TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 2dcd7686cef78bd13caf72766883cf796649f26f / . / library / ssl_cli.c
blob: 3ef318c96353714e98880e4fbe759d6a27419f5b [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS client-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]20#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]22#if defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]23
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]24#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]25#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]26#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]27#include <stdlib.h>
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]28#define mbedtls_calloc calloc
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]29#define mbedtls_free free
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]30#endif
31
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]32#include "mbedtls/ssl.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]33#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]34#include "mbedtls/debug.h"
35#include "mbedtls/error.h"
gabor-mezei-armdb9a38c2021-09-27 11:28:54 +0200[diff] [blame]36#include "constant_time.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]37
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]38#if defined(MBEDTLS_USE_PSA_CRYPTO)
39#include "mbedtls/psa_util.h"
40#endif /* MBEDTLS_USE_PSA_CRYPTO */
41
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]42#include <string.h>
43
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]44#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]46#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]47#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]50#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]51#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]52#endif
53
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]54#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Hanno Becker520224e2018-10-26 11:38:07 +0100[diff] [blame]55static int ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]56{
57 if( conf->psk_identity == NULL ||
58 conf->psk_identity_len == 0 )
59 {
60 return( 0 );
61 }
62
63 if( conf->psk != NULL && conf->psk_len != 0 )
64 return( 1 );
65
66#if defined(MBEDTLS_USE_PSA_CRYPTO)
Ronald Croncf56a0a2020-08-04 09:51:30 +0200[diff] [blame]67 if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]68 return( 1 );
69#endif /* MBEDTLS_USE_PSA_CRYPTO */
70
71 return( 0 );
72}
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]73
74#if defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Becker520224e2018-10-26 11:38:07 +0100[diff] [blame]75static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf )
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]76{
77 if( conf->psk_identity == NULL ||
78 conf->psk_identity_len == 0 )
79 {
80 return( 0 );
81 }
82
83 if( conf->psk != NULL && conf->psk_len != 0 )
84 return( 1 );
85
86 return( 0 );
87}
88#endif /* MBEDTLS_USE_PSA_CRYPTO */
89
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]90#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]91
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]92#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]93static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
94 unsigned char *buf,
95 const unsigned char *end,
96 size_t *olen )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]97{
98 unsigned char *p = buf;
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]99 size_t hostname_len;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]100
101 *olen = 0;
102
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]103 if( ssl->hostname == NULL )
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]104 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]105
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]106 MBEDTLS_SSL_DEBUG_MSG( 3,
107 ( "client hello, adding server name extension: %s",
108 ssl->hostname ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]109
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]110 hostname_len = strlen( ssl->hostname );
111
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]112 MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]113
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]114 /*
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]115 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
116 *
117 * In order to provide any of the server names, clients MAY include an
118 * extension of type "server_name" in the (extended) client hello. The
119 * "extension_data" field of this extension SHALL contain
120 * "ServerNameList" where:
121 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]122 * struct {
123 * NameType name_type;
124 * select (name_type) {
125 * case host_name: HostName;
126 * } name;
127 * } ServerName;
128 *
129 * enum {
130 * host_name(0), (255)
131 * } NameType;
132 *
133 * opaque HostName<1..2^16-1>;
134 *
135 * struct {
136 * ServerName server_name_list<1..2^16-1>
137 * } ServerNameList;
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]138 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]139 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]140 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
141 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]142
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]143 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
144 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]145
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]146 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
147 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]148
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]149 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]150 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
151 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]152
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]153 memcpy( p, ssl->hostname, hostname_len );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]154
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]155 *olen = hostname_len + 9;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]156
157 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]158}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]159#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]160
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]161#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]162static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
163 unsigned char *buf,
164 const unsigned char *end,
165 size_t *olen )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]166{
167 unsigned char *p = buf;
168
169 *olen = 0;
170
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]171 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
172 * initial ClientHello, in which case also adding the renegotiation
173 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]174 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]175 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]176
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]177 MBEDTLS_SSL_DEBUG_MSG( 3,
178 ( "client hello, adding renegotiation extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]179
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]180 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + ssl->verify_data_len );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]181
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]182 /*
183 * Secure renegotiation
184 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]185 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 )
186 & 0xFF );
187 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO )
188 & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]189
190 *p++ = 0x00;
191 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
192 *p++ = ssl->verify_data_len & 0xFF;
193
194 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
195
196 *olen = 5 + ssl->verify_data_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]197
198 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]199}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]200#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]201
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]202/*
203 * Only if we handle at least one key exchange that needs signatures.
204 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]205#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]206 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]207static int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
208 unsigned char *buf,
209 const unsigned char *end,
210 size_t *olen )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]211{
212 unsigned char *p = buf;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]213 size_t sig_alg_len = 0;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]214 const int *md;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]215
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]216#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5bfd9682014-06-24 15:18:11 +0200[diff] [blame]217 unsigned char *sig_alg_list = buf + 6;
218#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]219
220 *olen = 0;
221
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]222 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]223 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]224
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]225 MBEDTLS_SSL_DEBUG_MSG( 3,
226 ( "client hello, adding signature_algorithms extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]227
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]228 if( ssl->conf->sig_hashes == NULL )
229 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
230
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]231 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
232 {
233#if defined(MBEDTLS_ECDSA_C)
234 sig_alg_len += 2;
235#endif
236#if defined(MBEDTLS_RSA_C)
237 sig_alg_len += 2;
238#endif
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]239 if( sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN )
240 {
241 MBEDTLS_SSL_DEBUG_MSG( 3,
242 ( "length in bytes of sig-hash-alg extension too big" ) );
243 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
244 }
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]245 }
246
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]247 /* Empty signature algorithms list, this is a configuration error. */
248 if( sig_alg_len == 0 )
249 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
250
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]251 MBEDTLS_SSL_CHK_BUF_PTR( p, end, sig_alg_len + 6 );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]252
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]253 /*
254 * Prepare signature_algorithms extension (TLS 1.2)
255 */
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]256 sig_alg_len = 0;
257
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]258 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
259 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]260#if defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]261 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
262 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]263#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]264#if defined(MBEDTLS_RSA_C)
265 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
266 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]267#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]268 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]269
270 /*
271 * enum {
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]272 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
273 * sha512(6), (255)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]274 * } HashAlgorithm;
275 *
276 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
277 * SignatureAlgorithm;
278 *
279 * struct {
280 * HashAlgorithm hash;
281 * SignatureAlgorithm signature;
282 * } SignatureAndHashAlgorithm;
283 *
284 * SignatureAndHashAlgorithm
285 * supported_signature_algorithms<2..2^16-2>;
286 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]287 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
288 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]289
290 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
291 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
292
293 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
294 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
295
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]296 *olen = 6 + sig_alg_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]297
298 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]299}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]300#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]301 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]302
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]303#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]304 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]305static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
306 unsigned char *buf,
307 const unsigned char *end,
308 size_t *olen )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]309{
310 unsigned char *p = buf;
Manuel Pégourié-Gonnard8e205fc2014-01-23 17:27:10 +0100[diff] [blame]311 unsigned char *elliptic_curve_list = p + 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]312 size_t elliptic_curve_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]313 const mbedtls_ecp_curve_info *info;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]314 const mbedtls_ecp_group_id *grp_id;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]315
316 *olen = 0;
317
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]318 MBEDTLS_SSL_DEBUG_MSG( 3,
319 ( "client hello, adding supported_elliptic_curves extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]320
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]321 if( ssl->conf->curve_list == NULL )
322 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
323
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]324 for( grp_id = ssl->conf->curve_list;
325 *grp_id != MBEDTLS_ECP_DP_NONE;
326 grp_id++ )
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]327 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]328 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Janos Follath8a317052016-04-21 23:37:09 +0100[diff] [blame]329 if( info == NULL )
330 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]331 MBEDTLS_SSL_DEBUG_MSG( 1,
332 ( "invalid curve in ssl configuration" ) );
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]333 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
Janos Follath8a317052016-04-21 23:37:09 +0100[diff] [blame]334 }
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]335 elliptic_curve_len += 2;
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]336
337 if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN )
338 {
339 MBEDTLS_SSL_DEBUG_MSG( 3,
340 ( "malformed supported_elliptic_curves extension in config" ) );
341 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
342 }
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]343 }
344
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]345 /* Empty elliptic curve list, this is a configuration error. */
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]346 if( elliptic_curve_len == 0 )
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]347 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]348
349 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]350
351 elliptic_curve_len = 0;
352
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]353 for( grp_id = ssl->conf->curve_list;
354 *grp_id != MBEDTLS_ECP_DP_NONE;
355 grp_id++ )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]356 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]357 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]358 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
359 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]360 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]361
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]362 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 )
363 & 0xFF );
364 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES )
365 & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]366
367 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
368 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
369
370 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
371 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
372
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]373 *olen = 6 + elliptic_curve_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]374
375 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]376}
377
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]378static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
379 unsigned char *buf,
380 const unsigned char *end,
381 size_t *olen )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]382{
383 unsigned char *p = buf;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]384 (void) ssl; /* ssl used for debugging only */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]385
386 *olen = 0;
387
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]388 MBEDTLS_SSL_DEBUG_MSG( 3,
389 ( "client hello, adding supported_point_formats extension" ) );
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]390 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]391
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]392 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 )
393 & 0xFF );
394 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS )
395 & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]396
397 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]398 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]399
400 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]401 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]402
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]403 *olen = 6;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]404
405 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]406}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]407#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]408 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]409
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]410#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]411static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
412 unsigned char *buf,
413 const unsigned char *end,
414 size_t *olen )
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]415{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]416 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]417 unsigned char *p = buf;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]418 size_t kkpp_len;
419
420 *olen = 0;
421
422 /* Skip costly extension if we can't use EC J-PAKE anyway */
423 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]424 return( 0 );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]425
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]426 MBEDTLS_SSL_DEBUG_MSG( 3,
427 ( "client hello, adding ecjpake_kkpp extension" ) );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]428
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]429 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]430
431 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
432 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
433
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]434 /*
435 * We may need to send ClientHello multiple times for Hello verification.
436 * We don't want to compute fresh values every time (both for performance
437 * and consistency reasons), so cache the extension content.
438 */
439 if( ssl->handshake->ecjpake_cache == NULL ||
440 ssl->handshake->ecjpake_cache_len == 0 )
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]441 {
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]442 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
443
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]444 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]445 p + 2, end - p - 2, &kkpp_len,
446 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]447 if( ret != 0 )
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]448 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]449 MBEDTLS_SSL_DEBUG_RET( 1 ,
450 "mbedtls_ecjpake_write_round_one", ret );
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]451 return( ret );
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]452 }
453
454 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
455 if( ssl->handshake->ecjpake_cache == NULL )
456 {
457 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]458 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]459 }
460
461 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
462 ssl->handshake->ecjpake_cache_len = kkpp_len;
463 }
464 else
465 {
466 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
467
468 kkpp_len = ssl->handshake->ecjpake_cache_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]469 MBEDTLS_SSL_CHK_BUF_PTR( p + 2, end, kkpp_len );
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]470
471 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]472 }
473
474 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
475 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
476
477 *olen = kkpp_len + 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]478
479 return( 0 );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]480}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]481#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]482
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]483#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]484static int ssl_write_cid_ext( mbedtls_ssl_context *ssl,
485 unsigned char *buf,
486 const unsigned char *end,
487 size_t *olen )
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]488{
489 unsigned char *p = buf;
490 size_t ext_len;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]491
492 /*
Hanno Beckerebcc9132019-05-15 10:26:32 +0100[diff] [blame]493 * Quoting draft-ietf-tls-dtls-connection-id-05
494 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]495 *
496 * struct {
497 * opaque cid<0..2^8-1>;
498 * } ConnectionId;
499 */
500
501 *olen = 0;
502 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
503 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
504 {
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]505 return( 0 );
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]506 }
507 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) );
508
509 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
510 * which is at most 255, so the increment cannot overflow. */
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]511 MBEDTLS_SSL_CHK_BUF_PTR( p, end, (unsigned)( ssl->own_cid_len + 5 ) );
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]512
513 /* Add extension ID + size */
514 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
515 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
516 ext_len = (size_t) ssl->own_cid_len + 1;
517 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
518 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
519
520 *p++ = (uint8_t) ssl->own_cid_len;
521 memcpy( p, ssl->own_cid, ssl->own_cid_len );
522
523 *olen = ssl->own_cid_len + 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]524
525 return( 0 );
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]526}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]527#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]528
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]529#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]530static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
531 unsigned char *buf,
532 const unsigned char *end,
533 size_t *olen )
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]534{
535 unsigned char *p = buf;
536
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]537 *olen = 0;
538
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]539 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
540 return( 0 );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]541
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]542 MBEDTLS_SSL_DEBUG_MSG( 3,
543 ( "client hello, adding max_fragment_length extension" ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]544
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]545 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]546
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]547 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 )
548 & 0xFF );
549 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH )
550 & 0xFF );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]551
552 *p++ = 0x00;
553 *p++ = 1;
554
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]555 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]556
557 *olen = 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]558
559 return( 0 );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]560}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]561#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]562
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]563#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]564static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
565 unsigned char *buf,
566 const unsigned char *end,
567 size_t *olen )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]568{
569 unsigned char *p = buf;
570
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]571 *olen = 0;
572
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]573 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]574 return( 0 );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]575
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]576 MBEDTLS_SSL_DEBUG_MSG( 3,
577 ( "client hello, adding encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]578
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]579 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]580
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
582 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]583
584 *p++ = 0x00;
585 *p++ = 0x00;
586
587 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]588
589 return( 0 );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]590}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]591#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]592
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]593#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]594static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
595 unsigned char *buf,
596 const unsigned char *end,
597 size_t *olen )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]598{
599 unsigned char *p = buf;
600
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]601 *olen = 0;
602
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]603 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]604 return( 0 );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]605
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]606 MBEDTLS_SSL_DEBUG_MSG( 3,
607 ( "client hello, adding extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]608
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]609 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]610
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]611 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 )
612 & 0xFF );
613 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET )
614 & 0xFF );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]615
616 *p++ = 0x00;
617 *p++ = 0x00;
618
619 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]620
621 return( 0 );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]622}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]623#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]624
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]625#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]626static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
627 unsigned char *buf,
628 const unsigned char *end,
629 size_t *olen )
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]630{
631 unsigned char *p = buf;
632 size_t tlen = ssl->session_negotiate->ticket_len;
633
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]634 *olen = 0;
635
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]636 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]637 return( 0 );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]638
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]639 MBEDTLS_SSL_DEBUG_MSG( 3,
640 ( "client hello, adding session ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]641
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]642 /* The addition is safe here since the ticket length is 16 bit. */
643 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + tlen );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]644
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]645 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
646 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]647
648 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
649 *p++ = (unsigned char)( ( tlen ) & 0xFF );
650
651 *olen = 4;
652
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]653 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]654 return( 0 );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]655
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]656 MBEDTLS_SSL_DEBUG_MSG( 3,
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]657 ( "sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]658
659 memcpy( p, ssl->session_negotiate->ticket, tlen );
660
661 *olen += tlen;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]662
663 return( 0 );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]664}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]665#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]666
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]667#if defined(MBEDTLS_SSL_ALPN)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]668static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
669 unsigned char *buf,
670 const unsigned char *end,
671 size_t *olen )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]672{
673 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]674 size_t alpnlen = 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]675 const char **cur;
676
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]677 *olen = 0;
678
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]679 if( ssl->conf->alpn_list == NULL )
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]680 return( 0 );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]681
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]682 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]683
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]684 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]685 alpnlen += strlen( *cur ) + 1;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]686
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]687 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + alpnlen );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]688
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]689 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
690 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]691
692 /*
693 * opaque ProtocolName<1..2^8-1>;
694 *
695 * struct {
696 * ProtocolName protocol_name_list<2..2^16-1>
697 * } ProtocolNameList;
698 */
699
700 /* Skip writing extension and list length for now */
701 p += 4;
702
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]703 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]704 {
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]705 /*
706 * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
707 * protocol names is less than 255.
708 */
709 *p = (unsigned char)strlen( *cur );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]710 memcpy( p + 1, *cur, *p );
711 p += 1 + *p;
712 }
713
714 *olen = p - buf;
715
716 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
717 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
718 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
719
720 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
721 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
722 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]723
724 return( 0 );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]725}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]726#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]727
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]728#if defined(MBEDTLS_SSL_DTLS_SRTP)
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]729static int ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
Johan Pascald387aa02020-09-23 18:47:56 +0200[diff] [blame]730 unsigned char *buf,
731 const unsigned char *end,
732 size_t *olen )
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]733{
734 unsigned char *p = buf;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]735 size_t protection_profiles_index = 0, ext_len = 0;
736 uint16_t mki_len = 0, profile_value = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]737
738 *olen = 0;
739
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]740 if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ||
741 ( ssl->conf->dtls_srtp_profile_list == NULL ) ||
742 ( ssl->conf->dtls_srtp_profile_list_len == 0 ) )
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]743 {
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]744 return( 0 );
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]745 }
746
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]747 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]748 * uint8 SRTPProtectionProfile[2];
749 *
750 * struct {
751 * SRTPProtectionProfiles SRTPProtectionProfiles;
752 * opaque srtp_mki<0..255>;
753 * } UseSRTPData;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]754 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]755 */
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]756 if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED )
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]757 {
758 mki_len = ssl->dtls_srtp_info.mki_len;
759 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]760 /* Extension length = 2 bytes for profiles length,
761 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
762 * 1 byte for srtp_mki vector length and the mki_len value
763 */
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]764 ext_len = 2 + 2 * ( ssl->conf->dtls_srtp_profile_list_len ) + 1 + mki_len;
765
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]766 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding use_srtp extension" ) );
767
768 /* Check there is room in the buffer for the extension + 4 bytes
769 * - the extension tag (2 bytes)
770 * - the extension length (2 bytes)
771 */
772 MBEDTLS_SSL_CHK_BUF_PTR( p, end, ext_len + 4 );
773
774 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
775 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP ) & 0xFF );
776
777
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]778 *p++ = (unsigned char)( ( ( ext_len & 0xFF00 ) >> 8 ) & 0xFF );
779 *p++ = (unsigned char)( ext_len & 0xFF );
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]780
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]781 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
Johan Pascalaae4d222020-09-22 21:21:39 +0200[diff] [blame]782 /* micro-optimization:
783 * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
784 * which is lower than 127, so the upper byte of the length is always 0
785 * For the documentation, the more generic code is left in comments
786 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
787 * >> 8 ) & 0xFF );
788 */
789 *p++ = 0;
Johan Pascale79c1e82020-09-22 15:51:27 +0200[diff] [blame]790 *p++ = (unsigned char)( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]791 & 0xFF );
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]792
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]793 for( protection_profiles_index=0;
794 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
795 protection_profiles_index++ )
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]796 {
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]797 profile_value = mbedtls_ssl_check_srtp_profile_value
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]798 ( ssl->conf->dtls_srtp_profile_list[protection_profiles_index] );
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]799 if( profile_value != MBEDTLS_TLS_SRTP_UNSET )
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]800 {
801 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x",
802 profile_value ) );
803 *p++ = ( ( profile_value >> 8 ) & 0xFF );
804 *p++ = ( profile_value & 0xFF );
805 }
806 else
807 {
808 /*
809 * Note: we shall never arrive here as protection profiles
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]810 * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]811 */
Johan Pascale79c1e82020-09-22 15:51:27 +0200[diff] [blame]812 MBEDTLS_SSL_DEBUG_MSG( 3,
813 ( "client hello, "
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]814 "illegal DTLS-SRTP protection profile %d",
Johan Pascale79c1e82020-09-22 15:51:27 +0200[diff] [blame]815 ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
816 ) );
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]817 return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED );
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]818 }
819 }
820
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]821 *p++ = mki_len & 0xFF;
822
823 if( mki_len != 0 )
824 {
Ron Eldor75870ec2018-12-06 17:31:55 +0200[diff] [blame]825 memcpy( p, ssl->dtls_srtp_info.mki_value, mki_len );
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]826 /*
827 * Increment p to point to the current position.
828 */
829 p += mki_len;
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]830 MBEDTLS_SSL_DEBUG_BUF( 3, "sending mki", ssl->dtls_srtp_info.mki_value,
831 ssl->dtls_srtp_info.mki_len );
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]832 }
833
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]834 /*
835 * total extension length: extension type (2 bytes)
836 * + extension length (2 bytes)
837 * + protection profile length (2 bytes)
838 * + 2 * number of protection profiles
839 * + srtp_mki vector length(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]840 * + mki value
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]841 */
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]842 *olen = p - buf;
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]843
844 return( 0 );
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]845}
846#endif /* MBEDTLS_SSL_DTLS_SRTP */
847
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]848/*
849 * Generate random bytes for ClientHello
850 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]851static int ssl_generate_random( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]852{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]853 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]854 unsigned char *p = ssl->handshake->randbytes;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]855#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]856 mbedtls_time_t t;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]857#endif
858
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]859 /*
860 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
861 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]862#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]863 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]864 ssl->handshake->verify_cookie != NULL )
865 {
866 return( 0 );
867 }
868#endif
869
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]870#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]871 t = mbedtls_time( NULL );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]872 *p++ = (unsigned char)( t >> 24 );
873 *p++ = (unsigned char)( t >> 16 );
874 *p++ = (unsigned char)( t >> 8 );
875 *p++ = (unsigned char)( t );
876
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]877 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
878 (long long) t ) );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]879#else
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]880 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]881 return( ret );
882
883 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]884#endif /* MBEDTLS_HAVE_TIME */
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]885
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]886 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]887 return( ret );
888
889 return( 0 );
890}
891
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]892/**
893 * \brief Validate cipher suite against config in SSL context.
894 *
895 * \param suite_info cipher suite to validate
896 * \param ssl SSL context
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]897 * \param min_minor_ver Minimal minor version to accept a cipher suite
898 * \param max_minor_ver Maximal minor version to accept a cipher suite
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]899 *
900 * \return 0 if valid, else 1
901 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]902static int ssl_validate_ciphersuite(
903 const mbedtls_ssl_ciphersuite_t * suite_info,
904 const mbedtls_ssl_context * ssl,
905 int min_minor_ver, int max_minor_ver )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]906{
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]907 (void) ssl;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]908 if( suite_info == NULL )
909 return( 1 );
910
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]911 if( suite_info->min_minor_ver > max_minor_ver ||
912 suite_info->max_minor_ver < min_minor_ver )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]913 return( 1 );
914
915#if defined(MBEDTLS_SSL_PROTO_DTLS)
916 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
917 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
918 return( 1 );
919#endif
920
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]921#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
922 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
923 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
924 return( 1 );
925#endif
926
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]927 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]928#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]929 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
Hanno Becker520224e2018-10-26 11:38:07 +0100[diff] [blame]930 ssl_conf_has_static_psk( ssl->conf ) == 0 )
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]931 {
932 return( 1 );
933 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]934#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]935
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]936 return( 0 );
937}
938
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]939static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]940{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]941 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]942 size_t i, n, olen, ext_len = 0;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]943
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]944 unsigned char *buf;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]945 unsigned char *p, *q;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]946 const unsigned char *end;
947
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]948 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]949 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]950#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
951 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
952 int uses_ec = 0;
953#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]954
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]955 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]956
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]957 if( ssl->conf->f_rng == NULL )
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]958 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
960 return( MBEDTLS_ERR_SSL_NO_RNG );
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]961 }
962
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]963#if defined(MBEDTLS_SSL_RENEGOTIATION)
964 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]965#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]966 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]967 ssl->major_ver = ssl->conf->min_major_ver;
968 ssl->minor_ver = ssl->conf->min_minor_ver;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]969 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]970
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]971 if( ssl->conf->max_major_ver == 0 )
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]972 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]973 MBEDTLS_SSL_DEBUG_MSG( 1,
974 ( "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()" ) );
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]975 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]976 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]977
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]978 buf = ssl->out_msg;
979 end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN;
980
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]981 /*
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]982 * Check if there's enough space for the first part of the ClientHello
983 * consisting of the 38 bytes described below, the session identifier (at
984 * most 32 bytes) and its length (1 byte).
985 *
986 * Use static upper bounds instead of the actual values
987 * to allow the compiler to optimize this away.
988 */
989 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );
990
991 /*
992 * The 38 first bytes of the ClientHello:
993 * 0 . 0 handshake type (written later)
994 * 1 . 3 handshake length (written later)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]995 * 4 . 5 highest version supported
996 * 6 . 9 current UNIX time
997 * 10 . 37 random bytes
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]998 *
999 * The current UNIX time (4 bytes) and following 28 random bytes are written
1000 * by ssl_generate_random() into ssl->handshake->randbytes buffer and then
1001 * copied from there into the output buffer.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1002 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1003
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1004 p = buf + 4;
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1005 mbedtls_ssl_write_version( ssl->conf->max_major_ver,
1006 ssl->conf->max_minor_ver,
1007 ssl->conf->transport, p );
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1008 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1009
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1010 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1011 buf[4], buf[5] ) );
1012
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]1013 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
1014 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1015 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1016 return( ret );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]1017 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1018
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]1019 memcpy( p, ssl->handshake->randbytes, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1020 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]1021 p += 32;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1022
1023 /*
1024 * 38 . 38 session id length
1025 * 39 . 39+n session id
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1026 * 39+n . 39+n DTLS only: cookie length (1 byte)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1027 * 40+n . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1028 * .. . .. ciphersuitelist length (2 bytes)
1029 * .. . .. ciphersuitelist
1030 * .. . .. compression methods length (1 byte)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1031 * .. . .. compression methods
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1032 * .. . .. extensions length (2 bytes)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1033 * .. . .. extensions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1034 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1035 n = ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1036
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1037 if( n < 16 || n > 32 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1038#if defined(MBEDTLS_SSL_RENEGOTIATION)
1039 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1040#endif
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1041 ssl->handshake->resume == 0 )
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]1042 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1043 n = 0;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]1044 }
1045
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1046#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]1047 /*
1048 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
1049 * generate and include a Session ID in the TLS ClientHello."
1050 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1051#if defined(MBEDTLS_SSL_RENEGOTIATION)
1052 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]1053#endif
Manuel Pégourié-Gonnardd2b35ec2015-03-10 11:40:43 +0000[diff] [blame]1054 {
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]1055 if( ssl->session_negotiate->ticket != NULL &&
1056 ssl->session_negotiate->ticket_len != 0 )
1057 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1058 ret = ssl->conf->f_rng( ssl->conf->p_rng,
1059 ssl->session_negotiate->id, 32 );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]1060
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]1061 if( ret != 0 )
1062 return( ret );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]1063
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1064 ssl->session_negotiate->id_len = n = 32;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]1065 }
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]1066 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1068
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1069 /*
1070 * The first check of the output buffer size above (
1071 * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );)
1072 * has checked that there is enough space in the output buffer for the
1073 * session identifier length byte and the session identifier (n <= 32).
1074 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1075 *p++ = (unsigned char) n;
1076
1077 for( i = 0; i < n; i++ )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1078 *p++ = ssl->session_negotiate->id[i];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1080 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1081 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1083 /*
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1084 * With 'n' being the length of the session identifier
1085 *
1086 * 39+n . 39+n DTLS only: cookie length (1 byte)
1087 * 40+n . .. DTLS only: cookie
1088 * .. . .. ciphersuitelist length (2 bytes)
1089 * .. . .. ciphersuitelist
1090 * .. . .. compression methods length (1 byte)
1091 * .. . .. compression methods
1092 * .. . .. extensions length (2 bytes)
1093 * .. . .. extensions
1094 */
1095
1096 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1097 * DTLS cookie
1098 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1099#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1100 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1101 {
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1102 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
1103
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1104 if( ssl->handshake->verify_cookie == NULL )
1105 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1106 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1107 *p++ = 0;
1108 }
1109 else
1110 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1111 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1112 ssl->handshake->verify_cookie,
1113 ssl->handshake->verify_cookie_len );
1114
1115 *p++ = ssl->handshake->verify_cookie_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1116
1117 MBEDTLS_SSL_CHK_BUF_PTR( p, end,
1118 ssl->handshake->verify_cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1119 memcpy( p, ssl->handshake->verify_cookie,
1120 ssl->handshake->verify_cookie_len );
1121 p += ssl->handshake->verify_cookie_len;
1122 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1123 }
1124#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1125
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1126 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1127 * Ciphersuite list
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1128 */
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]1129 ciphersuites = ssl->conf->ciphersuite_list;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1130
1131 /* Skip writing ciphersuite length for now */
1132 n = 0;
1133 q = p;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1134
1135 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1136 p += 2;
1137
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1138 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1139 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1140 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1141
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]1142 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
1143 ssl->conf->min_minor_ver,
1144 ssl->conf->max_minor_ver ) != 0 )
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1145 continue;
1146
Hanno Becker3c88c652019-01-02 11:17:25 +0000[diff] [blame]1147 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %#04x (%s)",
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]1148 (unsigned int)ciphersuites[i], ciphersuite_info->name ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1149
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1150#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1151 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1152 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
1153#endif
1154
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1155 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1156
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1157 n++;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1158 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
1159 *p++ = (unsigned char)( ciphersuites[i] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1160 }
1161
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1162 MBEDTLS_SSL_DEBUG_MSG( 3,
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1163 ( "client hello, got %" MBEDTLS_PRINTF_SIZET " ciphersuites (excluding SCSVs)", n ) );
Ron Eldor714785d2017-08-28 13:55:55 +0300[diff] [blame]1164
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1165 /*
1166 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1167 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1168#if defined(MBEDTLS_SSL_RENEGOTIATION)
1169 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1170#endif
1171 {
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300[diff] [blame]1172 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1173 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1174 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
1175 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1176 n++;
1177 }
1178
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1179 *q++ = (unsigned char)( n >> 7 );
1180 *q++ = (unsigned char)( n << 1 );
1181
Mateusz Starzyka3a99842021-02-19 14:27:22 +0100[diff] [blame]1182 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1183 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1184 MBEDTLS_SSL_COMPRESS_NULL ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1185
Mateusz Starzyka3a99842021-02-19 14:27:22 +0100[diff] [blame]1186 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1187 *p++ = 1;
1188 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1189
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1190 /* First write extensions, then the total length */
1191
1192 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1193
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1194#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1195 if( ( ret = ssl_write_hostname_ext( ssl, p + 2 + ext_len,
1196 end, &olen ) ) != 0 )
1197 {
1198 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hostname_ext", ret );
1199 return( ret );
1200 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1201 ext_len += olen;
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]1202#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1203
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]1204 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1205 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1206#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1207 if( ( ret = ssl_write_renegotiation_ext( ssl, p + 2 + ext_len,
1208 end, &olen ) ) != 0 )
1209 {
1210 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_renegotiation_ext", ret );
1211 return( ret );
1212 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1213 ext_len += olen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1214#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1215
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1216#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1217 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1218 if( ( ret = ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len,
1219 end, &olen ) ) != 0 )
1220 {
1221 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_signature_algorithms_ext", ret );
1222 return( ret );
1223 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1224 ext_len += olen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1225#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1226
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]1227#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1228 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1229 if( uses_ec )
1230 {
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1231 if( ( ret = ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len,
1232 end, &olen ) ) != 0 )
1233 {
1234 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_elliptic_curves_ext", ret );
1235 return( ret );
1236 }
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1237 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1238
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1239 if( ( ret = ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len,
1240 end, &olen ) ) != 0 )
1241 {
1242 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_point_formats_ext", ret );
1243 return( ret );
1244 }
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1245 ext_len += olen;
1246 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1247#endif
1248
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]1249#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1250 if( ( ret = ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len,
1251 end, &olen ) ) != 0 )
1252 {
1253 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_ecjpake_kkpp_ext", ret );
1254 return( ret );
1255 }
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]1256 ext_len += olen;
1257#endif
1258
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1259#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1260 if( ( ret = ssl_write_cid_ext( ssl, p + 2 + ext_len, end, &olen ) ) != 0 )
1261 {
1262 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_cid_ext", ret );
1263 return( ret );
1264 }
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]1265 ext_len += olen;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1266#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]1267
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1268#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1269 if( ( ret = ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len,
1270 end, &olen ) ) != 0 )
1271 {
1272 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_max_fragment_length_ext", ret );
1273 return( ret );
1274 }
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1275 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1276#endif
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1277
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1278#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1279 if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len,
1280 end, &olen ) ) != 0 )
1281 {
1282 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_encrypt_then_mac_ext", ret );
1283 return( ret );
1284 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1285 ext_len += olen;
1286#endif
1287
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1288#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1289 if( ( ret = ssl_write_extended_ms_ext( ssl, p + 2 + ext_len,
1290 end, &olen ) ) != 0 )
1291 {
1292 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_extended_ms_ext", ret );
1293 return( ret );
1294 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1295 ext_len += olen;
1296#endif
1297
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1298#if defined(MBEDTLS_SSL_ALPN)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1299 if( ( ret = ssl_write_alpn_ext( ssl, p + 2 + ext_len,
1300 end, &olen ) ) != 0 )
1301 {
1302 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_alpn_ext", ret );
1303 return( ret );
1304 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1305 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1306#endif
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1307
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1308#if defined(MBEDTLS_SSL_DTLS_SRTP)
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]1309 if( ( ret = ssl_write_use_srtp_ext( ssl, p + 2 + ext_len,
1310 end, &olen ) ) != 0 )
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]1311 {
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]1312 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_use_srtp_ext", ret );
1313 return( ret );
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]1314 }
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]1315 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1316#endif
1317
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1318#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1319 if( ( ret = ssl_write_session_ticket_ext( ssl, p + 2 + ext_len,
1320 end, &olen ) ) != 0 )
1321 {
1322 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_session_ticket_ext", ret );
1323 return( ret );
1324 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1325 ext_len += olen;
1326#endif
1327
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1328 /* olen unused if all extensions are disabled */
1329 ((void) olen);
1330
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]1331 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1332 ext_len ) );
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1333
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]1334 if( ext_len > 0 )
1335 {
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1336 /* No need to check for space here, because the extension
1337 * writing functions already took care of that. */
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]1338 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1339 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1340 p += ext_len;
1341 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1342
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1343 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1344 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1345 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346
1347 ssl->state++;
1348
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1349#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1350 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1351 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]1352#endif
1353
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1354 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1355 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1356 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1357 return( ret );
1358 }
1359
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1360#if defined(MBEDTLS_SSL_PROTO_DTLS)
1361 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1362 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1363 {
1364 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1365 return( ret );
1366 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]1367#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1368
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1369 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1370
1371 return( 0 );
1372}
1373
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1374static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1375 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1376 size_t len )
1377{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1378#if defined(MBEDTLS_SSL_RENEGOTIATION)
1379 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1380 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1381 /* Check verify-data in constant-time. The length OTOH is no secret */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1382 if( len != 1 + ssl->verify_data_len * 2 ||
1383 buf[0] != ssl->verify_data_len * 2 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1384 mbedtls_ssl_safer_memcmp( buf + 1,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1385 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1386 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1387 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1388 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1389 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1390 mbedtls_ssl_send_alert_message(
1391 ssl,
1392 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1393 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Dave Rodgman43fcb8d2021-06-28 21:49:15 +0100[diff] [blame]1394 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1395 }
1396 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1397 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1398#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1399 {
1400 if( len != 1 || buf[0] != 0x00 )
1401 {
Ronald Cron5ee57072020-06-11 09:34:06 +0200[diff] [blame]1402 MBEDTLS_SSL_DEBUG_MSG( 1,
1403 ( "non-zero length renegotiation info" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1404 mbedtls_ssl_send_alert_message(
1405 ssl,
1406 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1407 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Dave Rodgman43fcb8d2021-06-28 21:49:15 +0100[diff] [blame]1408 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1409 }
1410
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1411 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1412 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1413
1414 return( 0 );
1415}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1416
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1417#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1418static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1419 const unsigned char *buf,
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1420 size_t len )
1421{
1422 /*
1423 * server should use the extension only if we did,
1424 * and if so the server's value should match ours (and len is always 1)
1425 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1426 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1427 len != 1 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1428 buf[0] != ssl->conf->mfl_code )
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1429 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1430 MBEDTLS_SSL_DEBUG_MSG( 1,
1431 ( "non-matching max fragment length extension" ) );
1432 mbedtls_ssl_send_alert_message(
1433 ssl,
1434 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1435 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1436 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1437 }
1438
1439 return( 0 );
1440}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1441#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1442
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1443#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1444static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
1445 const unsigned char *buf,
1446 size_t len )
1447{
1448 size_t peer_cid_len;
1449
1450 if( /* CID extension only makes sense in DTLS */
1451 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
1452 /* The server must only send the CID extension if we have offered it. */
Hanno Becker22626482019-05-03 12:46:59 +0100[diff] [blame]1453 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1454 {
Hanno Becker22626482019-05-03 12:46:59 +0100[diff] [blame]1455 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1456 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman43fcb8d2021-06-28 21:49:15 +0100[diff] [blame]1457 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
Dave Rodgman53c86892021-06-29 10:02:06 +0100[diff] [blame]1458 return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
Hanno Becker22626482019-05-03 12:46:59 +0100[diff] [blame]1459 }
1460
1461 if( len == 0 )
1462 {
1463 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1464 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1465 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1466 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1467 }
1468
1469 peer_cid_len = *buf++;
1470 len--;
1471
1472 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
1473 {
Hanno Becker22626482019-05-03 12:46:59 +0100[diff] [blame]1474 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1475 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1476 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1477 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1478 }
1479
1480 if( len != peer_cid_len )
1481 {
Hanno Becker22626482019-05-03 12:46:59 +0100[diff] [blame]1482 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1483 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1484 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1485 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1486 }
1487
Hanno Becker5a299902019-05-03 12:47:49 +0100[diff] [blame]1488 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1489 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
1490 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
1491
1492 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
1493 MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len );
1494
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1495 return( 0 );
1496}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1497#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1499#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1500static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1501 const unsigned char *buf,
1502 size_t len )
1503{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1504 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1505 len != 0 )
1506 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1507 MBEDTLS_SSL_DEBUG_MSG( 1,
1508 ( "non-matching encrypt-then-MAC extension" ) );
1509 mbedtls_ssl_send_alert_message(
1510 ssl,
1511 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman43fcb8d2021-06-28 21:49:15 +0100[diff] [blame]1512 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
Dave Rodgman53c86892021-06-29 10:02:06 +0100[diff] [blame]1513 return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1514 }
1515
1516 ((void) buf);
1517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1518 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1519
1520 return( 0 );
1521}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1522#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1523
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1524#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1525static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1526 const unsigned char *buf,
1527 size_t len )
1528{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1529 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1530 len != 0 )
1531 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1532 MBEDTLS_SSL_DEBUG_MSG( 1,
1533 ( "non-matching extended master secret extension" ) );
1534 mbedtls_ssl_send_alert_message(
1535 ssl,
1536 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgmanbed89272021-06-29 12:06:32 +0100[diff] [blame]1537 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
1538 return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1539 }
1540
1541 ((void) buf);
1542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1543 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1544
1545 return( 0 );
1546}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1547#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1548
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1549#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1550static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1551 const unsigned char *buf,
1552 size_t len )
1553{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1554 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1555 len != 0 )
1556 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1557 MBEDTLS_SSL_DEBUG_MSG( 1,
1558 ( "non-matching session ticket extension" ) );
1559 mbedtls_ssl_send_alert_message(
1560 ssl,
1561 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgmanbed89272021-06-29 12:06:32 +0100[diff] [blame]1562 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
1563 return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1564 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1565
1566 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]1567
1568 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1569
1570 return( 0 );
1571}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1572#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1573
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1574#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1575 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1576static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1577 const unsigned char *buf,
1578 size_t len )
1579{
1580 size_t list_size;
1581 const unsigned char *p;
1582
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1583 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1584 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1585 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1586 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1587 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1588 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1589 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1590 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1591
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]1592 p = buf + 1;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1593 while( list_size > 0 )
1594 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1595 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1596 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1597 {
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1598#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]1599 ssl->handshake->ecdh_ctx.point_format = p[0];
Gilles Peskine064a85c2017-05-10 10:46:40 +0200[diff] [blame]1600#endif
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1601#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskinecd07e222021-05-27 23:17:34 +0200[diff] [blame]1602 mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx,
1603 p[0] );
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1604#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1605 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1606 return( 0 );
1607 }
1608
1609 list_size--;
1610 p++;
1611 }
1612
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1613 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1614 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1615 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1616 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1617}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1618#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1619 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1620
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1621#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1622static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1623 const unsigned char *buf,
1624 size_t len )
1625{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1626 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1627
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1628 if( ssl->handshake->ciphersuite_info->key_exchange !=
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1629 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1630 {
1631 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1632 return( 0 );
1633 }
1634
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]1635 /* If we got here, we no longer need our cached extension */
1636 mbedtls_free( ssl->handshake->ecjpake_cache );
1637 ssl->handshake->ecjpake_cache = NULL;
1638 ssl->handshake->ecjpake_cache_len = 0;
1639
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1640 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1641 buf, len ) ) != 0 )
1642 {
1643 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1644 mbedtls_ssl_send_alert_message(
1645 ssl,
1646 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1647 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1648 return( ret );
1649 }
1650
1651 return( 0 );
1652}
1653#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1654
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1655#if defined(MBEDTLS_SSL_ALPN)
1656static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1657 const unsigned char *buf, size_t len )
1658{
1659 size_t list_len, name_len;
1660 const char **p;
1661
1662 /* If we didn't send it, the server shouldn't send it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1663 if( ssl->conf->alpn_list == NULL )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1664 {
1665 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1666 mbedtls_ssl_send_alert_message(
1667 ssl,
1668 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgmanbed89272021-06-29 12:06:32 +0100[diff] [blame]1669 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
1670 return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1671 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1672
1673 /*
1674 * opaque ProtocolName<1..2^8-1>;
1675 *
1676 * struct {
1677 * ProtocolName protocol_name_list<2..2^16-1>
1678 * } ProtocolNameList;
1679 *
1680 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1681 */
1682
1683 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1684 if( len < 4 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1685 {
1686 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1687 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1688 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1689 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1690
1691 list_len = ( buf[0] << 8 ) | buf[1];
1692 if( list_len != len - 2 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1693 {
1694 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1695 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1696 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1697 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1698
1699 name_len = buf[2];
1700 if( name_len != list_len - 1 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1701 {
1702 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1703 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1704 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1705 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1706
1707 /* Check that the server chosen protocol was in our list and save it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1708 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1709 {
1710 if( name_len == strlen( *p ) &&
1711 memcmp( buf + 3, *p, name_len ) == 0 )
1712 {
1713 ssl->alpn_chosen = *p;
1714 return( 0 );
1715 }
1716 }
1717
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1718 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1719 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1720 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1721 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1722}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1723#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1724
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1725#if defined(MBEDTLS_SSL_DTLS_SRTP)
1726static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1727 const unsigned char *buf,
1728 size_t len )
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1729{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1730 mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1731 size_t i, mki_len = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1732 uint16_t server_protection_profile_value = 0;
1733
1734 /* If use_srtp is not configured, just ignore the extension */
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]1735 if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ||
1736 ( ssl->conf->dtls_srtp_profile_list == NULL ) ||
1737 ( ssl->conf->dtls_srtp_profile_list_len == 0 ) )
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1738 return( 0 );
1739
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]1740 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1741 * uint8 SRTPProtectionProfile[2];
1742 *
1743 * struct {
1744 * SRTPProtectionProfiles SRTPProtectionProfiles;
1745 * opaque srtp_mki<0..255>;
1746 * } UseSRTPData;
1747
1748 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
1749 *
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1750 */
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]1751 if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED )
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1752 {
1753 mki_len = ssl->dtls_srtp_info.mki_len;
1754 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1755
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1756 /*
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]1757 * Length is 5 + optional mki_value : one protection profile length (2 bytes)
1758 * + protection profile (2 bytes)
1759 * + mki_len(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]1760 * and optional srtp_mki
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1761 */
Johan Pascaladbd9442020-10-26 21:24:25 +0100[diff] [blame]1762 if( ( len < 5 ) || ( len != ( buf[4] + 5u ) ) )
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1763 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1764
1765 /*
1766 * get the server protection profile
1767 */
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1768
1769 /*
1770 * protection profile length must be 0x0002 as we must have only
1771 * one protection profile in server Hello
1772 */
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1773 if( ( buf[0] != 0 ) || ( buf[1] != 2 ) )
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1774 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1775
1776 server_protection_profile_value = ( buf[2] << 8 ) | buf[3];
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1777 server_protection = mbedtls_ssl_check_srtp_profile_value(
1778 server_protection_profile_value );
1779 if( server_protection != MBEDTLS_TLS_SRTP_UNSET )
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1780 {
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1781 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found srtp profile: %s",
1782 mbedtls_ssl_get_srtp_profile_as_string(
1783 server_protection ) ) );
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1784 }
1785
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1786 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1787
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1788 /*
1789 * Check we have the server profile in our list
1790 */
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]1791 for( i=0; i < ssl->conf->dtls_srtp_profile_list_len; i++)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1792 {
Johan Pascal5ef72d22020-10-28 17:05:47 +0100[diff] [blame]1793 if( server_protection == ssl->conf->dtls_srtp_profile_list[i] )
1794 {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]1795 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1796 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected srtp profile: %s",
1797 mbedtls_ssl_get_srtp_profile_as_string(
1798 server_protection ) ) );
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1799 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1800 }
1801 }
1802
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1803 /* If no match was found : server problem, it shall never answer with incompatible profile */
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1804 if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET )
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1805 {
1806 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1807 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1808 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1809 }
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]1810
1811 /* If server does not use mki in its reply, make sure the client won't keep
1812 * one as negotiated */
1813 if( len == 5 )
1814 {
1815 ssl->dtls_srtp_info.mki_len = 0;
1816 }
1817
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1818 /*
1819 * RFC5764:
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1820 * If the client detects a nonzero-length MKI in the server's response
1821 * that is different than the one the client offered, then the client
1822 * MUST abort the handshake and SHOULD send an invalid_parameter alert.
1823 */
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]1824 if( len > 5 && ( buf[4] != mki_len ||
1825 ( memcmp( ssl->dtls_srtp_info.mki_value, &buf[5], mki_len ) ) ) )
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1826 {
1827 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1828 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1829 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1830 }
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]1831#if defined (MBEDTLS_DEBUG_C)
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1832 if( len > 5 )
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]1833 {
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]1834 MBEDTLS_SSL_DEBUG_BUF( 3, "received mki", ssl->dtls_srtp_info.mki_value,
1835 ssl->dtls_srtp_info.mki_len );
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]1836 }
1837#endif
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]1838 return( 0 );
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1839}
1840#endif /* MBEDTLS_SSL_DTLS_SRTP */
1841
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1842/*
1843 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1844 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1845#if defined(MBEDTLS_SSL_PROTO_DTLS)
1846static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1847{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1848 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1849 int major_ver, minor_ver;
1850 unsigned char cookie_len;
1851
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1852 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1853
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1854 /* Check that there is enough room for:
1855 * - 2 bytes of version
1856 * - 1 byte of cookie_len
1857 */
1858 if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen )
1859 {
1860 MBEDTLS_SSL_DEBUG_MSG( 1,
1861 ( "incoming HelloVerifyRequest message is too short" ) );
1862 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1863 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1864 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1865 }
1866
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1867 /*
1868 * struct {
1869 * ProtocolVersion server_version;
1870 * opaque cookie<0..2^8-1>;
1871 * } HelloVerifyRequest;
1872 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1873 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1874 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1875 p += 2;
1876
TRodziewicz2d8800e2021-05-13 19:14:19 +0200[diff] [blame]1877 /*
1878 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1879 * even is lower than our min version.
1880 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1881 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
TRodziewiczb5850c52021-05-13 17:11:23 +0200[diff] [blame]1882 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1883 major_ver > ssl->conf->max_major_ver ||
1884 minor_ver > ssl->conf->max_minor_ver )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1885 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1886 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1887
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1888 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1889 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1890
Hanno Beckerbc000442021-06-24 09:18:19 +0100[diff] [blame]1891 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1892 }
1893
1894 cookie_len = *p++;
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1895 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1896 {
1897 MBEDTLS_SSL_DEBUG_MSG( 1,
1898 ( "cookie length does not match incoming message size" ) );
1899 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1900 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]1901 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1902 }
Gilles Peskineb51130d2019-09-27 14:00:36 +0200[diff] [blame]1903 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1904
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1905 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1906
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]1907 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1908 if( ssl->handshake->verify_cookie == NULL )
1909 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]1910 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]1911 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1912 }
1913
1914 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1915 ssl->handshake->verify_cookie_len = cookie_len;
1916
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1917 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1918 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1919 mbedtls_ssl_reset_checksum( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1920
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1921 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1922
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1923 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1924
1925 return( 0 );
1926}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1927#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1928
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1929static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1930{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1931 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1932 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1933 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1934 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1935 unsigned char comp;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1936#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1937 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1938#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1939 int handshake_failure = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1940 const mbedtls_ssl_ciphersuite_t *suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1941
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1942 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1943
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]1944 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1945 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1946 /* No alert on a read error. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1947 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1948 return( ret );
1949 }
1950
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]1951 buf = ssl->in_msg;
1952
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1953 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1954 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1955#if defined(MBEDTLS_SSL_RENEGOTIATION)
1956 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1957 {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1958 ssl->renego_records_seen++;
1959
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1960 if( ssl->conf->renego_max_records >= 0 &&
1961 ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1962 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1963 MBEDTLS_SSL_DEBUG_MSG( 1,
1964 ( "renegotiation requested, but not honored by server" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1965 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1966 }
1967
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1968 MBEDTLS_SSL_DEBUG_MSG( 1,
1969 ( "non-handshake message during renegotiation" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]1970
1971 ssl->keep_current_message = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1972 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1973 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1974#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1975
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1976 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1977 mbedtls_ssl_send_alert_message(
1978 ssl,
1979 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1980 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1981 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1982 }
1983
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1984#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1985 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1986 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1987 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1988 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1989 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1990 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1991 return( ssl_parse_hello_verify_request( ssl ) );
1992 }
1993 else
1994 {
1995 /* We made it through the verification process */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1996 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1997 ssl->handshake->verify_cookie = NULL;
1998 ssl->handshake->verify_cookie_len = 0;
1999 }
2000 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2001#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2002
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2003 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
2004 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2005 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2006 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2007 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2008 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]2009 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2010 }
2011
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2012 /*
2013 * 0 . 1 server_version
2014 * 2 . 33 random (maybe including 4 bytes of Unix time)
2015 * 34 . 34 session_id length = n
2016 * 35 . 34+n session_id
2017 * 35+n . 36+n cipher_suite
2018 * 37+n . 37+n compression_method
2019 *
2020 * 38+n . 39+n extensions length (optional)
2021 * 40+n . .. extensions
2022 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2023 buf += mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2024
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2025 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
2026 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2027 ssl->conf->transport, buf + 0 );
Hanno Beckerfadbdbb2021-07-23 06:25:48 +0100[diff] [blame]2028 ssl->session_negotiate->minor_ver = ssl->minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2029
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2030 if( ssl->major_ver < ssl->conf->min_major_ver ||
2031 ssl->minor_ver < ssl->conf->min_minor_ver ||
2032 ssl->major_ver > ssl->conf->max_major_ver ||
2033 ssl->minor_ver > ssl->conf->max_minor_ver )
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]2034 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2035 MBEDTLS_SSL_DEBUG_MSG( 1,
2036 ( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
2037 ssl->conf->min_major_ver,
2038 ssl->conf->min_minor_ver,
2039 ssl->major_ver, ssl->minor_ver,
2040 ssl->conf->max_major_ver,
2041 ssl->conf->max_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]2042
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2043 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2044 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]2045
Hanno Beckerbc000442021-06-24 09:18:19 +0100[diff] [blame]2046 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]2047 }
2048
Andres Amaya Garcia6bce9cb2017-09-06 15:33:34 +0100[diff] [blame]2049 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]2050 ( (unsigned long) buf[2] << 24 ) |
2051 ( (unsigned long) buf[3] << 16 ) |
2052 ( (unsigned long) buf[4] << 8 ) |
2053 ( (unsigned long) buf[5] ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2054
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2055 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2056
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2057 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2058
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2059 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2060
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2061 if( n > 32 )
2062 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2063 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2064 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2065 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]2066 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2067 }
2068
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]2069 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2070 {
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2071 ext_len = ( ( buf[38 + n] << 8 )
2072 | ( buf[39 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2073
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2074 if( ( ext_len > 0 && ext_len < 4 ) ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2075 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2076 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2077 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2078 mbedtls_ssl_send_alert_message(
2079 ssl,
2080 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2081 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]2082 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2083 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2084 }
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]2085 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]2086 {
2087 ext_len = 0;
2088 }
2089 else
2090 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2091 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2092 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2093 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]2094 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]2095 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2096
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]2097 /* ciphersuite (used later) */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2098 i = ( buf[35 + n] << 8 ) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]2099
2100 /*
2101 * Read and check compression
2102 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2103 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2104
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]2105 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]2106 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2107 MBEDTLS_SSL_DEBUG_MSG( 1,
2108 ( "server hello, bad compression: %d", comp ) );
2109 mbedtls_ssl_send_alert_message(
2110 ssl,
2111 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2112 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2113 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]2114 }
2115
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2116 /*
2117 * Initialize update checksum functions
2118 */
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2119 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
2120 if( ssl->handshake->ciphersuite_info == NULL )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2121 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2122 MBEDTLS_SSL_DEBUG_MSG( 1,
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]2123 ( "ciphersuite info for %04x not found", (unsigned int)i ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2124 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2125 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2126 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2127 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2128
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2129 mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info );
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]2130
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]2131 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2132 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2133
2134 /*
2135 * Check if the session can be resumed
2136 */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]2137 if( ssl->handshake->resume == 0 || n == 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2138#if defined(MBEDTLS_SSL_RENEGOTIATION)
2139 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]2140#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2141 ssl->session_negotiate->ciphersuite != i ||
2142 ssl->session_negotiate->compression != comp ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2143 ssl->session_negotiate->id_len != n ||
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2144 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2145 {
2146 ssl->state++;
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]2147 ssl->handshake->resume = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2148#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]2149 ssl->session_negotiate->start = mbedtls_time( NULL );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2150#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2151 ssl->session_negotiate->ciphersuite = i;
2152 ssl->session_negotiate->compression = comp;
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2153 ssl->session_negotiate->id_len = n;
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2154 memcpy( ssl->session_negotiate->id, buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2155 }
2156 else
2157 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2158 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2160 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2161 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2162 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2163 mbedtls_ssl_send_alert_message(
2164 ssl,
2165 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2166 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2167 return( ret );
2168 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2169 }
2170
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2171 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]2172 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2173
Paul Elliott3891caf2020-12-17 18:42:40 +0000[diff] [blame]2174 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", (unsigned) i ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2175 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
2176 buf[37 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2177
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]2178 /*
2179 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]2180 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2181 i = 0;
2182 while( 1 )
2183 {
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]2184 if( ssl->conf->ciphersuite_list[i] == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2185 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2186 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2187 mbedtls_ssl_send_alert_message(
2188 ssl,
2189 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2190 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]2191 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2192 }
2193
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]2194 if( ssl->conf->ciphersuite_list[i++] ==
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]2195 ssl->session_negotiate->ciphersuite )
2196 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2197 break;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]2198 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2199 }
2200
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2201 suite_info = mbedtls_ssl_ciphersuite_from_id(
2202 ssl->session_negotiate->ciphersuite );
2203 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver,
2204 ssl->minor_ver ) != 0 )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]2205 {
2206 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2207 mbedtls_ssl_send_alert_message(
2208 ssl,
2209 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]2210 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2211 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]2212 }
2213
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2214 MBEDTLS_SSL_DEBUG_MSG( 3,
2215 ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]2216
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2217#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]2218 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
2219 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2220 {
2221 ssl->handshake->ecrs_enabled = 1;
2222 }
2223#endif
2224
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2225 if( comp != MBEDTLS_SSL_COMPRESS_NULL
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2226 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2227 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2228 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2229 mbedtls_ssl_send_alert_message(
2230 ssl,
2231 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2232 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]2233 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2234 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2235 ssl->session_negotiate->compression = comp;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2236
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2237 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2238
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2239 MBEDTLS_SSL_DEBUG_MSG( 2,
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]2240 ( "server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, ext_len ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]2241
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2242 while( ext_len )
2243 {
2244 unsigned int ext_id = ( ( ext[0] << 8 )
2245 | ( ext[1] ) );
2246 unsigned int ext_size = ( ( ext[2] << 8 )
2247 | ( ext[3] ) );
2248
2249 if( ext_size + 4 > ext_len )
2250 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2252 mbedtls_ssl_send_alert_message(
2253 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2254 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]2255 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2256 }
2257
2258 switch( ext_id )
2259 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2260 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
2261 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
2262#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2263 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]2264#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2265
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]2266 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
2267 ext_size ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2268 return( ret );
2269
2270 break;
2271
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2272#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2273 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2274 MBEDTLS_SSL_DEBUG_MSG( 3,
2275 ( "found max_fragment_length extension" ) );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]2276
2277 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
2278 ext + 4, ext_size ) ) != 0 )
2279 {
2280 return( ret );
2281 }
2282
2283 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2284#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]2285
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2286#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]2287 case MBEDTLS_TLS_EXT_CID:
2288 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
2289
2290 if( ( ret = ssl_parse_cid_ext( ssl,
2291 ext + 4,
2292 ext_size ) ) != 0 )
2293 {
2294 return( ret );
2295 }
2296
2297 break;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2298#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]2299
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2300#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2301 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
2302 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2303
2304 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
2305 ext + 4, ext_size ) ) != 0 )
2306 {
2307 return( ret );
2308 }
2309
2310 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2311#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2312
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2313#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2314 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2315 MBEDTLS_SSL_DEBUG_MSG( 3,
2316 ( "found extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2317
2318 if( ( ret = ssl_parse_extended_ms_ext( ssl,
2319 ext + 4, ext_size ) ) != 0 )
2320 {
2321 return( ret );
2322 }
2323
2324 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2325#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2327#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2328 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2329 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2330
2331 if( ( ret = ssl_parse_session_ticket_ext( ssl,
2332 ext + 4, ext_size ) ) != 0 )
2333 {
2334 return( ret );
2335 }
2336
2337 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2338#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2339
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]2340#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2341 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2342 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2343 MBEDTLS_SSL_DEBUG_MSG( 3,
2344 ( "found supported_point_formats extension" ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2345
2346 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
2347 ext + 4, ext_size ) ) != 0 )
2348 {
2349 return( ret );
2350 }
2351
2352 break;
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2353#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2354 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2355
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]2356#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2357 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2358 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
2359
2360 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
2361 ext + 4, ext_size ) ) != 0 )
2362 {
2363 return( ret );
2364 }
2365
2366 break;
2367#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2368
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2369#if defined(MBEDTLS_SSL_ALPN)
2370 case MBEDTLS_TLS_EXT_ALPN:
2371 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2372
Johan Pascal275874b2020-10-27 10:43:53 +0100[diff] [blame]2373 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
2374 return( ret );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2375
2376 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2377#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2378
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2379#if defined(MBEDTLS_SSL_DTLS_SRTP)
2380 case MBEDTLS_TLS_EXT_USE_SRTP:
2381 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found use_srtp extension" ) );
2382
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]2383 if( ( ret = ssl_parse_use_srtp_ext( ssl, ext + 4, ext_size ) ) != 0 )
2384 return( ret );
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2385
2386 break;
2387#endif /* MBEDTLS_SSL_DTLS_SRTP */
2388
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2389 default:
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2390 MBEDTLS_SSL_DEBUG_MSG( 3,
Paul Elliott9f352112020-12-09 14:55:45 +0000[diff] [blame]2391 ( "unknown extension found: %u (ignoring)", ext_id ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2392 }
2393
2394 ext_len -= 4 + ext_size;
2395 ext += 4 + ext_size;
2396
2397 if( ext_len > 0 && ext_len < 4 )
2398 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2399 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]2400 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2401 }
2402 }
2403
2404 /*
2405 * Renegotiation security checks
2406 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2407 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2408 ssl->conf->allow_legacy_renegotiation ==
2409 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2410 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2411 MBEDTLS_SSL_DEBUG_MSG( 1,
2412 ( "legacy renegotiation, breaking off handshake" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2413 handshake_failure = 1;
2414 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2415#if defined(MBEDTLS_SSL_RENEGOTIATION)
2416 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2417 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2418 renegotiation_info_seen == 0 )
2419 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2420 MBEDTLS_SSL_DEBUG_MSG( 1,
2421 ( "renegotiation_info extension missing (secure)" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2422 handshake_failure = 1;
2423 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2424 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2425 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2426 ssl->conf->allow_legacy_renegotiation ==
2427 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2428 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2429 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2430 handshake_failure = 1;
2431 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2432 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2433 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2434 renegotiation_info_seen == 1 )
2435 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2436 MBEDTLS_SSL_DEBUG_MSG( 1,
2437 ( "renegotiation_info extension present (legacy)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2438 handshake_failure = 1;
2439 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2440#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2441
2442 if( handshake_failure == 1 )
2443 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2444 mbedtls_ssl_send_alert_message(
2445 ssl,
2446 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2447 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Beckerc3411d42021-06-24 11:09:00 +0100[diff] [blame]2448 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2449 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2450
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2451 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2452
2453 return( 0 );
2454}
2455
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2456#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2457 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2458static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
2459 unsigned char **p,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2460 unsigned char *end )
2461{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2462 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Gilles Peskinee8a2fc82020-12-08 22:46:11 +0100[diff] [blame]2463 size_t dhm_actual_bitlen;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2464
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2465 /*
2466 * Ephemeral DH parameters:
2467 *
2468 * struct {
2469 * opaque dh_p<1..2^16-1>;
2470 * opaque dh_g<1..2^16-1>;
2471 * opaque dh_Ys<1..2^16-1>;
2472 * } ServerDHParams;
2473 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2474 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx,
2475 p, end ) ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2476 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2477 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2478 return( ret );
2479 }
2480
Gilles Peskine487bbf62021-05-27 22:17:07 +0200[diff] [blame]2481 dhm_actual_bitlen = mbedtls_dhm_get_bitlen( &ssl->handshake->dhm_ctx );
Gilles Peskinee8a2fc82020-12-08 22:46:11 +0100[diff] [blame]2482 if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2483 {
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]2484 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
Gilles Peskinee8a2fc82020-12-08 22:46:11 +0100[diff] [blame]2485 dhm_actual_bitlen,
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]2486 ssl->conf->dhm_min_bitlen ) );
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]2487 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2488 }
2489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2490 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2491 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2492 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2493
2494 return( ret );
2495}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2496#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2497 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2499#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2500 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2501 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2502 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2503 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2504static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2505{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2506 const mbedtls_ecp_curve_info *curve_info;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2507 mbedtls_ecp_group_id grp_id;
2508#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2509 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2510#else
2511 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2512#endif
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2513
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2514 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2515 if( curve_info == NULL )
2516 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2517 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2518 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2519 }
2520
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2521 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2522
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]2523#if defined(MBEDTLS_ECP_C)
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2524 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2525#else
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2526 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2527 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2528#endif
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2529 return( -1 );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2530
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2531 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2532 MBEDTLS_DEBUG_ECDH_QP );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2533
2534 return( 0 );
2535}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2536#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2537 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2538 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2539 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2540 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2541
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2542#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2543 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2544 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
2545static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl,
2546 unsigned char **p,
2547 unsigned char *end )
2548{
2549 uint16_t tls_id;
Gilles Peskine42459802019-12-19 13:31:53 +0100[diff] [blame]2550 size_t ecdh_bits = 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2551 uint8_t ecpoint_len;
2552 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2553
2554 /*
2555 * Parse ECC group
2556 */
2557
2558 if( end - *p < 4 )
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]2559 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2560
2561 /* First byte is curve_type; only named_curve is handled */
2562 if( *(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE )
Hanno Becker2fc9a652021-06-24 15:40:11 +0100[diff] [blame]2563 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2564
2565 /* Next two bytes are the namedcurve value */
2566 tls_id = *(*p)++;
2567 tls_id <<= 8;
2568 tls_id |= *(*p)++;
2569
2570 /* Convert EC group to PSA key type. */
Gilles Peskine42459802019-12-19 13:31:53 +0100[diff] [blame]2571 if( ( handshake->ecdh_psa_type =
2572 mbedtls_psa_parse_tls_ecc_group( tls_id, &ecdh_bits ) ) == 0 )
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2573 {
Hanno Becker2fc9a652021-06-24 15:40:11 +0100[diff] [blame]2574 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2575 }
Gilles Peskine42459802019-12-19 13:31:53 +0100[diff] [blame]2576 if( ecdh_bits > 0xffff )
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]2577 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Gilles Peskine42459802019-12-19 13:31:53 +0100[diff] [blame]2578 handshake->ecdh_bits = (uint16_t) ecdh_bits;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2579
2580 /*
2581 * Put peer's ECDH public key in the format understood by PSA.
2582 */
2583
2584 ecpoint_len = *(*p)++;
2585 if( (size_t)( end - *p ) < ecpoint_len )
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]2586 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2587
Gilles Peskine42459802019-12-19 13:31:53 +0100[diff] [blame]2588 if( mbedtls_psa_tls_ecpoint_to_psa_ec(
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2589 *p, ecpoint_len,
2590 handshake->ecdh_psa_peerkey,
2591 sizeof( handshake->ecdh_psa_peerkey ),
2592 &handshake->ecdh_psa_peerkey_len ) != 0 )
2593 {
2594 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
2595 }
2596
2597 *p += ecpoint_len;
2598 return( 0 );
2599}
2600#endif /* MBEDTLS_USE_PSA_CRYPTO &&
2601 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2602 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
2603
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2604#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2605 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2606 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2607static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2608 unsigned char **p,
2609 unsigned char *end )
2610{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2611 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2612
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2613 /*
2614 * Ephemeral ECDH parameters:
2615 *
2616 * struct {
2617 * ECParameters curve_params;
2618 * ECPoint public;
2619 * } ServerECDHParams;
2620 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2621 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2622 (const unsigned char **) p, end ) ) != 0 )
2623 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2624 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2625#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +0200[diff] [blame]2626 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2627 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2628#endif
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2629 return( ret );
2630 }
2631
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2632 if( ssl_check_server_ecdh_params( ssl ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2633 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2634 MBEDTLS_SSL_DEBUG_MSG( 1,
2635 ( "bad server key exchange message (ECDHE curve)" ) );
Hanno Becker2fc9a652021-06-24 15:40:11 +0100[diff] [blame]2636 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2637 }
2638
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2639 return( ret );
2640}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2641#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2642 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2643 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2644
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2645#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2646static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2647 unsigned char **p,
2648 unsigned char *end )
2649{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2650 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]2651 uint16_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2652 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2653
2654 /*
2655 * PSK parameters:
2656 *
2657 * opaque psk_identity_hint<0..2^16-1>;
2658 */
Hanno Becker0c161d12018-10-08 13:40:50 +0100[diff] [blame]2659 if( end - (*p) < 2 )
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]2660 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2661 MBEDTLS_SSL_DEBUG_MSG( 1,
2662 ( "bad server key exchange message (psk_identity_hint length)" ) );
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]2663 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]2664 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]2665 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2666 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2667
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]2668 if( end - (*p) < len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2669 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2670 MBEDTLS_SSL_DEBUG_MSG( 1,
2671 ( "bad server key exchange message (psk_identity_hint length)" ) );
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]2672 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2673 }
2674
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]2675 /*
2676 * Note: we currently ignore the PKS identity hint, as we only allow one
2677 * PSK to be provisionned on the client. This could be changed later if
2678 * someone needs that feature.
2679 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2680 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2681 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2682
2683 return( ret );
2684}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2685#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2686
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2687#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2688 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2689/*
2690 * Generate a pre-master secret and encrypt it with the server's RSA key
2691 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2692static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2693 size_t offset, size_t *olen,
2694 size_t pms_offset )
2695{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2696 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2697 size_t len_bytes = 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2698 unsigned char *p = ssl->handshake->premaster + pms_offset;
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]2699 mbedtls_pk_context * peer_pk;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2700
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2701 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]2702 {
2703 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2704 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2705 }
2706
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2707 /*
2708 * Generate (part of) the pre-master as
2709 * struct {
2710 * ProtocolVersion client_version;
2711 * opaque random[46];
2712 * } PreMasterSecret;
2713 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2714 mbedtls_ssl_write_version( ssl->conf->max_major_ver,
2715 ssl->conf->max_minor_ver,
2716 ssl->conf->transport, p );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2717
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]2718 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2719 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2720 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2721 return( ret );
2722 }
2723
2724 ssl->handshake->pmslen = 48;
2725
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]2726#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2727 peer_pk = &ssl->handshake->peer_pubkey;
2728#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2729 if( ssl->session_negotiate->peer_cert == NULL )
2730 {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]2731 /* Should never happen */
Hanno Becker62d58ed2019-02-26 11:51:06 +0000[diff] [blame]2732 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]2733 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2734 }
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]2735 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2736#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2737
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2738 /*
2739 * Now write it out, encrypted
2740 */
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]2741 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2742 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2743 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2744 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2745 }
2746
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]2747 if( ( ret = mbedtls_pk_encrypt( peer_pk,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2748 p, ssl->handshake->pmslen,
2749 ssl->out_msg + offset + len_bytes, olen,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2750 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]2751 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2752 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2753 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2754 return( ret );
2755 }
2756
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]2757#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2758 if( len_bytes == 2 )
2759 {
2760 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2761 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2762 *olen += 2;
2763 }
2764#endif
2765
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2766#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2767 /* We don't need the peer's public key anymore. Free it. */
2768 mbedtls_pk_free( peer_pk );
2769#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2770 return( 0 );
2771}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2772#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2773 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2774
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2775#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2776#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2777 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2778 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2779static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2780 unsigned char **p,
2781 unsigned char *end,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2782 mbedtls_md_type_t *md_alg,
2783 mbedtls_pk_type_t *pk_alg )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2784{
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2785 ((void) ssl);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2786 *md_alg = MBEDTLS_MD_NONE;
2787 *pk_alg = MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2788
2789 /* Only in TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2790 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2791 {
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2792 return( 0 );
2793 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2794
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2795 if( (*p) + 2 > end )
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]2796 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2797
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2798 /*
2799 * Get hash algorithm
2800 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2801 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
2802 == MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2803 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2804 MBEDTLS_SSL_DEBUG_MSG( 1,
2805 ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
Hanno Becker2fc9a652021-06-24 15:40:11 +0100[diff] [blame]2806 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2807 }
2808
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2809 /*
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2810 * Get signature algorithm
2811 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2812 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
2813 == MBEDTLS_PK_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2814 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2815 MBEDTLS_SSL_DEBUG_MSG( 1,
2816 ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
Dave Rodgman5f8c18b2021-06-28 11:58:00 +0100[diff] [blame]2817 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2818 }
2819
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2820 /*
2821 * Check if the hash is acceptable
2822 */
2823 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2824 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2825 MBEDTLS_SSL_DEBUG_MSG( 1,
2826 ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]2827 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2828 }
2829
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2830 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
2831 (*p)[1] ) );
2832 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
2833 (*p)[0] ) );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2834 *p += 2;
2835
2836 return( 0 );
2837}
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2838#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2839 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2840 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2841#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2842
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2843#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2844 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2845static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2846{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2847 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2848 const mbedtls_ecp_keypair *peer_key;
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2849 mbedtls_pk_context * peer_pk;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2850
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2851#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2852 peer_pk = &ssl->handshake->peer_pubkey;
2853#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2854 if( ssl->session_negotiate->peer_cert == NULL )
2855 {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]2856 /* Should never happen */
Hanno Beckerbd5580a2019-02-26 12:36:01 +0000[diff] [blame]2857 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]2858 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2859 }
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2860 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2861#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2862
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2863 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2864 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2865 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2866 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2867 }
2868
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2869 peer_key = mbedtls_pk_ec( *peer_pk );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2870
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2871 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2872 MBEDTLS_ECDH_THEIRS ) ) != 0 )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2873 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2874 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2875 return( ret );
2876 }
2877
2878 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2879 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2880 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
Hanno Becker9ed1ba52021-06-24 11:03:13 +0100[diff] [blame]2881 return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2882 }
2883
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2884#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2885 /* We don't need the peer's public key anymore. Free it,
2886 * so that more RAM is available for upcoming expensive
2887 * operations like ECDHE. */
2888 mbedtls_pk_free( peer_pk );
2889#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2890
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2891 return( ret );
2892}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2893#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2894 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2895
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2896static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2897{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2898 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2899 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2900 ssl->handshake->ciphersuite_info;
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +0100[diff] [blame]2901 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2902
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2903 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2904
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2905#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2906 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2907 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2908 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2909 ssl->state++;
2910 return( 0 );
2911 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2912 ((void) p);
2913 ((void) end);
2914#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2915
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2916#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2917 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2918 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2919 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2920 {
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2921 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2922 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2923 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2924 mbedtls_ssl_send_alert_message(
2925 ssl,
2926 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2927 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2928 return( ret );
2929 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2930
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2931 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2932 ssl->state++;
2933 return( 0 );
2934 }
2935 ((void) p);
2936 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2937#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2938 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2939
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2940#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2941 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2942 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2943 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2944 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2945 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2946#endif
2947
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]2948 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2949 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2950 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2951 return( ret );
2952 }
2953
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2954 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2955 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2956 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2957 mbedtls_ssl_send_alert_message(
2958 ssl,
2959 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2960 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2961 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2962 }
2963
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2964 /*
2965 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2966 * doesn't use a psk_identity_hint
2967 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2968 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2969 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2970 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2971 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2972 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2973 /* Current message is probably either
2974 * CertificateRequest or ServerHelloDone */
2975 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2976 goto exit;
2977 }
2978
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2979 MBEDTLS_SSL_DEBUG_MSG( 1,
2980 ( "server key exchange message must not be skipped" ) );
2981 mbedtls_ssl_send_alert_message(
2982 ssl,
2983 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2984 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2985
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2986 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2987 }
2988
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2989#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2990 if( ssl->handshake->ecrs_enabled )
2991 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2992
2993start_processing:
2994#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2995 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2996 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2997 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2998
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2999#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3000 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3001 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3002 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3003 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]3004 {
3005 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
3006 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3007 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3008 mbedtls_ssl_send_alert_message(
3009 ssl,
3010 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman8f127392021-06-28 12:02:21 +0100[diff] [blame]3011 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]3012 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]3013 }
3014 } /* FALLTROUGH */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3015#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]3016
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3017#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
3018 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3019 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3020 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]3021 ; /* nothing more to do */
3022 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3023#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
3024 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3025#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3026 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3027 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
3028 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3029 {
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3030 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3031 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3032 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3033 mbedtls_ssl_send_alert_message(
3034 ssl,
3035 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3036 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Dave Rodgmanbed89272021-06-29 12:06:32 +0100[diff] [blame]3037 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3038 }
3039 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3040 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3041#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3042 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]3043#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3044 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3045 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
3046 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3047 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
3048 {
3049 if( ssl_parse_server_ecdh_params_psa( ssl, &p, end ) != 0 )
3050 {
3051 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3052 mbedtls_ssl_send_alert_message(
3053 ssl,
3054 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3055 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Dave Rodgmanc50b7172021-06-29 14:40:23 +0100[diff] [blame]3056 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]3057 }
3058 }
3059 else
3060#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3061 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3062 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3063#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3064 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
3065 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3066 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3067 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3068 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3069 {
3070 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
3071 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3072 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3073 mbedtls_ssl_send_alert_message(
3074 ssl,
3075 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3076 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Dave Rodgman39bd5a62021-06-29 15:25:21 +0100[diff] [blame]3077 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3078 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3079 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3080 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3081#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3082 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
3083 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3084#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3085 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3086 {
3087 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
3088 p, end - p );
3089 if( ret != 0 )
3090 {
3091 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3092 mbedtls_ssl_send_alert_message(
3093 ssl,
3094 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker77b4a652021-06-24 16:27:09 +0100[diff] [blame]3095 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
3096 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3097 }
3098 }
3099 else
3100#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3101 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3102 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3103 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3104 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3105
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3106#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3107 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3108 {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]3109 size_t sig_len, hashlen;
3110 unsigned char hash[64];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3111 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3112 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
3113 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]3114 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]3115 void *rs_ctx = NULL;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]3116
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]3117 mbedtls_pk_context * peer_pk;
3118
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3119 /*
3120 * Handle the digitally-signed structure
3121 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3122#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3123 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3124 {
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]3125 if( ssl_parse_signature_algorithm( ssl, &p, end,
3126 &md_alg, &pk_alg ) != 0 )
3127 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3128 MBEDTLS_SSL_DEBUG_MSG( 1,
3129 ( "bad server key exchange message" ) );
3130 mbedtls_ssl_send_alert_message(
3131 ssl,
3132 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3133 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]3134 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]3135 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3136
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3137 if( pk_alg !=
3138 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3139 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3140 MBEDTLS_SSL_DEBUG_MSG( 1,
3141 ( "bad server key exchange message" ) );
3142 mbedtls_ssl_send_alert_message(
3143 ssl,
3144 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3145 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]3146 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3147 }
3148 }
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]3149 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3150#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]3151 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3152 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3153 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]3154 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3155
3156 /*
3157 * Read signature
3158 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]3159
3160 if( p > end - 2 )
3161 {
3162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3163 mbedtls_ssl_send_alert_message(
3164 ssl,
3165 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3166 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]3167 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]3168 }
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]3169 sig_len = ( p[0] << 8 ) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3170 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3171
Krzysztof Stachowiak027f84c2018-03-13 11:29:24 +0100[diff] [blame]3172 if( p != end - sig_len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3173 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3174 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3175 mbedtls_ssl_send_alert_message(
3176 ssl,
3177 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3178 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Beckercbc8f6f2021-06-24 10:32:31 +0100[diff] [blame]3179 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3180 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3181
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3182 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]3183
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]3184 /*
3185 * Compute the hash that has been signed
3186 */
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]3187#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3188 if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3189 {
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]3190 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
3191 params, params_len,
3192 md_alg );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]3193 if( ret != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3194 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3195 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]3196 else
TRodziewicz0f82ec62021-05-12 17:49:18 +0200[diff] [blame]3197#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3198 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3199 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3200 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3201 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3202
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]3203 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3204
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]3205#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3206 peer_pk = &ssl->handshake->peer_pubkey;
3207#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]3208 if( ssl->session_negotiate->peer_cert == NULL )
3209 {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]3210 /* Should never happen */
Hanno Beckerbd5580a2019-02-26 12:36:01 +0000[diff] [blame]3211 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]3212 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]3213 }
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]3214 peer_pk = &ssl->session_negotiate->peer_cert->pk;
3215#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]3216
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]3217 /*
3218 * Verify signature
3219 */
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]3220 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]3221 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3222 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3223 mbedtls_ssl_send_alert_message(
3224 ssl,
3225 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3226 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3227 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]3228 }
3229
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3230#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3231 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]3232 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]3233#endif
3234
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]3235 if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]3236 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]3237 {
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3238#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]3239 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
3240#endif
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3241 mbedtls_ssl_send_alert_message(
3242 ssl,
3243 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3244 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3245 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3246#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3247 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3248 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3249#endif
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3250 return( ret );
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]3251 }
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]3252
3253#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3254 /* We don't need the peer's public key anymore. Free it,
3255 * so that more RAM is available for upcoming expensive
3256 * operations like ECDHE. */
3257 mbedtls_pk_free( peer_pk );
3258#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3259 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3260#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3261
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3262exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3263 ssl->state++;
3264
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3265 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3266
3267 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3268}
3269
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3270#if ! defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3271static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3272{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3273 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3274 ssl->handshake->ciphersuite_info;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3275
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3276 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3277
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3278 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3279 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3280 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3281 ssl->state++;
3282 return( 0 );
3283 }
3284
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3285 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3286 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3287}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3288#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3289static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3290{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3291 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3292 unsigned char *buf;
3293 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]3294 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3295 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3296 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3297
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3298 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3299
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3300 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3301 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3302 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3303 ssl->state++;
3304 return( 0 );
3305 }
3306
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3307 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3308 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3309 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3310 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3311 }
3312
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3313 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3314 {
3315 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3316 mbedtls_ssl_send_alert_message(
3317 ssl,
3318 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3319 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3320 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3321 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3322
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3323 ssl->state++;
3324 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3325
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3326 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3327 ssl->client_auth ? "a" : "no" ) );
3328
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3329 if( ssl->client_auth == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3330 {
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]3331 /* Current message is probably the ServerHelloDone */
3332 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3333 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3334 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3335
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3336 /*
3337 * struct {
3338 * ClientCertificateType certificate_types<1..2^8-1>;
3339 * SignatureAndHashAlgorithm
3340 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3341 * DistinguishedName certificate_authorities<0..2^16-1>;
3342 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3343 *
3344 * Since we only support a single certificate on clients, let's just
3345 * ignore all the information that's supposed to help us pick a
3346 * certificate.
3347 *
3348 * We could check that our certificate matches the request, and bail out
3349 * if it doesn't, but it's simpler to just send the certificate anyway,
3350 * and give the server the opportunity to decide if it should terminate
3351 * the connection when it doesn't like our certificate.
3352 *
3353 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3354 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +0000[diff] [blame]3355 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3356 *
3357 * However, we still minimally parse the message to check it is at least
3358 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3359 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3360 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3361
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3362 /* certificate_types */
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]3363 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
3364 {
3365 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3366 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3367 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker5697af02021-06-24 10:33:51 +0100[diff] [blame]3368 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]3369 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3370 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3371 n = cert_type_len;
3372
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3373 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3374 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3375 * * the length of the signature algorithms field (if minor version of
3376 * SSL is 3),
3377 * * distinguished name length otherwise.
3378 * Both reach at most the index:
3379 * ...hdr_len + 2 + n,
3380 * therefore the buffer length at this point must be greater than that
3381 * regardless of the actual code path.
3382 */
3383 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3384 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3385 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3386 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3387 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker5697af02021-06-24 10:33:51 +0100[diff] [blame]3388 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3389 }
3390
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3391 /* supported_signature_algorithms */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3392#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3393 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3394 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3395 size_t sig_alg_len =
3396 ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3397 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3398#if defined(MBEDTLS_DEBUG_C)
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3399 unsigned char* sig_alg;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3400 size_t i;
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3401#endif
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3402
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3403 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3404 * The furthest access in buf is in the loop few lines below:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3405 * sig_alg[i + 1],
3406 * where:
3407 * sig_alg = buf + ...hdr_len + 3 + n,
3408 * max(i) = sig_alg_len - 1.
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3409 * Therefore the furthest access is:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3410 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3411 * which reduces to:
3412 * buf[...hdr_len + 3 + n + sig_alg_len],
3413 * which is one less than we need the buf to be.
3414 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3415 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl )
3416 + 3 + n + sig_alg_len )
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3417 {
3418 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3419 mbedtls_ssl_send_alert_message(
3420 ssl,
3421 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3422 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker5697af02021-06-24 10:33:51 +0100[diff] [blame]3423 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3424 }
3425
3426#if defined(MBEDTLS_DEBUG_C)
3427 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3428 for( i = 0; i < sig_alg_len; i += 2 )
3429 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3430 MBEDTLS_SSL_DEBUG_MSG( 3,
3431 ( "Supported Signature Algorithm found: %d,%d",
3432 sig_alg[i], sig_alg[i + 1] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3433 }
3434#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3435
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3436 n += 2 + sig_alg_len;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3437 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3438#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3439
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3440 /* certificate_authorities */
3441 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3442 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3443
3444 n += dn_len;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3445 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3446 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3447 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3448 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3449 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker5697af02021-06-24 10:33:51 +0100[diff] [blame]3450 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3451 }
3452
3453exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3454 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3455
3456 return( 0 );
3457}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3458#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3459
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3460static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3461{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3462 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3463
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3464 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3465
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3466 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3467 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3468 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3469 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3470 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3471
3472 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3473 {
3474 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3475 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3476 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3477
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3478 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3479 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3480 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3481 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3482 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3483 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker029cc2f2021-06-24 10:09:50 +0100[diff] [blame]3484 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3485 }
3486
3487 ssl->state++;
3488
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3489#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3490 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3491 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3492#endif
3493
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3494 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3495
3496 return( 0 );
3497}
3498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3499static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3500{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3501 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3502
3503 size_t header_len;
3504 size_t content_len;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3505 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3506 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3507
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3508 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3509
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3510#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3511 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3512 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3513 /*
3514 * DHM key exchange -- send G^X mod P
3515 */
Gilles Peskine487bbf62021-05-27 22:17:07 +0200[diff] [blame]3516 content_len = mbedtls_dhm_get_len( &ssl->handshake->dhm_ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3517
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3518 ssl->out_msg[4] = (unsigned char)( content_len >> 8 );
3519 ssl->out_msg[5] = (unsigned char)( content_len );
3520 header_len = 6;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3522 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
Gilles Peskine487bbf62021-05-27 22:17:07 +0200[diff] [blame]3523 (int) mbedtls_dhm_get_len( &ssl->handshake->dhm_ctx ),
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3524 &ssl->out_msg[header_len], content_len,
3525 ssl->conf->f_rng, ssl->conf->p_rng );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3526 if( ret != 0 )
3527 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3528 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3529 return( ret );
3530 }
3531
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3532 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3533 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3534
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3535 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3536 ssl->handshake->premaster,
3537 MBEDTLS_PREMASTER_SIZE,
3538 &ssl->handshake->pmslen,
3539 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3540 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3541 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3542 return( ret );
3543 }
3544
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3545 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3546 }
3547 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3548#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3549#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3550 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3551 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
3552 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3553 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
3554 {
3555 psa_status_t status;
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]3556 psa_key_attributes_t key_attributes;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3557
3558 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3559
3560 unsigned char own_pubkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
3561 size_t own_pubkey_len;
3562 unsigned char *own_pubkey_ecpoint;
3563 size_t own_pubkey_ecpoint_len;
3564
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3565 header_len = 4;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3566
Hanno Becker0a94a642019-01-11 14:35:30 +0000[diff] [blame]3567 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
3568
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3569 /*
3570 * Generate EC private key for ECDHE exchange.
3571 */
3572
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3573 /* The master secret is obtained from the shared ECDH secret by
3574 * applying the TLS 1.2 PRF with a specific salt and label. While
3575 * the PSA Crypto API encourages combining key agreement schemes
3576 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
3577 * yet support the provisioning of salt + label to the KDF.
3578 * For the time being, we therefore need to split the computation
3579 * of the ECDH secret and the application of the TLS 1.2 PRF. */
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]3580 key_attributes = psa_key_attributes_init();
3581 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
Janos Follathdf3b0892019-08-08 11:12:24 +0100[diff] [blame]3582 psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
Gilles Peskine42459802019-12-19 13:31:53 +0100[diff] [blame]3583 psa_set_key_type( &key_attributes, handshake->ecdh_psa_type );
3584 psa_set_key_bits( &key_attributes, handshake->ecdh_bits );
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3585
3586 /* Generate ECDH private key. */
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]3587 status = psa_generate_key( &key_attributes,
Janos Follathdf3b0892019-08-08 11:12:24 +0100[diff] [blame]3588 &handshake->ecdh_psa_privkey );
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3589 if( status != PSA_SUCCESS )
3590 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3591
3592 /* Export the public part of the ECDH private key from PSA
3593 * and convert it to ECPoint format used in ClientKeyExchange. */
3594 status = psa_export_public_key( handshake->ecdh_psa_privkey,
3595 own_pubkey, sizeof( own_pubkey ),
3596 &own_pubkey_len );
3597 if( status != PSA_SUCCESS )
3598 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3599
3600 if( mbedtls_psa_tls_psa_ec_to_ecpoint( own_pubkey,
3601 own_pubkey_len,
3602 &own_pubkey_ecpoint,
3603 &own_pubkey_ecpoint_len ) != 0 )
3604 {
3605 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3606 }
3607
3608 /* Copy ECPoint structure to outgoing message buffer. */
Andrzej Kurekade9e282019-05-07 08:19:33 -0400[diff] [blame]3609 ssl->out_msg[header_len] = (unsigned char) own_pubkey_ecpoint_len;
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3610 memcpy( ssl->out_msg + header_len + 1,
3611 own_pubkey_ecpoint, own_pubkey_ecpoint_len );
3612 content_len = own_pubkey_ecpoint_len + 1;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3613
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3614 /* The ECDH secret is the premaster secret used for key derivation. */
3615
Janos Follathdf3b0892019-08-08 11:12:24 +0100[diff] [blame]3616 /* Compute ECDH shared secret. */
3617 status = psa_raw_key_agreement( PSA_ALG_ECDH,
3618 handshake->ecdh_psa_privkey,
3619 handshake->ecdh_psa_peerkey,
3620 handshake->ecdh_psa_peerkey_len,
3621 ssl->handshake->premaster,
3622 sizeof( ssl->handshake->premaster ),
3623 &ssl->handshake->pmslen );
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3624 if( status != PSA_SUCCESS )
3625 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3626
3627 status = psa_destroy_key( handshake->ecdh_psa_privkey );
3628 if( status != PSA_SUCCESS )
3629 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Ronald Croncf56a0a2020-08-04 09:51:30 +0200[diff] [blame]3630 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3631 }
3632 else
3633#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3634 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3635 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3636#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3637 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3638 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3639 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3640 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3641 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3642 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3643 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3644 {
3645 /*
3646 * ECDH key exchange -- send client public value
3647 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3648 header_len = 4;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3649
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3650#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3651 if( ssl->handshake->ecrs_enabled )
3652 {
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3653 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3654 goto ecdh_calc_secret;
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]3655
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3656 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3657 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3658#endif
3659
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3660 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3661 &content_len,
3662 &ssl->out_msg[header_len], 1000,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]3663 ssl->conf->f_rng, ssl->conf->p_rng );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3664 if( ret != 0 )
3665 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3666 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3667#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3668 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3669 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3670#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3671 return( ret );
3672 }
3673
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]3674 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3675 MBEDTLS_DEBUG_ECDH_Q );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3676
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3677#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3678 if( ssl->handshake->ecrs_enabled )
3679 {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3680 ssl->handshake->ecrs_n = content_len;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3681 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3682 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3683
3684ecdh_calc_secret:
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3685 if( ssl->handshake->ecrs_enabled )
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3686 content_len = ssl->handshake->ecrs_n;
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3687#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3688 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3689 &ssl->handshake->pmslen,
3690 ssl->handshake->premaster,
3691 MBEDTLS_MPI_MAX_SIZE,
3692 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3693 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3694 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3695#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3696 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3697 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3698#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3699 return( ret );
3700 }
3701
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]3702 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3703 MBEDTLS_DEBUG_ECDH_Z );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3704 }
3705 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3706#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3707 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3708 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3709 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3710#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3711 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3712 {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3713 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3714 * opaque psk_identity<0..2^16-1>;
3715 */
Hanno Becker520224e2018-10-26 11:38:07 +0100[diff] [blame]3716 if( ssl_conf_has_static_psk( ssl->conf ) == 0 )
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3717 {
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]3718 /* We don't offer PSK suites if we don't have a PSK,
3719 * and we check that the server's choice is among the
3720 * ciphersuites we offered, so this should never happen. */
3721 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3722 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3723
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3724 header_len = 4;
3725 content_len = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3726
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3727 if( header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3728 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3729 MBEDTLS_SSL_DEBUG_MSG( 1,
3730 ( "psk identity too long or SSL buffer too short" ) );
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3731 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3732 }
3733
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3734 ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 );
3735 ssl->out_msg[header_len++] = (unsigned char)( content_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3736
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3737 memcpy( ssl->out_msg + header_len,
3738 ssl->conf->psk_identity,
3739 ssl->conf->psk_identity_len );
3740 header_len += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3741
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3742#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3743 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3744 {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3745 content_len = 0;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3746 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3747 else
3748#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3749#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3750 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3751 {
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3752#if defined(MBEDTLS_USE_PSA_CRYPTO)
3753 /* Opaque PSKs are currently only supported for PSK-only suites. */
Hanno Becker520224e2018-10-26 11:38:07 +0100[diff] [blame]3754 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3755 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3756#endif /* MBEDTLS_USE_PSA_CRYPTO */
3757
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3758 if( ( ret = ssl_write_encrypted_pms( ssl, header_len,
3759 &content_len, 2 ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3760 return( ret );
3761 }
3762 else
3763#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3764#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3765 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3766 {
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3767#if defined(MBEDTLS_USE_PSA_CRYPTO)
3768 /* Opaque PSKs are currently only supported for PSK-only suites. */
Hanno Becker520224e2018-10-26 11:38:07 +0100[diff] [blame]3769 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3770 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3771#endif /* MBEDTLS_USE_PSA_CRYPTO */
3772
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3773 /*
3774 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3775 */
Gilles Peskine487bbf62021-05-27 22:17:07 +0200[diff] [blame]3776 content_len = mbedtls_dhm_get_len( &ssl->handshake->dhm_ctx );
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3777
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3778 if( header_len + 2 + content_len >
3779 MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3780 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3781 MBEDTLS_SSL_DEBUG_MSG( 1,
3782 ( "psk identity or DHM size too long or SSL buffer too short" ) );
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3783 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3784 }
3785
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3786 ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 );
3787 ssl->out_msg[header_len++] = (unsigned char)( content_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3788
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3789 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
Gilles Peskine487bbf62021-05-27 22:17:07 +0200[diff] [blame]3790 (int) mbedtls_dhm_get_len( &ssl->handshake->dhm_ctx ),
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3791 &ssl->out_msg[header_len], content_len,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]3792 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3793 if( ret != 0 )
3794 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3795 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3796 return( ret );
3797 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3798 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3799 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3800#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3801#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3802 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3803 {
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3804#if defined(MBEDTLS_USE_PSA_CRYPTO)
3805 /* Opaque PSKs are currently only supported for PSK-only suites. */
Hanno Becker520224e2018-10-26 11:38:07 +0100[diff] [blame]3806 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3807 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3808#endif /* MBEDTLS_USE_PSA_CRYPTO */
3809
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3810 /*
3811 * ClientECDiffieHellmanPublic public;
3812 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3813 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
3814 &content_len,
3815 &ssl->out_msg[header_len],
3816 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]3817 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3818 if( ret != 0 )
3819 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3820 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3821 return( ret );
3822 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3823
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]3824 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3825 MBEDTLS_DEBUG_ECDH_Q );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3826 }
3827 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3828#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3829 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3830 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3831 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3832 }
3833
Hanno Beckerafd311e2018-10-23 15:26:40 +0100[diff] [blame]3834#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3835 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3836 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
3837 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
Hanno Becker520224e2018-10-26 11:38:07 +0100[diff] [blame]3838 ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
Hanno Beckerafd311e2018-10-23 15:26:40 +0100[diff] [blame]3839 {
Ronald Cron5ee57072020-06-11 09:34:06 +0200[diff] [blame]3840 MBEDTLS_SSL_DEBUG_MSG( 1,
3841 ( "skip PMS generation for opaque PSK" ) );
Hanno Beckerafd311e2018-10-23 15:26:40 +0100[diff] [blame]3842 }
3843 else
3844#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3845 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3846 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3847 ciphersuite_info->key_exchange ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3848 {
Ronald Cron5ee57072020-06-11 09:34:06 +0200[diff] [blame]3849 MBEDTLS_SSL_DEBUG_RET( 1,
3850 "mbedtls_ssl_psk_derive_premaster", ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3851 return( ret );
3852 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3853 }
3854 else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3855#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3856#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3857 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3858 {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3859 header_len = 4;
3860 if( ( ret = ssl_write_encrypted_pms( ssl, header_len,
3861 &content_len, 0 ) ) != 0 )
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]3862 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3863 }
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3864 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3865#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3866#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3867 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3868 {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3869 header_len = 4;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3870
3871 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3872 ssl->out_msg + header_len,
3873 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3874 &content_len,
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3875 ssl->conf->f_rng, ssl->conf->p_rng );
3876 if( ret != 0 )
3877 {
3878 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3879 return( ret );
3880 }
3881
3882 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3883 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3884 ssl->conf->f_rng, ssl->conf->p_rng );
3885 if( ret != 0 )
3886 {
3887 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3888 return( ret );
3889 }
3890 }
3891 else
3892#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3893 {
3894 ((void) ciphersuite_info);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3895 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3896 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3897 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3898
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3899 ssl->out_msglen = header_len + content_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3900 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3901 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3902
3903 ssl->state++;
3904
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3905 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3906 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3907 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3908 return( ret );
3909 }
3910
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3911 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3912
3913 return( 0 );
3914}
3915
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3916#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3917static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3918{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3919 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3920 ssl->handshake->ciphersuite_info;
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3921 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3922
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3923 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3924
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3925 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3926 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3927 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3928 return( ret );
3929 }
3930
Hanno Becker77adddc2019-02-07 12:32:43 +0000[diff] [blame]3931 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3932 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3933 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3934 ssl->state++;
3935 return( 0 );
3936 }
3937
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3938 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3939 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3940}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3941#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3942static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3943{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3944 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3945 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3946 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3947 size_t n = 0, offset = 0;
3948 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3949 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3950 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3951 size_t hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3952 void *rs_ctx = NULL;
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3953#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3954 size_t out_buf_len = ssl->out_buf_len - ( ssl->out_msg - ssl->out_buf );
3955#else
3956 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - ( ssl->out_msg - ssl->out_buf );
3957#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3958
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3959 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3960
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3961#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3962 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3963 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3964 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3965 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3966 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3967#endif
3968
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3969 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3970 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3971 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3972 return( ret );
3973 }
3974
Hanno Becker77adddc2019-02-07 12:32:43 +0000[diff] [blame]3975 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3976 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3977 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3978 ssl->state++;
3979 return( 0 );
3980 }
3981
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3982 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3983 {
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]3984 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3985 ssl->state++;
3986 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3987 }
3988
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3989 if( mbedtls_ssl_own_key( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3990 {
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3991 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3992 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3993 }
3994
3995 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3996 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3997 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3998#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3999 if( ssl->handshake->ecrs_enabled )
4000 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
4001
4002sign:
4003#endif
4004
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]4005 ssl->handshake->calc_verify( ssl, hash, &hashlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4006
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4007#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4008 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4009 {
4010 /*
4011 * digitally-signed struct {
4012 * opaque handshake_messages[handshake_messages_length];
4013 * };
4014 *
4015 * Taking shortcut here. We assume that the server always allows the
4016 * PRF Hash function and has sent it in the allowed signature
4017 * algorithms list received in the Certificate Request message.
4018 *
4019 * Until we encounter a server that does not, we will take this
4020 * shortcut.
4021 *
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]4022 * Reason: Otherwise we should have running hashes for SHA512 and
4023 * SHA224 in order to satisfy 'weird' needs from the server
4024 * side.
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4025 */
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]4026 if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]4027 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4028 md_alg = MBEDTLS_MD_SHA384;
4029 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]4030 }
4031 else
4032 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4033 md_alg = MBEDTLS_MD_SHA256;
4034 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]4035 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4036 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]4037
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +0200[diff] [blame]4038 /* Info from md_alg will be used instead */
4039 hashlen = 0;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]4040 offset = 2;
4041 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]4042 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4043#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]4044 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4045 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4046 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]4047 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]4048
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4049#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]4050 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]4051 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]4052#endif
4053
4054 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
4055 md_alg, hash_start, hashlen,
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]4056 ssl->out_msg + 6 + offset,
4057 out_buf_len - 6 - offset,
4058 &n,
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]4059 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]4060 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4061 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4062#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]4063 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
4064 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
4065#endif
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]4066 return( ret );
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]4067 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4068
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]4069 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
4070 ssl->out_msg[5 + offset] = (unsigned char)( n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4071
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]4072 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4073 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4074 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4075
4076 ssl->state++;
4077
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]4078 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4079 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]4080 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4081 return( ret );
4082 }
4083
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4084 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4085
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]4086 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4087}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4088#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4089
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4090#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4091static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4092{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4093 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4094 uint32_t lifetime;
4095 size_t ticket_len;
4096 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]4097 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4098
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4099 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4100
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]4101 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4102 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4103 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4104 return( ret );
4105 }
4106
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4107 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4108 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4109 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]4110 mbedtls_ssl_send_alert_message(
4111 ssl,
4112 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4113 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4114 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4115 }
4116
4117 /*
4118 * struct {
4119 * uint32 ticket_lifetime_hint;
4120 * opaque ticket<0..2^16-1>;
4121 * } NewSessionTicket;
4122 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]4123 * 0 . 3 ticket_lifetime_hint
4124 * 4 . 5 ticket_len (n)
4125 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4126 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4127 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
4128 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4129 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4130 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4131 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4132 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker241c1972021-06-24 09:44:26 +0100[diff] [blame]4133 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4134 }
4135
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4136 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4137
Philippe Antoineb5b25432018-05-11 11:06:29 +0200[diff] [blame]4138 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
4139 ( msg[2] << 8 ) | ( msg[3] );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4140
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]4141 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
4142
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4143 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4144 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4145 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4146 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4147 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Hanno Becker241c1972021-06-24 09:44:26 +0100[diff] [blame]4148 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4149 }
4150
Paul Elliottd48d5c62021-01-07 14:47:05 +0000[diff] [blame]4151 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4152
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]4153 /* We're not waiting for a NewSessionTicket message any more */
4154 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4155 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]4156
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4157 /*
4158 * Zero-length ticket means the server changed his mind and doesn't want
4159 * to send a ticket after all, so just forget it
4160 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]4161 if( ticket_len == 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4162 return( 0 );
4163
Hanno Beckerb2964cb2019-01-30 14:46:35 +0000[diff] [blame]4164 if( ssl->session != NULL && ssl->session->ticket != NULL )
4165 {
4166 mbedtls_platform_zeroize( ssl->session->ticket,
4167 ssl->session->ticket_len );
4168 mbedtls_free( ssl->session->ticket );
4169 ssl->session->ticket = NULL;
4170 ssl->session->ticket_len = 0;
4171 }
4172
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]4173 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
4174 ssl->session_negotiate->ticket_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4175 mbedtls_free( ssl->session_negotiate->ticket );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4176 ssl->session_negotiate->ticket = NULL;
4177 ssl->session_negotiate->ticket_len = 0;
4178
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]4179 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4180 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]4181 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4182 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4183 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]4184 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4185 }
4186
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]4187 memcpy( ticket, msg + 6, ticket_len );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4188
4189 ssl->session_negotiate->ticket = ticket;
4190 ssl->session_negotiate->ticket_len = ticket_len;
4191 ssl->session_negotiate->ticket_lifetime = lifetime;
4192
4193 /*
4194 * RFC 5077 section 3.4:
4195 * "If the client receives a session ticket from the server, then it
4196 * discards any Session ID that was sent in the ServerHello."
4197 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4198 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]4199 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4200
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4201 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4202
4203 return( 0 );
4204}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4205#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4206
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4207/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4208 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4209 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4210int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4211{
4212 int ret = 0;
4213
Manuel Pégourié-Gonnarddba460f2015-06-24 22:59:30 +0200[diff] [blame]4214 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4215 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4216
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4217 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4218
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4219 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4220 return( ret );
4221
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4222#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]4223 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4224 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]4225 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]4226 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]4227 return( ret );
4228 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]4229#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]4230
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4231 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]4232 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4233#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4234 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]4235 ssl->handshake->new_session_ticket != 0 )
4236 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4237 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]4238 }
4239#endif
4240
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4241 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4242 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4243 case MBEDTLS_SSL_HELLO_REQUEST:
4244 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4245 break;
4246
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4247 /*
4248 * ==> ClientHello
4249 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4250 case MBEDTLS_SSL_CLIENT_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4251 ret = ssl_write_client_hello( ssl );
4252 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4253
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4254 /*
4255 * <== ServerHello
4256 * Certificate
4257 * ( ServerKeyExchange )
4258 * ( CertificateRequest )
4259 * ServerHelloDone
4260 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4261 case MBEDTLS_SSL_SERVER_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4262 ret = ssl_parse_server_hello( ssl );
4263 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4264
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4265 case MBEDTLS_SSL_SERVER_CERTIFICATE:
4266 ret = mbedtls_ssl_parse_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4267 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4268
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4269 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4270 ret = ssl_parse_server_key_exchange( ssl );
4271 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4272
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4273 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4274 ret = ssl_parse_certificate_request( ssl );
4275 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4276
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4277 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4278 ret = ssl_parse_server_hello_done( ssl );
4279 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4280
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4281 /*
4282 * ==> ( Certificate/Alert )
4283 * ClientKeyExchange
4284 * ( CertificateVerify )
4285 * ChangeCipherSpec
4286 * Finished
4287 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4288 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4289 ret = mbedtls_ssl_write_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4290 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4291
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4292 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4293 ret = ssl_write_client_key_exchange( ssl );
4294 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4295
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4296 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4297 ret = ssl_write_certificate_verify( ssl );
4298 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4299
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4300 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4301 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4302 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4303
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4304 case MBEDTLS_SSL_CLIENT_FINISHED:
4305 ret = mbedtls_ssl_write_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4306 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4307
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4308 /*
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4309 * <== ( NewSessionTicket )
4310 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4311 * Finished
4312 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4313#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4314 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]4315 ret = ssl_parse_new_session_ticket( ssl );
4316 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]4317#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]4318
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4319 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4320 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4321 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4322
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4323 case MBEDTLS_SSL_SERVER_FINISHED:
4324 ret = mbedtls_ssl_parse_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4325 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4327 case MBEDTLS_SSL_FLUSH_BUFFERS:
4328 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
4329 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4330 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4332 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4333 mbedtls_ssl_handshake_wrapup( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4334 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]4335
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4336 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4337 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
4338 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4339 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4340
4341 return( ret );
4342}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4343#endif /* MBEDTLS_SSL_CLI_C */