 */
3920 ssl->handshake->new_session_ticket = 0;
3921
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3922 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3923 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3924 return ret;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3925 }
3926
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3927 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3928
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3929 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3930}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3931#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3932
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3933/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3934 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3935 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3936int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3937{
3938 int ret = 0;
3939
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3940 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3941
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3942 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3943 case MBEDTLS_SSL_HELLO_REQUEST:
3944 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3945 break;
3946
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3947 /*
3948 * <== ClientHello
3949 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3950 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3951 ret = ssl_parse_client_hello(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3952 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3953
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3954#if defined(MBEDTLS_SSL_PROTO_DTLS)
3955 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3956 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3957#endif
3958
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3959 /*
3960 * ==> ServerHello
3961 * Certificate
3962 * ( ServerKeyExchange )
3963 * ( CertificateRequest )
3964 * ServerHelloDone
3965 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3966 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3967 ret = ssl_write_server_hello(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3968 break;
3969
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3970 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3971 ret = mbedtls_ssl_write_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3972 break;
3973
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3974 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3975 ret = ssl_write_server_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3976 break;
3977
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3978 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3979 ret = ssl_write_certificate_request(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3980 break;
3981
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3982 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3983 ret = ssl_write_server_hello_done(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3984 break;
3985
3986 /*
3987 * <== ( Certificate/Alert )
3988 * ClientKeyExchange
3989 * ( CertificateVerify )
3990 * ChangeCipherSpec
3991 * Finished
3992 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3993 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3994 ret = mbedtls_ssl_parse_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3995 break;
3996
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3997 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3998 ret = ssl_parse_client_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3999 break;
4000
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4001 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4002 ret = ssl_parse_certificate_verify(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4003 break;
4004
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4005 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4006 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4007 break;
4008
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4009 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4010 ret = mbedtls_ssl_parse_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4011 break;
4012
4013 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4014 * ==> ( NewSessionTicket )
4015 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4016 * Finished
4017 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4018 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4019#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4020 if (ssl->handshake->new_session_ticket != 0) {
4021 ret = ssl_write_new_session_ticket(ssl);
4022 } else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]4023#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4024 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4025 break;
4026
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4027 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4028 ret = mbedtls_ssl_write_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4029 break;
4030
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4031 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4032 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4033 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4034 break;
4035
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4036 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4037 mbedtls_ssl_handshake_wrapup(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4038 break;
4039
4040 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4041 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4042 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4043 }
4044
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4045 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4046}
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4047
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4048void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4049{
TRodziewicz3946f792021-06-14 12:11:18 +0200[diff] [blame]4050 conf->respect_cli_pref = order;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4051}
4052
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]4053#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */