TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 615cbcdbdfbb147724c50721013d77a46190911a / . / library / ssl_tls12_client.c
blob: f9c54fedf2601569ccbab03f2790ac415a9f5734 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS client-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]20#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]23
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]24#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]25
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]26#include "mbedtls/ssl.h"
Ronald Cron7320e642022-03-08 13:34:49 +0100[diff] [blame]27#include "ssl_client.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]28#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]29#include "mbedtls/debug.h"
30#include "mbedtls/error.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]31#include "mbedtls/constant_time.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]32
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]33#if defined(MBEDTLS_USE_PSA_CRYPTO)
34#include "mbedtls/psa_util.h"
Ronald Cron69a63422021-10-18 09:47:58 +0200[diff] [blame]35#include "psa/crypto.h"
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]36#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]37/* Define a local translating function to save code size by not using too many
38 * arguments in each translating place. */
39static int local_err_translation(psa_status_t status)
40{
41 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]42 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]43 psa_generic_status_to_mbedtls);
44}
45#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]46#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]47#endif /* MBEDTLS_USE_PSA_CRYPTO */
48
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]49#include <string.h>
50
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]51#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]54#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]55#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]58#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]59#endif
60
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]61#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]62MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]63static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
64 unsigned char *buf,
65 const unsigned char *end,
66 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]67{
68 unsigned char *p = buf;
69
70 *olen = 0;
71
Tom Cosgrovece7f18c2022-07-28 05:50:56 +0100[diff] [blame]72 /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]73 * initial ClientHello, in which case also adding the renegotiation
74 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]75 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
76 return 0;
77 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]78
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]79 MBEDTLS_SSL_DEBUG_MSG(3,
80 ("client hello, adding renegotiation extension"));
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]81
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]82 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]83
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]84 /*
85 * Secure renegotiation
86 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]87 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]88 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]89
90 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]91 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1);
92 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]93
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]94 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]95
96 *olen = 5 + ssl->verify_data_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]97
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]99}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]100#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]101
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]102#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]103 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]104
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]105MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]106static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
107 unsigned char *buf,
108 const unsigned char *end,
109 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]110{
111 unsigned char *p = buf;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]112 (void) ssl; /* ssl used for debugging only */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]113
114 *olen = 0;
115
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]116 MBEDTLS_SSL_DEBUG_MSG(3,
117 ("client hello, adding supported_point_formats extension"));
118 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]119
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]120 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]121 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]122
123 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]124 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]125
126 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]127 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]128
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]129 *olen = 6;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]130
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]131 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]132}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]133#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]134 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]135
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]136#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]137MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]138static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
139 unsigned char *buf,
140 const unsigned char *end,
141 size_t *olen)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]142{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]143 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]144 unsigned char *p = buf;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]145 size_t kkpp_len = 0;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]146
147 *olen = 0;
148
149 /* Skip costly extension if we can't use EC J-PAKE anyway */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]150#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]151 if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
152 return 0;
153 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]154#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]155 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
156 return 0;
157 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]158#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]159
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]160 MBEDTLS_SSL_DEBUG_MSG(3,
161 ("client hello, adding ecjpake_kkpp extension"));
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]162
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]163 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]164
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]165 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]166 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]167
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]168 /*
169 * We may need to send ClientHello multiple times for Hello verification.
170 * We don't want to compute fresh values every time (both for performance
171 * and consistency reasons), so cache the extension content.
172 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]173 if (ssl->handshake->ecjpake_cache == NULL ||
174 ssl->handshake->ecjpake_cache_len == 0) {
175 MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]176
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]177#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti6b3dab02022-11-17 17:14:54 +0100[diff] [blame]178 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]179 p + 2, end - p - 2, &kkpp_len,
180 MBEDTLS_ECJPAKE_ROUND_ONE);
181 if (ret != 0) {
182 psa_destroy_key(ssl->handshake->psa_pake_password);
183 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
184 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
185 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]186 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]187#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]188 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
189 p + 2, end - p - 2, &kkpp_len,
190 ssl->conf->f_rng, ssl->conf->p_rng);
191 if (ret != 0) {
192 MBEDTLS_SSL_DEBUG_RET(1,
193 "mbedtls_ecjpake_write_round_one", ret);
194 return ret;
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]195 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]196#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]197
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]198 ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
199 if (ssl->handshake->ecjpake_cache == NULL) {
200 MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed"));
201 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]202 }
203
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]204 memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]205 ssl->handshake->ecjpake_cache_len = kkpp_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]206 } else {
207 MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters"));
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]208
209 kkpp_len = ssl->handshake->ecjpake_cache_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]210 MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]211
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]212 memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]213 }
214
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]215 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]216 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]217
218 *olen = kkpp_len + 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]219
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]220 return 0;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]221}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]222#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]223
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]224#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]225MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]226static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
227 unsigned char *buf,
228 const unsigned char *end,
229 size_t *olen)
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]230{
231 unsigned char *p = buf;
232 size_t ext_len;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]233
234 /*
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]235 * struct {
236 * opaque cid<0..2^8-1>;
237 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]238 */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]239
240 *olen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]241 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
242 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
243 return 0;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]244 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]245 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension"));
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]246
247 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
248 * which is at most 255, so the increment cannot overflow. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]249 MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5));
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]250
251 /* Add extension ID + size */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]252 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]253 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]254 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]255 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]256 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]257
258 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]259 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]260
261 *olen = ssl->own_cid_len + 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]262
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]263 return 0;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]264}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]265#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]266
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]267#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]268MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]269static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
270 unsigned char *buf,
271 const unsigned char *end,
272 size_t *olen)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]273{
274 unsigned char *p = buf;
275
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]276 *olen = 0;
277
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]278 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
279 return 0;
280 }
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]281
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 MBEDTLS_SSL_DEBUG_MSG(3,
283 ("client hello, adding max_fragment_length extension"));
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]284
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]285 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]287 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]288 p += 2;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]289
290 *p++ = 0x00;
291 *p++ = 1;
292
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]293 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]294
295 *olen = 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]296
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]297 return 0;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]298}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]299#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]301#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]302MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]303static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
304 unsigned char *buf,
305 const unsigned char *end,
306 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]307{
308 unsigned char *p = buf;
309
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]310 *olen = 0;
311
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]312 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
313 return 0;
314 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]315
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]316 MBEDTLS_SSL_DEBUG_MSG(3,
317 ("client hello, adding encrypt_then_mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]318
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]320
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]321 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]322 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]323
324 *p++ = 0x00;
325 *p++ = 0x00;
326
327 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]328
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]329 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]330}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]331#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]332
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]333#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]334MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]335static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
336 unsigned char *buf,
337 const unsigned char *end,
338 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]339{
340 unsigned char *p = buf;
341
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]342 *olen = 0;
343
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
345 return 0;
346 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]347
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 MBEDTLS_SSL_DEBUG_MSG(3,
349 ("client hello, adding extended_master_secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]350
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]351 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]352
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]353 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]354 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]355
356 *p++ = 0x00;
357 *p++ = 0x00;
358
359 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]360
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]361 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]362}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]363#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]364
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]365#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]366MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]367static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
368 unsigned char *buf,
369 const unsigned char *end,
370 size_t *olen)
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]371{
372 unsigned char *p = buf;
373 size_t tlen = ssl->session_negotiate->ticket_len;
374
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]375 *olen = 0;
376
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]377 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
378 return 0;
379 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]380
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]381 MBEDTLS_SSL_DEBUG_MSG(3,
382 ("client hello, adding session ticket extension"));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]383
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]384 /* The addition is safe here since the ticket length is 16 bit. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]385 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]387 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]388 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 MBEDTLS_PUT_UINT16_BE(tlen, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]391 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]392
393 *olen = 4;
394
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]395 if (ssl->session_negotiate->ticket == NULL || tlen == 0) {
396 return 0;
397 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]398
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]399 MBEDTLS_SSL_DEBUG_MSG(3,
400 ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]402 memcpy(p, ssl->session_negotiate->ticket, tlen);
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]403
404 *olen += tlen;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]405
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 return 0;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]407}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]408#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]409
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]410#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]411MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]412static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
413 unsigned char *buf,
414 const unsigned char *end,
415 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]416{
417 unsigned char *p = buf;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]418 size_t protection_profiles_index = 0, ext_len = 0;
419 uint16_t mki_len = 0, profile_value = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]420
421 *olen = 0;
422
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]423 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
424 (ssl->conf->dtls_srtp_profile_list == NULL) ||
425 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
426 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]427 }
428
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]429 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]430 * uint8 SRTPProtectionProfile[2];
431 *
432 * struct {
433 * SRTPProtectionProfiles SRTPProtectionProfiles;
434 * opaque srtp_mki<0..255>;
435 * } UseSRTPData;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]436 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]437 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]438 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]439 mki_len = ssl->dtls_srtp_info.mki_len;
440 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]441 /* Extension length = 2 bytes for profiles length,
442 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
443 * 1 byte for srtp_mki vector length and the mki_len value
444 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]445 ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]446
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]447 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension"));
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]448
449 /* Check there is room in the buffer for the extension + 4 bytes
450 * - the extension tag (2 bytes)
451 * - the extension length (2 bytes)
452 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]453 MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4);
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]454
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]455 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]456 p += 2;
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]459 p += 2;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]460
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]461 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
Johan Pascalaae4d222020-09-22 21:21:39 +0200[diff] [blame]462 /* micro-optimization:
463 * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
464 * which is lower than 127, so the upper byte of the length is always 0
465 * For the documentation, the more generic code is left in comments
466 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
467 * >> 8 ) & 0xFF );
468 */
469 *p++ = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]470 *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]471
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]472 for (protection_profiles_index = 0;
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]473 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 protection_profiles_index++) {
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]475 profile_value = mbedtls_ssl_check_srtp_profile_value
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]476 (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
477 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
478 MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x",
479 profile_value));
480 MBEDTLS_PUT_UINT16_BE(profile_value, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]481 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]482 } else {
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]483 /*
484 * Note: we shall never arrive here as protection profiles
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]485 * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]486 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 MBEDTLS_SSL_DEBUG_MSG(3,
488 ("client hello, "
489 "illegal DTLS-SRTP protection profile %d",
490 ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
491 ));
492 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]493 }
494 }
495
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]496 *p++ = mki_len & 0xFF;
497
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 if (mki_len != 0) {
499 memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]500 /*
501 * Increment p to point to the current position.
502 */
503 p += mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]504 MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value,
505 ssl->dtls_srtp_info.mki_len);
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]506 }
507
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]508 /*
509 * total extension length: extension type (2 bytes)
510 * + extension length (2 bytes)
511 * + protection profile length (2 bytes)
512 * + 2 * number of protection profiles
513 * + srtp_mki vector length(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]514 * + mki value
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]515 */
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]516 *olen = p - buf;
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]517
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]518 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]519}
520#endif /* MBEDTLS_SSL_DTLS_SRTP */
521
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]522int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
523 unsigned char *buf,
524 const unsigned char *end,
525 int uses_ec,
526 size_t *out_len)
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]527{
528 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
529 unsigned char *p = buf;
530 size_t ext_len = 0;
531
532 (void) ssl;
533 (void) end;
534 (void) uses_ec;
535 (void) ret;
536 (void) ext_len;
537
538 *out_len = 0;
539
540 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
541 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
542#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]543 if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) {
544 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret);
545 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]546 }
547 p += ext_len;
548#endif
549
550#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
551 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]552 if (uses_ec) {
553 if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end,
554 &ext_len)) != 0) {
555 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret);
556 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]557 }
558 p += ext_len;
559 }
560#endif
561
562#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]563 if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) {
564 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret);
565 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]566 }
567 p += ext_len;
568#endif
569
570#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]571 if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) {
572 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret);
573 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]574 }
575 p += ext_len;
576#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
577
578#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]579 if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end,
580 &ext_len)) != 0) {
581 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret);
582 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]583 }
584 p += ext_len;
585#endif
586
587#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]588 if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) {
589 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret);
590 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]591 }
592 p += ext_len;
593#endif
594
595#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) {
597 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret);
598 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]599 }
600 p += ext_len;
601#endif
602
603#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]604 if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) {
605 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret);
606 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]607 }
608 p += ext_len;
609#endif
610
611#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]612 if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) {
613 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret);
614 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]615 }
616 p += ext_len;
617#endif
618
619 *out_len = p - buf;
620
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]621 return 0;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]622}
623
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]624MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
626 const unsigned char *buf,
627 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]628{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]629#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]630 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]631 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 if (len != 1 + ssl->verify_data_len * 2 ||
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]633 buf[0] != ssl->verify_data_len * 2 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 mbedtls_ct_memcmp(buf + 1,
635 ssl->own_verify_data, ssl->verify_data_len) != 0 ||
636 mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len,
637 ssl->peer_verify_data, ssl->verify_data_len) != 0) {
638 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]639 mbedtls_ssl_send_alert_message(
640 ssl,
641 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]642 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
643 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]644 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]645 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]646#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]647 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]648 if (len != 1 || buf[0] != 0x00) {
649 MBEDTLS_SSL_DEBUG_MSG(1,
650 ("non-zero length renegotiation info"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]651 mbedtls_ssl_send_alert_message(
652 ssl,
653 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
655 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]656 }
657
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]658 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]659 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]660
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]661 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]662}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]664#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]665MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]666static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
667 const unsigned char *buf,
668 size_t len)
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]669{
670 /*
671 * server should use the extension only if we did,
672 * and if so the server's value should match ours (and len is always 1)
673 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]674 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]675 len != 1 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 buf[0] != ssl->conf->mfl_code) {
677 MBEDTLS_SSL_DEBUG_MSG(1,
678 ("non-matching max fragment length extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]679 mbedtls_ssl_send_alert_message(
680 ssl,
681 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]682 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
683 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]684 }
685
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]686 return 0;
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]687}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]688#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]689
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]690#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]691MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]692static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
693 const unsigned char *buf,
694 size_t len)
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]695{
696 size_t peer_cid_len;
697
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]698 if ( /* CID extension only makes sense in DTLS */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]699 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
700 /* The server must only send the CID extension if we have offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]701 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
702 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected"));
703 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
704 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
705 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Hanno Becker22626482019-05-03 12:46:59 +0100[diff] [blame]706 }
707
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]708 if (len == 0) {
709 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
710 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
711 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
712 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]713 }
714
715 peer_cid_len = *buf++;
716 len--;
717
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]718 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
719 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
720 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
721 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
722 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]723 }
724
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]725 if (len != peer_cid_len) {
726 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
727 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
728 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
729 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]730 }
731
Hanno Becker5a299902019-05-03 12:47:49 +0100[diff] [blame]732 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]733 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]734 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]735
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]736 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
737 MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len);
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]738
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]739 return 0;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]740}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]741#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]742
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]743#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]744MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]745static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
746 const unsigned char *buf,
747 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]748{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]749 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
750 len != 0) {
751 MBEDTLS_SSL_DEBUG_MSG(1,
752 ("non-matching encrypt-then-MAC extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]753 mbedtls_ssl_send_alert_message(
754 ssl,
755 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]756 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
757 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]758 }
759
760 ((void) buf);
761
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]762 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]763
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]764 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]765}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]766#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]767
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]768#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]769MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]770static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
771 const unsigned char *buf,
772 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]773{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]774 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
775 len != 0) {
776 MBEDTLS_SSL_DEBUG_MSG(1,
777 ("non-matching extended master secret extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]778 mbedtls_ssl_send_alert_message(
779 ssl,
780 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]781 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
782 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]783 }
784
785 ((void) buf);
786
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]787 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]788
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]789 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]790}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]791#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]792
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]793#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]794MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]795static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
796 const unsigned char *buf,
797 size_t len)
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]798{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]799 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
800 len != 0) {
801 MBEDTLS_SSL_DEBUG_MSG(1,
802 ("non-matching session ticket extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]803 mbedtls_ssl_send_alert_message(
804 ssl,
805 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]806 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
807 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]808 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]809
810 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]811
812 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]813
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]814 return 0;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]815}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]816#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]817
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]818#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]819 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]820MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]821static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
822 const unsigned char *buf,
823 size_t len)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]824{
825 size_t list_size;
826 const unsigned char *p;
827
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]828 if (len == 0 || (size_t) (buf[0] + 1) != len) {
829 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
830 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
831 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
832 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]833 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]834 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]835
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]836 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]837 while (list_size > 0) {
838 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
839 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Valerio Setti46423162023-03-27 14:33:27 +0200[diff] [blame]840#if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]841 ssl->handshake->ecdh_ctx.point_format = p[0];
Valerio Setti77a904c2023-03-24 07:28:49 +0100[diff] [blame]842#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]843#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]844 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
845 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
846 p[0]);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]847#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]848 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
849 return 0;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]850 }
851
852 list_size--;
853 p++;
854 }
855
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]856 MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common"));
857 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
858 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
859 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]860}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]861#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]862 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]863
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]864#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]865MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]866static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
867 const unsigned char *buf,
868 size_t len)
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]869{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]870 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]871
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]872 if (ssl->handshake->ciphersuite_info->key_exchange !=
873 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
874 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
875 return 0;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]876 }
877
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]878 /* If we got here, we no longer need our cached extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]879 mbedtls_free(ssl->handshake->ecjpake_cache);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]880 ssl->handshake->ecjpake_cache = NULL;
881 ssl->handshake->ecjpake_cache_len = 0;
882
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]883#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]884 if ((ret = mbedtls_psa_ecjpake_read_round(
885 &ssl->handshake->psa_pake_ctx, buf, len,
886 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
887 psa_destroy_key(ssl->handshake->psa_pake_password);
888 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]889
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]890 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]891 mbedtls_ssl_send_alert_message(
892 ssl,
893 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]894 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
895 return ret;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]896 }
897
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]898 return 0;
899#else
900 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
901 buf, len)) != 0) {
902 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
903 mbedtls_ssl_send_alert_message(
904 ssl,
905 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
906 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
907 return ret;
908 }
909
910 return 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]911#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]912}
913#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]914
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]915#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]916MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]917static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
918 const unsigned char *buf, size_t len)
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]919{
920 size_t list_len, name_len;
921 const char **p;
922
923 /* If we didn't send it, the server shouldn't send it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]924 if (ssl->conf->alpn_list == NULL) {
925 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]926 mbedtls_ssl_send_alert_message(
927 ssl,
928 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]929 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
930 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]931 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]932
933 /*
934 * opaque ProtocolName<1..2^8-1>;
935 *
936 * struct {
937 * ProtocolName protocol_name_list<2..2^16-1>
938 * } ProtocolNameList;
939 *
940 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
941 */
942
943 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]944 if (len < 4) {
945 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
946 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
947 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]948 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]949
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]950 list_len = (buf[0] << 8) | buf[1];
951 if (list_len != len - 2) {
952 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
953 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
954 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]955 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]956
957 name_len = buf[2];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]958 if (name_len != list_len - 1) {
959 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
960 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
961 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]962 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]963
964 /* Check that the server chosen protocol was in our list and save it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]965 for (p = ssl->conf->alpn_list; *p != NULL; p++) {
966 if (name_len == strlen(*p) &&
967 memcmp(buf + 3, *p, name_len) == 0) {
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]968 ssl->alpn_chosen = *p;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]969 return 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]970 }
971 }
972
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]973 MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol"));
974 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
975 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
976 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]977}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]978#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]979
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]980#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]981MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]982static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
983 const unsigned char *buf,
984 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]985{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]986 mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]987 size_t i, mki_len = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]988 uint16_t server_protection_profile_value = 0;
989
990 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]991 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
992 (ssl->conf->dtls_srtp_profile_list == NULL) ||
993 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
994 return 0;
995 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]996
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]997 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]998 * uint8 SRTPProtectionProfile[2];
999 *
1000 * struct {
1001 * SRTPProtectionProfiles SRTPProtectionProfiles;
1002 * opaque srtp_mki<0..255>;
1003 * } UseSRTPData;
1004
1005 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
1006 *
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1007 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1008 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1009 mki_len = ssl->dtls_srtp_info.mki_len;
1010 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1011
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1012 /*
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]1013 * Length is 5 + optional mki_value : one protection profile length (2 bytes)
1014 * + protection profile (2 bytes)
1015 * + mki_len(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]1016 * and optional srtp_mki
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1017 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1018 if ((len < 5) || (len != (buf[4] + 5u))) {
1019 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1020 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1021
1022 /*
1023 * get the server protection profile
1024 */
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1025
1026 /*
1027 * protection profile length must be 0x0002 as we must have only
1028 * one protection profile in server Hello
1029 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1030 if ((buf[0] != 0) || (buf[1] != 2)) {
1031 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1032 }
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1033
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1034 server_protection_profile_value = (buf[2] << 8) | buf[3];
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1035 server_protection = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1036 server_protection_profile_value);
1037 if (server_protection != MBEDTLS_TLS_SRTP_UNSET) {
1038 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
1039 mbedtls_ssl_get_srtp_profile_as_string(
1040 server_protection)));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1041 }
1042
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1043 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1044
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1045 /*
1046 * Check we have the server profile in our list
1047 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1048 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
1049 if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]1050 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1051 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1052 mbedtls_ssl_get_srtp_profile_as_string(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1053 server_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1054 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1055 }
1056 }
1057
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1058 /* If no match was found : server problem, it shall never answer with incompatible profile */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1059 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
1060 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1061 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1062 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1063 }
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]1064
1065 /* If server does not use mki in its reply, make sure the client won't keep
1066 * one as negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1067 if (len == 5) {
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]1068 ssl->dtls_srtp_info.mki_len = 0;
1069 }
1070
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1071 /*
1072 * RFC5764:
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1073 * If the client detects a nonzero-length MKI in the server's response
1074 * that is different than the one the client offered, then the client
1075 * MUST abort the handshake and SHOULD send an invalid_parameter alert.
1076 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1077 if (len > 5 && (buf[4] != mki_len ||
1078 (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
1079 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1080 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1081 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1082 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1083#if defined(MBEDTLS_DEBUG_C)
1084 if (len > 5) {
1085 MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
1086 ssl->dtls_srtp_info.mki_len);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]1087 }
1088#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1089 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1090}
1091#endif /* MBEDTLS_SSL_DTLS_SRTP */
1092
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1093/*
1094 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1095 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1096#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1097MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1098static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1099{
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1100 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1101 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Glenn Strauss83158112022-04-13 14:59:34 -0400[diff] [blame]1102 uint16_t dtls_legacy_version;
Jerry Yue01304f2022-04-07 10:51:55 +0800[diff] [blame]1103
1104#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
1105 uint8_t cookie_len;
1106#else
1107 uint16_t cookie_len;
1108#endif
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1109
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1110 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1111
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1112 /* Check that there is enough room for:
1113 * - 2 bytes of version
1114 * - 1 byte of cookie_len
1115 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1116 if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
1117 MBEDTLS_SSL_DEBUG_MSG(1,
1118 ("incoming HelloVerifyRequest message is too short"));
1119 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1120 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1121 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1122 }
1123
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1124 /*
1125 * struct {
1126 * ProtocolVersion server_version;
1127 * opaque cookie<0..2^8-1>;
1128 * } HelloVerifyRequest;
1129 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1130 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
1131 dtls_legacy_version = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1132 p += 2;
1133
TRodziewicz2d8800e2021-05-13 19:14:19 +0200[diff] [blame]1134 /*
Glenn Strauss83158112022-04-13 14:59:34 -0400[diff] [blame]1135 * Since the RFC is not clear on this point, accept DTLS 1.0 (0xfeff)
1136 * The DTLS 1.3 (current draft) renames ProtocolVersion server_version to
1137 * legacy_version and locks the value of legacy_version to 0xfefd (DTLS 1.2)
TRodziewicz2d8800e2021-05-13 19:14:19 +0200[diff] [blame]1138 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1139 if (dtls_legacy_version != 0xfefd && dtls_legacy_version != 0xfeff) {
1140 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1141
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1142 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1143 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1145 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1146 }
1147
1148 cookie_len = *p++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1149 if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
1150 MBEDTLS_SSL_DEBUG_MSG(1,
1151 ("cookie length does not match incoming message size"));
1152 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1153 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1154 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1155 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1156 MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len);
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1157
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1158 mbedtls_free(ssl->handshake->cookie);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1159
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1160 ssl->handshake->cookie = mbedtls_calloc(1, cookie_len);
1161 if (ssl->handshake->cookie == NULL) {
1162 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len));
1163 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1164 }
1165
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1166 memcpy(ssl->handshake->cookie, p, cookie_len);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1167 ssl->handshake->cookie_len = cookie_len;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1168
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1169 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1170 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1171 ret = mbedtls_ssl_reset_checksum(ssl);
1172 if (0 != ret) {
1173 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
1174 return ret;
1175 }
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1176
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1177 mbedtls_ssl_recv_flight_completed(ssl);
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1178
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1179 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1180
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1181 return 0;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1182}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1183#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1184
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1185MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1186static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1187{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1188 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1189 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1190 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1191 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1192 unsigned char comp;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1193#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1194 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1195#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1196 int handshake_failure = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1197 const mbedtls_ssl_ciphersuite_t *suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1198
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1199 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1200
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1201 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1202 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1203 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
1204 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1205 }
1206
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]1207 buf = ssl->in_msg;
1208
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1209 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1210#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1211 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1212 ssl->renego_records_seen++;
1213
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1214 if (ssl->conf->renego_max_records >= 0 &&
1215 ssl->renego_records_seen > ssl->conf->renego_max_records) {
1216 MBEDTLS_SSL_DEBUG_MSG(1,
1217 ("renegotiation requested, but not honored by server"));
1218 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1219 }
1220
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1221 MBEDTLS_SSL_DEBUG_MSG(1,
1222 ("non-handshake message during renegotiation"));
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]1223
1224 ssl->keep_current_message = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1225 return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO;
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1226 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1227#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1228
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1229 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1230 mbedtls_ssl_send_alert_message(
1231 ssl,
1232 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1233 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
1234 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1235 }
1236
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1237#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1238 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1239 if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
1240 MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request"));
1241 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
1242 return ssl_parse_hello_verify_request(ssl);
1243 } else {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1244 /* We made it through the verification process */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1245 mbedtls_free(ssl->handshake->cookie);
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]1246 ssl->handshake->cookie = NULL;
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1247 ssl->handshake->cookie_len = 0;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1248 }
1249 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1250#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1251
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1252 if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
1253 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) {
1254 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1255 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1256 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1257 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1258 }
1259
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1260 /*
1261 * 0 . 1 server_version
1262 * 2 . 33 random (maybe including 4 bytes of Unix time)
1263 * 34 . 34 session_id length = n
1264 * 35 . 34+n session_id
1265 * 35+n . 36+n cipher_suite
1266 * 37+n . 37+n compression_method
1267 *
1268 * 38+n . 39+n extensions length (optional)
1269 * 40+n . .. extensions
1270 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1271 buf += mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1272
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1273 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf, 2);
1274 ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1275 ssl->session_negotiate->tls_version = ssl->tls_version;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1276
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1277 if (ssl->tls_version < ssl->conf->min_tls_version ||
1278 ssl->tls_version > ssl->conf->max_tls_version) {
1279 MBEDTLS_SSL_DEBUG_MSG(1,
1280 (
1281 "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]",
1282 (unsigned) ssl->conf->min_tls_version,
1283 (unsigned) ssl->tls_version,
1284 (unsigned) ssl->conf->max_tls_version));
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1285
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1286 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1287 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1288
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1289 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1290 }
1291
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1292 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu",
1293 ((unsigned long) buf[2] << 24) |
1294 ((unsigned long) buf[3] << 16) |
1295 ((unsigned long) buf[4] << 8) |
1296 ((unsigned long) buf[5])));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1297
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1298 memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1299
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1300 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1301
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1302 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1304 if (n > 32) {
1305 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1306 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1307 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1308 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1309 }
1310
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1311 if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
1312 ext_len = ((buf[38 + n] << 8)
1313 | (buf[39 + n]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1314
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1315 if ((ext_len > 0 && ext_len < 4) ||
1316 ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
1317 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1318 mbedtls_ssl_send_alert_message(
1319 ssl,
1320 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1321 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1322 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1323 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1324 } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1325 ext_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1326 } else {
1327 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1328 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1329 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1330 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1331 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1332
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1333 /* ciphersuite (used later) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1334 i = (buf[35 + n] << 8) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1335
1336 /*
1337 * Read and check compression
1338 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1339 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1341 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1342 MBEDTLS_SSL_DEBUG_MSG(1,
1343 ("server hello, bad compression: %d", comp));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1344 mbedtls_ssl_send_alert_message(
1345 ssl,
1346 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1347 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1348 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1349 }
1350
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1351 /*
1352 * Initialize update checksum functions
1353 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1354 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
1355 if (ssl->handshake->ciphersuite_info == NULL) {
1356 MBEDTLS_SSL_DEBUG_MSG(1,
1357 ("ciphersuite info for %04x not found", (unsigned int) i));
1358 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1359 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1360 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1361 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1362
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1363 mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]1364
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1365 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
1366 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1367
1368 /*
1369 * Check if the session can be resumed
1370 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1371 if (ssl->handshake->resume == 0 || n == 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1372#if defined(MBEDTLS_SSL_RENEGOTIATION)
1373 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1374#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1375 ssl->session_negotiate->ciphersuite != i ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1376 ssl->session_negotiate->id_len != n ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1377 memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1378 ssl->state++;
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1379 ssl->handshake->resume = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1380#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1381 ssl->session_negotiate->start = mbedtls_time(NULL);
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1382#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1383 ssl->session_negotiate->ciphersuite = i;
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1384 ssl->session_negotiate->id_len = n;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1385 memcpy(ssl->session_negotiate->id, buf + 35, n);
1386 } else {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1387 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1388 }
1389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1390 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
1391 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1392
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1393 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i));
1394 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d",
1395 buf[37 + n]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1396
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]1397 /*
1398 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1399 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1400 i = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1401 while (1) {
1402 if (ssl->conf->ciphersuite_list[i] == 0) {
1403 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1404 mbedtls_ssl_send_alert_message(
1405 ssl,
1406 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1407 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1408 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1409 }
1410
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1411 if (ssl->conf->ciphersuite_list[i++] ==
1412 ssl->session_negotiate->ciphersuite) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1413 break;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1414 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1415 }
1416
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1417 suite_info = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1418 ssl->session_negotiate->ciphersuite);
1419 if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version,
1420 ssl->tls_version) != 0) {
1421 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1422 mbedtls_ssl_send_alert_message(
1423 ssl,
1424 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1425 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1426 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1427 }
1428
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1429 MBEDTLS_SSL_DEBUG_MSG(3,
1430 ("server hello, chosen ciphersuite: %s", suite_info->name));
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1431
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1432#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1433 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
1434 ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1435 ssl->handshake->ecrs_enabled = 1;
1436 }
1437#endif
1438
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1439 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1440 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1441 mbedtls_ssl_send_alert_message(
1442 ssl,
1443 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1444 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1445 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1446 }
1447
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1448 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1449
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1450 MBEDTLS_SSL_DEBUG_MSG(2,
1451 ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
1452 ext_len));
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1453
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1454 while (ext_len) {
1455 unsigned int ext_id = ((ext[0] << 8)
1456 | (ext[1]));
1457 unsigned int ext_size = ((ext[2] << 8)
1458 | (ext[3]));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1460 if (ext_size + 4 > ext_len) {
1461 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1462 mbedtls_ssl_send_alert_message(
1463 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1464 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1465 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1466 }
1467
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1468 switch (ext_id) {
1469 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1470 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1471#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1472 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1473#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1474
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1475 if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
1476 ext_size)) != 0) {
1477 return ret;
1478 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1479
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1480 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1481
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1482#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1483 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1484 MBEDTLS_SSL_DEBUG_MSG(3,
1485 ("found max_fragment_length extension"));
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1487 if ((ret = ssl_parse_max_fragment_length_ext(ssl,
1488 ext + 4, ext_size)) != 0) {
1489 return ret;
1490 }
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1491
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1492 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1493#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1494
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1495#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1496 case MBEDTLS_TLS_EXT_CID:
1497 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1498
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1499 if ((ret = ssl_parse_cid_ext(ssl,
1500 ext + 4,
1501 ext_size)) != 0) {
1502 return ret;
1503 }
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1504
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1505 break;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1506#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1507
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1508#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1509 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1510 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1511
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1512 if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
1513 ext + 4, ext_size)) != 0) {
1514 return ret;
1515 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1516
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1517 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1518#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1520#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1521 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1522 MBEDTLS_SSL_DEBUG_MSG(3,
1523 ("found extended_master_secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1524
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1525 if ((ret = ssl_parse_extended_ms_ext(ssl,
1526 ext + 4, ext_size)) != 0) {
1527 return ret;
1528 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1529
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1530 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1531#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1532
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1533#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1534 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1535 MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension"));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1536
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1537 if ((ret = ssl_parse_session_ticket_ext(ssl,
1538 ext + 4, ext_size)) != 0) {
1539 return ret;
1540 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1541
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1542 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1543#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1544
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1545#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1546 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1547 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1548 MBEDTLS_SSL_DEBUG_MSG(3,
1549 ("found supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1550
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1551 if ((ret = ssl_parse_supported_point_formats_ext(ssl,
1552 ext + 4, ext_size)) != 0) {
1553 return ret;
1554 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1555
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1556 break;
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1557#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1558 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1559
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1560#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1561 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1562 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension"));
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1563
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1564 if ((ret = ssl_parse_ecjpake_kkpp(ssl,
1565 ext + 4, ext_size)) != 0) {
1566 return ret;
1567 }
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1568
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1569 break;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1570#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1571
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1572#if defined(MBEDTLS_SSL_ALPN)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1573 case MBEDTLS_TLS_EXT_ALPN:
1574 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1575
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1576 if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) {
1577 return ret;
1578 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1580 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1581#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1582
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1583#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1584 case MBEDTLS_TLS_EXT_USE_SRTP:
1585 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1586
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1587 if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) {
1588 return ret;
1589 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1590
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1591 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1592#endif /* MBEDTLS_SSL_DTLS_SRTP */
1593
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1594 default:
1595 MBEDTLS_SSL_DEBUG_MSG(3,
1596 ("unknown extension found: %u (ignoring)", ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1597 }
1598
1599 ext_len -= 4 + ext_size;
1600 ext += 4 + ext_size;
1601
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1602 if (ext_len > 0 && ext_len < 4) {
1603 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1604 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1605 }
1606 }
1607
1608 /*
Andrzej Kurek21b50802022-07-06 03:26:55 -0400[diff] [blame]1609 * mbedtls_ssl_derive_keys() has to be called after the parsing of the
1610 * extensions. It sets the transform data for the resumed session which in
1611 * case of DTLS includes the server CID extracted from the CID extension.
1612 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1613 if (ssl->handshake->resume) {
1614 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
1615 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
Andrzej Kurek7cf87252022-06-14 07:12:33 -0400[diff] [blame]1616 mbedtls_ssl_send_alert_message(
1617 ssl,
1618 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1619 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1620 return ret;
Andrzej Kurek7cf87252022-06-14 07:12:33 -0400[diff] [blame]1621 }
1622 }
1623
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1624 /*
1625 * Renegotiation security checks
1626 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1627 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1628 ssl->conf->allow_legacy_renegotiation ==
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1629 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1630 MBEDTLS_SSL_DEBUG_MSG(1,
1631 ("legacy renegotiation, breaking off handshake"));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1632 handshake_failure = 1;
1633 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1634#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1635 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1636 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1637 renegotiation_info_seen == 0) {
1638 MBEDTLS_SSL_DEBUG_MSG(1,
1639 ("renegotiation_info extension missing (secure)"));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1640 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1641 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1642 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1643 ssl->conf->allow_legacy_renegotiation ==
1644 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1645 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1646 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1647 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1648 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1649 renegotiation_info_seen == 1) {
1650 MBEDTLS_SSL_DEBUG_MSG(1,
1651 ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1652 handshake_failure = 1;
1653 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1654#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1655
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1656 if (handshake_failure == 1) {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1657 mbedtls_ssl_send_alert_message(
1658 ssl,
1659 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1660 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1661 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1662 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1663
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1664 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1665
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1666 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1667}
1668
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1669#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1670 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1671MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1672static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
1673 unsigned char **p,
1674 unsigned char *end)
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1675{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1676 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Gilles Peskinee8a2fc82020-12-08 22:46:11 +0100[diff] [blame]1677 size_t dhm_actual_bitlen;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1678
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1679 /*
1680 * Ephemeral DH parameters:
1681 *
1682 * struct {
1683 * opaque dh_p<1..2^16-1>;
1684 * opaque dh_g<1..2^16-1>;
1685 * opaque dh_Ys<1..2^16-1>;
1686 * } ServerDHParams;
1687 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1688 if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
1689 p, end)) != 0) {
1690 MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
1691 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1692 }
1693
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1694 dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx);
1695 if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
1696 MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
1697 dhm_actual_bitlen,
1698 ssl->conf->dhm_min_bitlen));
1699 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1700 }
1701
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1702 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
1703 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
1704 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1705
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1706 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1707}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1708#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1709 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1710
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]1711#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1712#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1713 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1714 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1715MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1716static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1717 unsigned char **p,
1718 unsigned char *end)
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1719{
1720 uint16_t tls_id;
1721 uint8_t ecpoint_len;
1722 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]1723 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]1724 size_t ec_bits = 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1725
1726 /*
Manuel Pégourié-Gonnarde5119892021-12-09 11:45:03 +0100[diff] [blame]1727 * struct {
1728 * ECParameters curve_params;
1729 * ECPoint public;
1730 * } ServerECDHParams;
1731 *
Manuel Pégourié-Gonnard422370d2022-02-07 11:55:21 +0100[diff] [blame]1732 * 1 curve_type (must be "named_curve")
Manuel Pégourié-Gonnarde5119892021-12-09 11:45:03 +0100[diff] [blame]1733 * 2..3 NamedCurve
1734 * 4 ECPoint.len
1735 * 5+ ECPoint contents
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1736 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1737 if (end - *p < 4) {
1738 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1739 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1740
1741 /* First byte is curve_type; only named_curve is handled */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1742 if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
1743 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1744 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1745
1746 /* Next two bytes are the namedcurve value */
1747 tls_id = *(*p)++;
1748 tls_id <<= 8;
1749 tls_id |= *(*p)++;
1750
Manuel Pégourié-Gonnard141be6c2022-01-25 11:46:19 +0100[diff] [blame]1751 /* Check it's a curve we offered */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1752 if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
1753 MBEDTLS_SSL_DEBUG_MSG(2,
1754 ("bad server key exchange message (ECDHE curve): %u",
1755 (unsigned) tls_id));
1756 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardff229cf2022-02-07 12:00:32 +0100[diff] [blame]1757 }
Manuel Pégourié-Gonnard141be6c2022-01-25 11:46:19 +0100[diff] [blame]1758
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]1759 /* Convert EC's TLS ID to PSA key type. */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]1760 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1761 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
1762 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1763 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1764 handshake->xxdh_psa_type = key_type;
1765 handshake->xxdh_bits = ec_bits;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1766
Manuel Pégourié-Gonnard4a0ac1f2022-01-18 12:30:40 +0100[diff] [blame]1767 /* Keep a copy of the peer's public key */
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1768 ecpoint_len = *(*p)++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1769 if ((size_t) (end - *p) < ecpoint_len) {
1770 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1771 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1772
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame^]1773 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
1774 the sizes of the FFDH keys which are at least 2048 bits.
1775 The size of the array is thus greater than 256 bytes which is greater than any
1776 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]1777#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1778 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1779 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1780 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame^]1781#else
1782 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX, "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]1783#endif
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1784
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1785 memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
1786 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1787 *p += ecpoint_len;
Manuel Pégourié-Gonnard4a0ac1f2022-01-18 12:30:40 +0100[diff] [blame]1788
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1789 return 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1790}
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1791#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1792 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1793 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]1794#else
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1795#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1796 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1797 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1798 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1799 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1800MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1801static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1802{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]1803 uint16_t tls_id;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1804 mbedtls_ecp_group_id grp_id;
1805#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
1806 grp_id = ssl->handshake->ecdh_ctx.grp.id;
1807#else
1808 grp_id = ssl->handshake->ecdh_ctx.grp_id;
1809#endif
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1810
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1811 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
1812 if (tls_id == 0) {
1813 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1814 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1815 }
1816
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1817 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
1818 mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1819
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1820 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
1821 return -1;
1822 }
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1823
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1824 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
1825 MBEDTLS_DEBUG_ECDH_QP);
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1826
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1827 return 0;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1828}
1829
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1830#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1831 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1832 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1833 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1834 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1835
1836#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1837 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1838 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1839MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1840static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1841 unsigned char **p,
1842 unsigned char *end)
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1843{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1844 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1845
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1846 /*
1847 * Ephemeral ECDH parameters:
1848 *
1849 * struct {
1850 * ECParameters curve_params;
1851 * ECPoint public;
1852 * } ServerECDHParams;
1853 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1854 if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
1855 (const unsigned char **) p, end)) != 0) {
1856 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1857#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1858 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +0200[diff] [blame]1859 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1860 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]1861#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1862 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1863 }
1864
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1865 if (ssl_check_server_ecdh_params(ssl) != 0) {
1866 MBEDTLS_SSL_DEBUG_MSG(1,
1867 ("bad server key exchange message (ECDHE curve)"));
1868 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1869 }
1870
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1871 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1872}
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1873#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
1874 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1875 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1876#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1877#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1878MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1879static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
1880 unsigned char **p,
1881 unsigned char *end)
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1882{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1883 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]1884 uint16_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]1885 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1886
1887 /*
1888 * PSK parameters:
1889 *
1890 * opaque psk_identity_hint<0..2^16-1>;
1891 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1892 if (end - (*p) < 2) {
1893 MBEDTLS_SSL_DEBUG_MSG(1,
1894 ("bad server key exchange message (psk_identity_hint length)"));
1895 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]1896 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]1897 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1898 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1899
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1900 if (end - (*p) < len) {
1901 MBEDTLS_SSL_DEBUG_MSG(1,
1902 ("bad server key exchange message (psk_identity_hint length)"));
1903 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1904 }
1905
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]1906 /*
Tom Cosgroveed4f59e2022-12-05 12:07:50 +0000[diff] [blame]1907 * Note: we currently ignore the PSK identity hint, as we only allow one
Tom Cosgrove1797b052022-12-04 17:19:59 +0000[diff] [blame]1908 * PSK to be provisioned on the client. This could be changed later if
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]1909 * someone needs that feature.
1910 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1911 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1912 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1913
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1914 return ret;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1915}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1916#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1917
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1918#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
1919 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1920/*
1921 * Generate a pre-master secret and encrypt it with the server's RSA key
1922 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1923MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1924static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
1925 size_t offset, size_t *olen,
1926 size_t pms_offset)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1927{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1928 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1929 size_t len_bytes = 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1930 unsigned char *p = ssl->handshake->premaster + pms_offset;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1931 mbedtls_pk_context *peer_pk;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1932
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1933 if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
1934 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
1935 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]1936 }
1937
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1938 /*
1939 * Generate (part of) the pre-master as
1940 * struct {
1941 * ProtocolVersion client_version;
1942 * opaque random[46];
1943 * } PreMasterSecret;
1944 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1945 mbedtls_ssl_write_version(p, ssl->conf->transport,
1946 MBEDTLS_SSL_VERSION_TLS1_2);
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1947
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1948 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
1949 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
1950 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1951 }
1952
1953 ssl->handshake->pmslen = 48;
1954
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]1955#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1956 peer_pk = &ssl->handshake->peer_pubkey;
1957#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1958 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]1959 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1960 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1961 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]1962 }
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]1963 peer_pk = &ssl->session_negotiate->peer_cert->pk;
1964#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]1965
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1966 /*
1967 * Now write it out, encrypted
1968 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1969 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
1970 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
1971 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1972 }
1973
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1974 if ((ret = mbedtls_pk_encrypt(peer_pk,
1975 p, ssl->handshake->pmslen,
1976 ssl->out_msg + offset + len_bytes, olen,
1977 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
1978 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
1979 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
1980 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1981 }
1982
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1983 if (len_bytes == 2) {
1984 MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1985 *olen += 2;
1986 }
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1987
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]1988#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1989 /* We don't need the peer's public key anymore. Free it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1990 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]1991#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1992 return 0;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1993}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1994#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
1995 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1996
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1997#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1998 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1999MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2000static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2001{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2002 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2003 mbedtls_pk_context *peer_pk;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2004
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2005#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2006 peer_pk = &ssl->handshake->peer_pubkey;
2007#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2008 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]2009 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2010 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2011 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2012 }
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2013 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2014#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2015
Manuel Pégourié-Gonnard66b0d612022-06-17 10:49:29 +0200[diff] [blame]2016 /* This is a public key, so it can't be opaque, so can_do() is a good
2017 * enough check to ensure pk_ec() is safe to use below. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2018 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) {
2019 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2020 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2021 }
2022
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2023#if defined(MBEDTLS_ECP_C)
2024 const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
2025#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2026
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2027#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2028 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2029 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2030 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(peer_pk);
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2031
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2032 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2033 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2034 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2035 }
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2036
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2037 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2038 if (tls_id == 0) {
2039 MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported",
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2040 grp_id));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2041 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2042 }
2043
Valerio Setti1e868cc2023-01-09 17:30:01 +0100[diff] [blame]2044 /* If the above conversion to TLS ID was fine, then also this one will be,
2045 so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2046 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2047 &ssl->handshake->xxdh_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2048
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2049 ssl->handshake->xxdh_psa_type = key_type;
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2050
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2051 /* Store peer's public key in psa format. */
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2052#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2053 memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
2054 ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len;
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2055 ret = 0;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2056#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2057 size_t olen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2058 ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
2059 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2060 ssl->handshake->xxdh_psa_peerkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2061 MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH);
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2062
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2063 if (ret != 0) {
2064 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
2065 return ret;
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2066 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2067 ssl->handshake->xxdh_psa_peerkey_len = olen;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2068#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2069#else /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2070 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
2071 MBEDTLS_ECDH_THEIRS)) != 0) {
2072 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2073 return ret;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2074 }
2075
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2076 if (ssl_check_server_ecdh_params(ssl) != 0) {
2077 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2078 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2079 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2080#endif /* MBEDTLS_USE_PSA_CRYPTO */
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2081#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2082 /* We don't need the peer's public key anymore. Free it,
2083 * so that more RAM is available for upcoming expensive
2084 * operations like ECDHE. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2085 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2086#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2087
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2088 return ret;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2089}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2090#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2091 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2092
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2093MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2094static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2095{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2096 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2097 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2098 ssl->handshake->ciphersuite_info;
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +0100[diff] [blame]2099 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2100
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2101 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2103#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2104 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
2105 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2106 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2107 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2108 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2109 ((void) p);
2110 ((void) end);
2111#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2112
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2113#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2114 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2115 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2116 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
2117 if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
2118 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2119 mbedtls_ssl_send_alert_message(
2120 ssl,
2121 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2122 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2123 return ret;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2124 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2125
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2126 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2127 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2128 return 0;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2129 }
2130 ((void) p);
2131 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2132#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2133 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2134
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2135#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2136 if (ssl->handshake->ecrs_enabled &&
2137 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2138 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2139 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2140#endif
2141
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2142 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2143 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2144 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2145 }
2146
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2147 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2148 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2149 mbedtls_ssl_send_alert_message(
2150 ssl,
2151 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2152 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2153 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2154 }
2155
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2156 /*
2157 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2158 * doesn't use a psk_identity_hint
2159 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2160 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
2161 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2162 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2163 /* Current message is probably either
2164 * CertificateRequest or ServerHelloDone */
2165 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2166 goto exit;
2167 }
2168
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2169 MBEDTLS_SSL_DEBUG_MSG(1,
2170 ("server key exchange message must not be skipped"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2171 mbedtls_ssl_send_alert_message(
2172 ssl,
2173 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2174 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2175
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2176 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2177 }
2178
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2179#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2180 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2181 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2182 }
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2183
2184start_processing:
2185#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2186 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2187 end = ssl->in_msg + ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2188 MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p);
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2189
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2190#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2191 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2192 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2193 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2194 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
2195 if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
2196 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2197 mbedtls_ssl_send_alert_message(
2198 ssl,
2199 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2200 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2201 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2202 }
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]2203 } /* FALLTHROUGH */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2204#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2205
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2206#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2207 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2208 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2209 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2210 ; /* nothing more to do */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2211 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2212#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2213 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2214#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2215 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2216 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2217 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
2218 if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
2219 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2220 mbedtls_ssl_send_alert_message(
2221 ssl,
2222 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2223 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2224 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2225 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2226 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2227#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2228 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2229#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2230 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2231 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2232 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2233 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2234 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
2235 if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
2236 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2237 mbedtls_ssl_send_alert_message(
2238 ssl,
2239 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2240 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2241 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2242 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2243 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2244#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2245 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2246 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2247#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2248 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2249#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2250 /*
2251 * The first 3 bytes are:
2252 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2253 * [1, 2] elliptic curve's TLS ID
2254 *
2255 * However since we only support secp256r1 for now, we check only
2256 * that TLS ID here
2257 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2258 uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2259 uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2260 MBEDTLS_ECP_DP_SECP256R1);
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2261
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2262 if (exp_tls_id == 0) {
2263 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2264 }
2265
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2266 if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) ||
2267 (read_tls_id != exp_tls_id)) {
2268 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Valerio Setti5151bdf2022-11-21 14:30:02 +0100[diff] [blame]2269 }
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2270
2271 p += 3;
2272
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2273 if ((ret = mbedtls_psa_ecjpake_read_round(
2274 &ssl->handshake->psa_pake_ctx, p, end - p,
2275 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
2276 psa_destroy_key(ssl->handshake->psa_pake_password);
2277 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2278
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2279 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2280 mbedtls_ssl_send_alert_message(
2281 ssl,
2282 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2283 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2284 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2285 }
2286#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2287 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
2288 p, end - p);
2289 if (ret != 0) {
2290 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2291 mbedtls_ssl_send_alert_message(
2292 ssl,
2293 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2294 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2295 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2296 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2297#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2298 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2299#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2300 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2301 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2302 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2303 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2304
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2305#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2306 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2307 size_t sig_len, hashlen;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]2308 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel40afdd22022-09-06 13:08:28 +0200[diff] [blame]2309
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2310 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2311 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2312 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2313 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2314 void *rs_ctx = NULL;
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2315 uint16_t sig_alg;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2316
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2317 mbedtls_pk_context *peer_pk;
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]2318
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2319#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2320 peer_pk = &ssl->handshake->peer_pubkey;
2321#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2322 if (ssl->session_negotiate->peer_cert == NULL) {
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2323 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2324 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2325 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2326 }
2327 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2328#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2329
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2330 /*
2331 * Handle the digitally-signed structure
2332 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2333 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2334 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
2335 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2336 sig_alg, &pk_alg, &md_alg) != 0 &&
2337 !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) &&
2338 !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
2339 MBEDTLS_SSL_DEBUG_MSG(1,
2340 ("bad server key exchange message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2341 mbedtls_ssl_send_alert_message(
2342 ssl,
2343 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2344 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2345 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2346 }
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2347 p += 2;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2348
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2349 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2350 MBEDTLS_SSL_DEBUG_MSG(1,
2351 ("bad server key exchange message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2352 mbedtls_ssl_send_alert_message(
2353 ssl,
2354 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2355 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2356 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2357 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2358
2359 /*
2360 * Read signature
2361 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2362
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2363 if (p > end - 2) {
2364 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2365 mbedtls_ssl_send_alert_message(
2366 ssl,
2367 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2368 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2369 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2370 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2371 sig_len = (p[0] << 8) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2372 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2373
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2374 if (p != end - sig_len) {
2375 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2376 mbedtls_ssl_send_alert_message(
2377 ssl,
2378 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2379 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2380 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2381 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2382
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2383 MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len);
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2384
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2385 /*
2386 * Compute the hash that has been signed
2387 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2388 if (md_alg != MBEDTLS_MD_NONE) {
2389 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
2390 params, params_len,
2391 md_alg);
2392 if (ret != 0) {
2393 return ret;
2394 }
2395 } else {
2396 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2397 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2398 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2399
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2400 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2401
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2402 /*
2403 * Verify signature
2404 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2405 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2406 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2407 mbedtls_ssl_send_alert_message(
2408 ssl,
2409 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2410 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2411 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2412 }
2413
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2414#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2415 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]2416 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2417 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2418#endif
2419
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2420#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2421 if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2422 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
2423 rsassa_pss_options.mgf1_hash_id = md_alg;
Andrzej Kurek0ce59212022-08-17 07:54:34 -0400[diff] [blame]2424 rsassa_pss_options.expected_salt_len =
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +0200[diff] [blame]2425 mbedtls_md_get_size_from_type(md_alg);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2426 if (rsassa_pss_options.expected_salt_len == 0) {
2427 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2428 }
Andrzej Kurek0ce59212022-08-17 07:54:34 -0400[diff] [blame]2429
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2430 ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options,
2431 peer_pk,
2432 md_alg, hash, hashlen,
2433 p, sig_len);
2434 } else
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2435#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2436 ret = mbedtls_pk_verify_restartable(peer_pk,
2437 md_alg, hash, hashlen, p, sig_len, rs_ctx);
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2438
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2439 if (ret != 0) {
David Horstmannb21bbef2022-10-06 17:49:31 +0100[diff] [blame]2440 int send_alert_msg = 1;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2441#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2442 send_alert_msg = (ret != MBEDTLS_ERR_ECP_IN_PROGRESS);
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2443#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2444 if (send_alert_msg) {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2445 mbedtls_ssl_send_alert_message(
2446 ssl,
2447 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2448 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
2449 }
2450 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2451#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2452 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2453 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2454 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2455#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2456 return ret;
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2457 }
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2458
2459#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2460 /* We don't need the peer's public key anymore. Free it,
2461 * so that more RAM is available for upcoming expensive
2462 * operations like ECDHE. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2463 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2464#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2465 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2466#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2467
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2468exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2469 ssl->state++;
2470
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2471 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2472
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2473 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2474}
2475
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2476#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2477MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2478static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2479{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2480 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2481 ssl->handshake->ciphersuite_info;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2482
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2483 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2484
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2485 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2486 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2487 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2488 return 0;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2489 }
2490
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2491 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2492 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2493}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2494#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2495MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2496static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2497{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2498 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2499 unsigned char *buf;
2500 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2501 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2502 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2503 ssl->handshake->ciphersuite_info;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2504 size_t sig_alg_len;
2505#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2506 unsigned char *sig_alg;
2507 unsigned char *dn;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2508#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2509
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2510 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2511
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2512 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2513 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2514 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2515 return 0;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2516 }
2517
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2518 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2519 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2520 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2521 }
2522
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2523 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2524 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2525 mbedtls_ssl_send_alert_message(
2526 ssl,
2527 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2528 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2529 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2530 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2531
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2532 ssl->state++;
Jerry Yufb28b882022-01-28 11:05:58 +0800[diff] [blame]2533 ssl->handshake->client_auth =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2534 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2535
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2536 MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request",
2537 ssl->handshake->client_auth ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2538
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2539 if (ssl->handshake->client_auth == 0) {
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]2540 /* Current message is probably the ServerHelloDone */
2541 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2542 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2543 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2544
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]2545 /*
2546 * struct {
2547 * ClientCertificateType certificate_types<1..2^8-1>;
2548 * SignatureAndHashAlgorithm
2549 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2550 * DistinguishedName certificate_authorities<0..2^16-1>;
2551 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2552 *
2553 * Since we only support a single certificate on clients, let's just
2554 * ignore all the information that's supposed to help us pick a
2555 * certificate.
2556 *
2557 * We could check that our certificate matches the request, and bail out
2558 * if it doesn't, but it's simpler to just send the certificate anyway,
2559 * and give the server the opportunity to decide if it should terminate
2560 * the connection when it doesn't like our certificate.
2561 *
2562 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
2563 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +0000[diff] [blame]2564 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2565 *
2566 * However, we still minimally parse the message to check it is at least
2567 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]2568 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2569 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2570
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2571 /* certificate_types */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2572 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
2573 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2574 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2575 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2576 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]2577 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2578 cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2579 n = cert_type_len;
2580
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]2581 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]2582 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]2583 * * the length of the signature algorithms field (if minor version of
2584 * SSL is 3),
2585 * * distinguished name length otherwise.
2586 * Both reach at most the index:
2587 * ...hdr_len + 2 + n,
2588 * therefore the buffer length at this point must be greater than that
2589 * regardless of the actual code path.
2590 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2591 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
2592 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2593 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2594 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2595 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2596 }
2597
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2598 /* supported_signature_algorithms */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2599 sig_alg_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
2600 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2601
2602 /*
2603 * The furthest access in buf is in the loop few lines below:
2604 * sig_alg[i + 1],
2605 * where:
2606 * sig_alg = buf + ...hdr_len + 3 + n,
2607 * max(i) = sig_alg_len - 1.
2608 * Therefore the furthest access is:
2609 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
2610 * which reduces to:
2611 * buf[...hdr_len + 3 + n + sig_alg_len],
2612 * which is one less than we need the buf to be.
2613 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2614 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) {
2615 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2616 mbedtls_ssl_send_alert_message(
2617 ssl,
2618 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2619 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2620 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2621 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2622
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2623#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2624 sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
2625 for (size_t i = 0; i < sig_alg_len; i += 2) {
2626 MBEDTLS_SSL_DEBUG_MSG(3,
2627 ("Supported Signature Algorithm found: %02x %02x",
2628 sig_alg[i], sig_alg[i + 1]));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2629 }
2630#endif
2631
2632 n += 2 + sig_alg_len;
2633
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2634 /* certificate_authorities */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2635 dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
2636 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2637
2638 n += dn_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2639 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
2640 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2641 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2642 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2643 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2644 }
2645
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2646#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2647 dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len;
2648 for (size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len) {
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2649 unsigned char *p = dn + i + 2;
2650 mbedtls_x509_name name;
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2651 size_t asn1_len;
2652 char s[MBEDTLS_X509_MAX_DN_NAME_SIZE];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2653 memset(&name, 0, sizeof(name));
2654 dni_len = MBEDTLS_GET_UINT16_BE(dn + i, 0);
2655 if (dni_len > dn_len - i - 2 ||
2656 mbedtls_asn1_get_tag(&p, p + dni_len, &asn1_len,
2657 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) != 0 ||
2658 mbedtls_x509_get_name(&p, p + asn1_len, &name) != 0) {
2659 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2660 mbedtls_ssl_send_alert_message(
2661 ssl,
2662 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2663 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2664 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2665 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2666 MBEDTLS_SSL_DEBUG_MSG(3,
2667 ("DN hint: %.*s",
2668 mbedtls_x509_dn_gets(s, sizeof(s), &name), s));
2669 mbedtls_asn1_free_named_data_list_shallow(name.next);
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2670 }
2671#endif
2672
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2673exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2674 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2675
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2676 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2677}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2678#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2679
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2680MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2681static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2682{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2683 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2684
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2685 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2686
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2687 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2688 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2689 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2690 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2691
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2692 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2693 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2694 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2695 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2696
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2697 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) ||
2698 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
2699 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2700 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2701 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2702 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2703 }
2704
2705 ssl->state++;
2706
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2707#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2708 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2709 mbedtls_ssl_recv_flight_completed(ssl);
2710 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2711#endif
2712
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2713 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2714
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2715 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2716}
2717
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2718MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2719static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2720{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2721 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2722
2723 size_t header_len;
2724 size_t content_len;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2725 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2726 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2727
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2728 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2729
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2730#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2731 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2732 /*
2733 * DHM key exchange -- send G^X mod P
2734 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2735 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2736
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2737 MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2738 header_len = 6;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2739
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2740 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
2741 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2742 &ssl->out_msg[header_len], content_len,
2743 ssl->conf->f_rng, ssl->conf->p_rng);
2744 if (ret != 0) {
2745 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
2746 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2747 }
2748
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2749 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2750 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2751
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2752 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
2753 ssl->handshake->premaster,
2754 MBEDTLS_PREMASTER_SIZE,
2755 &ssl->handshake->pmslen,
2756 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2757 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
2758 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2759 }
2760
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2761 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
2762 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2763#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2764#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2765 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2766 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2767 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2768 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Przemek Stekield905d332022-03-16 09:50:56 +0100[diff] [blame]2769 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2770 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2771 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Neil Armstrong11d49452022-04-13 15:03:43 +0200[diff] [blame]2772#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2773 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2774 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]2775 psa_key_attributes_t key_attributes;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2776
2777 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2778
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2779 header_len = 4;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2780
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2781 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Hanno Becker0a94a642019-01-11 14:35:30 +0000[diff] [blame]2782
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2783 /*
2784 * Generate EC private key for ECDHE exchange.
2785 */
2786
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2787 /* The master secret is obtained from the shared ECDH secret by
2788 * applying the TLS 1.2 PRF with a specific salt and label. While
2789 * the PSA Crypto API encourages combining key agreement schemes
2790 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2791 * yet support the provisioning of salt + label to the KDF.
2792 * For the time being, we therefore need to split the computation
2793 * of the ECDH secret and the application of the TLS 1.2 PRF. */
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]2794 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2795 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2796 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2797 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
2798 psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2799
2800 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2801 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2802 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2803 if (status != PSA_SUCCESS) {
2804 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2805 }
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2806
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2807 /* Export the public part of the ECDH private key from PSA.
Manuel Pégourié-Gonnard5d6053f2022-02-08 10:26:19 +0100[diff] [blame]2808 * The export format is an ECPoint structure as expected by TLS,
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2809 * but we just need to add a length byte before that. */
2810 unsigned char *own_pubkey = ssl->out_msg + header_len + 1;
2811 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2812 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2813 size_t own_pubkey_len;
2814
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2815 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2816 own_pubkey, own_pubkey_max_len,
2817 &own_pubkey_len);
2818 if (status != PSA_SUCCESS) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2819 psa_destroy_key(handshake->xxdh_psa_privkey);
2820 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2821 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2822 }
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2823
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2824 ssl->out_msg[header_len] = (unsigned char) own_pubkey_len;
2825 content_len = own_pubkey_len + 1;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2826
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2827 /* The ECDH secret is the premaster secret used for key derivation. */
2828
Janos Follathdf3b0892019-08-08 11:12:24 +0100[diff] [blame]2829 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2830 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2831 handshake->xxdh_psa_privkey,
2832 handshake->xxdh_psa_peerkey,
2833 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2834 ssl->handshake->premaster,
2835 sizeof(ssl->handshake->premaster),
2836 &ssl->handshake->pmslen);
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2837
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2838 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
2839 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2840
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2841 if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
2842 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2843 }
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2844#else
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2845 /*
2846 * ECDH key exchange -- send client public value
2847 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2848 header_len = 4;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2849
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2850#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2851 if (ssl->handshake->ecrs_enabled) {
2852 if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2853 goto ecdh_calc_secret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2854 }
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]2855
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2856 mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2857 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2858#endif
2859
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2860 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
2861 &content_len,
2862 &ssl->out_msg[header_len], 1000,
2863 ssl->conf->f_rng, ssl->conf->p_rng);
2864 if (ret != 0) {
2865 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2866#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2867 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2868 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2869 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2870#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2871 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2872 }
2873
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2874 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2875 MBEDTLS_DEBUG_ECDH_Q);
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2876
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2877#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2878 if (ssl->handshake->ecrs_enabled) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2879 ssl->handshake->ecrs_n = content_len;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]2880 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2881 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2882
2883ecdh_calc_secret:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2884 if (ssl->handshake->ecrs_enabled) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2885 content_len = ssl->handshake->ecrs_n;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2886 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2887#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2888 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
2889 &ssl->handshake->pmslen,
2890 ssl->handshake->premaster,
2891 MBEDTLS_MPI_MAX_SIZE,
2892 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2893 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2894#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2895 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2896 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2897 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2898#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2899 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2900 }
2901
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2902 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2903 MBEDTLS_DEBUG_ECDH_Z);
Neil Armstrong11d49452022-04-13 15:03:43 +0200[diff] [blame]2904#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2905 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2906#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2907 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2908 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2909 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2910#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2911 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2912 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2913 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2914 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
2915 psa_key_attributes_t key_attributes;
2916
2917 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2918
2919 /*
2920 * opaque psk_identity<0..2^16-1>;
2921 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2922 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2923 /* We don't offer PSK suites if we don't have a PSK,
2924 * and we check that the server's choice is among the
2925 * ciphersuites we offered, so this should never happen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2926 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2927 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2928
Neil Armstrongfc834f22022-03-23 17:54:38 +0100[diff] [blame]2929 /* uint16 to store content length */
2930 const size_t content_len_size = 2;
2931
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2932 header_len = 4;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2933
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2934 if (header_len + content_len_size + ssl->conf->psk_identity_len
2935 > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2936 MBEDTLS_SSL_DEBUG_MSG(1,
2937 ("psk identity too long or SSL buffer too short"));
2938 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2939 }
2940
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2941 unsigned char *p = ssl->out_msg + header_len;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2942
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2943 *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len);
2944 *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2945 header_len += content_len_size;
2946
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2947 memcpy(p, ssl->conf->psk_identity,
2948 ssl->conf->psk_identity_len);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2949 p += ssl->conf->psk_identity_len;
2950
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2951 header_len += ssl->conf->psk_identity_len;
2952
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2953 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2954
2955 /*
2956 * Generate EC private key for ECDHE exchange.
2957 */
2958
2959 /* The master secret is obtained from the shared ECDH secret by
2960 * applying the TLS 1.2 PRF with a specific salt and label. While
2961 * the PSA Crypto API encourages combining key agreement schemes
2962 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2963 * yet support the provisioning of salt + label to the KDF.
2964 * For the time being, we therefore need to split the computation
2965 * of the ECDH secret and the application of the TLS 1.2 PRF. */
2966 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2967 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2968 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2969 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
2970 psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2971
2972 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2973 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2974 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2975 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2976 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2977 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2978
2979 /* Export the public part of the ECDH private key from PSA.
2980 * The export format is an ECPoint structure as expected by TLS,
2981 * but we just need to add a length byte before that. */
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2982 unsigned char *own_pubkey = p + 1;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2983 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2984 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
Neil Armstrongbc5e8f92022-03-23 17:42:50 +0100[diff] [blame]2985 size_t own_pubkey_len = 0;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2986
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2987 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2988 own_pubkey, own_pubkey_max_len,
2989 &own_pubkey_len);
2990 if (status != PSA_SUCCESS) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2991 psa_destroy_key(handshake->xxdh_psa_privkey);
2992 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2993 return PSA_TO_MBEDTLS_ERR(status);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2994 }
2995
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2996 *p = (unsigned char) own_pubkey_len;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2997 content_len = own_pubkey_len + 1;
2998
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]2999 /* As RFC 5489 section 2, the premaster secret is formed as follows:
3000 * - a uint16 containing the length (in octets) of the ECDH computation
3001 * - the octet string produced by the ECDH computation
3002 * - a uint16 containing the length (in octets) of the PSK
3003 * - the PSK itself
3004 */
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]3005 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3006 const unsigned char * const pms_end = pms +
3007 sizeof(ssl->handshake->premaster);
Neil Armstrong0bdb68a2022-03-23 17:46:32 +0100[diff] [blame]3008 /* uint16 to store length (in octets) of the ECDH computation */
3009 const size_t zlen_size = 2;
Neil Armstrongbc5e8f92022-03-23 17:42:50 +0100[diff] [blame]3010 size_t zlen = 0;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3011
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]3012 /* Perform ECDH computation after the uint16 reserved for the length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3013 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3014 handshake->xxdh_psa_privkey,
3015 handshake->xxdh_psa_peerkey,
3016 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3017 pms + zlen_size,
3018 pms_end - (pms + zlen_size),
3019 &zlen);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3020
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3021 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3022 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3023
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3024 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3025 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3026 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3027 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3028 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3029
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]3030 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3031 MBEDTLS_PUT_UINT16_BE(zlen, pms, 0);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]3032 pms += zlen_size + zlen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3033 } else
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3034#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3035 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3036#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3037 if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3038 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3039 * opaque psk_identity<0..2^16-1>;
3040 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3041 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]3042 /* We don't offer PSK suites if we don't have a PSK,
3043 * and we check that the server's choice is among the
3044 * ciphersuites we offered, so this should never happen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3045 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3046 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3047
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3048 header_len = 4;
3049 content_len = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3050
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3051 if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
3052 MBEDTLS_SSL_DEBUG_MSG(1,
3053 ("psk identity too long or SSL buffer too short"));
3054 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3055 }
3056
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3057 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3058 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3059
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3060 memcpy(ssl->out_msg + header_len,
3061 ssl->conf->psk_identity,
3062 ssl->conf->psk_identity_len);
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3063 header_len += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3064
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3065#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3066 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3067 content_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3068 } else
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3069#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3070#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3071 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3072 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3073 &content_len, 2)) != 0) {
3074 return ret;
3075 }
3076 } else
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3077#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3078#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3079 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3080 /*
3081 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3082 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3083 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3084
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3085 if (header_len + 2 + content_len >
3086 MBEDTLS_SSL_OUT_CONTENT_LEN) {
3087 MBEDTLS_SSL_DEBUG_MSG(1,
3088 ("psk identity or DHM size too long or SSL buffer too short"));
3089 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3090 }
3091
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3092 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3093 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3094
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3095 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
3096 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
3097 &ssl->out_msg[header_len], content_len,
3098 ssl->conf->f_rng, ssl->conf->p_rng);
3099 if (ret != 0) {
3100 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
3101 return ret;
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3102 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3103
3104#if defined(MBEDTLS_USE_PSA_CRYPTO)
3105 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3106 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3107 size_t pms_len;
3108
3109 /* Write length only when we know the actual value */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3110 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3111 pms + 2, pms_end - (pms + 2), &pms_len,
3112 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3113 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3114 return ret;
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3115 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3116 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3117 pms += 2 + pms_len;
3118
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3119 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3120#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3121 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3122#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]3123#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3124 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3125 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3126 /*
3127 * ClientECDiffieHellmanPublic public;
3128 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3129 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
3130 &content_len,
3131 &ssl->out_msg[header_len],
3132 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3133 ssl->conf->f_rng, ssl->conf->p_rng);
3134 if (ret != 0) {
3135 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
3136 return ret;
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3137 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3138
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3139 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3140 MBEDTLS_DEBUG_ECDH_Q);
3141 } else
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]3142#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3143 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3144 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3145 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3146 }
3147
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3148#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3149 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3150 ciphersuite_info->key_exchange)) != 0) {
3151 MBEDTLS_SSL_DEBUG_RET(1,
3152 "mbedtls_ssl_psk_derive_premaster", ret);
3153 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3154 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3155#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3156 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3157#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3158#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3159 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3160 header_len = 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3161 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3162 &content_len, 0)) != 0) {
3163 return ret;
3164 }
3165 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3166#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3167#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3168 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3169 header_len = 4;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3170
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3171#if defined(MBEDTLS_USE_PSA_CRYPTO)
3172 unsigned char *out_p = ssl->out_msg + header_len;
3173 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
3174 header_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3175 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
3176 out_p, end_p - out_p, &content_len,
3177 MBEDTLS_ECJPAKE_ROUND_TWO);
3178 if (ret != 0) {
3179 psa_destroy_key(ssl->handshake->psa_pake_password);
3180 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
3181 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
3182 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3183 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3184#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3185 ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
3186 ssl->out_msg + header_len,
3187 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3188 &content_len,
3189 ssl->conf->f_rng, ssl->conf->p_rng);
3190 if (ret != 0) {
3191 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
3192 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3193 }
3194
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3195 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
3196 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3197 ssl->conf->f_rng, ssl->conf->p_rng);
3198 if (ret != 0) {
3199 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
3200 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3201 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3202#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3203 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3204#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3205 {
3206 ((void) ciphersuite_info);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3207 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3208 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3209 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3210
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3211 ssl->out_msglen = header_len + content_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3212 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3213 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3214
3215 ssl->state++;
3216
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3217 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3218 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3219 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3220 }
3221
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3222 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3223
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3224 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3225}
3226
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3227#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3228MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3229static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3230{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3231 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3232 ssl->handshake->ciphersuite_info;
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3233 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3234
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3235 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3236
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3237 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3238 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3239 return ret;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3240 }
3241
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3242 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3243 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3244 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3245 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3246 }
3247
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3248 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3249 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3250}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3251#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3252MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3253static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3254{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3255 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3256 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3257 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3258 size_t n = 0, offset = 0;
3259 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3260 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3261 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3262 size_t hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3263 void *rs_ctx = NULL;
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3264#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3265 size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3266#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3267 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3268#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3269
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3270 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3271
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3272#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3273 if (ssl->handshake->ecrs_enabled &&
3274 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3275 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3276 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3277#endif
3278
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3279 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3280 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3281 return ret;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3282 }
3283
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3284 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3285 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3286 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3287 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3288 }
3289
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3290 if (ssl->handshake->client_auth == 0 ||
3291 mbedtls_ssl_own_cert(ssl) == NULL) {
3292 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]3293 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3294 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3295 }
3296
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3297 if (mbedtls_ssl_own_key(ssl) == NULL) {
3298 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate"));
3299 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3300 }
3301
3302 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3303 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3304 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3305#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3306 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3307 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3308 }
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3309
3310sign:
3311#endif
3312
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3313 ret = ssl->handshake->calc_verify(ssl, hash, &hashlen);
3314 if (0 != ret) {
3315 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
3316 return ret;
3317 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3318
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3319 /*
3320 * digitally-signed struct {
3321 * opaque handshake_messages[handshake_messages_length];
3322 * };
3323 *
3324 * Taking shortcut here. We assume that the server always allows the
3325 * PRF Hash function and has sent it in the allowed signature
3326 * algorithms list received in the Certificate Request message.
3327 *
3328 * Until we encounter a server that does not, we will take this
3329 * shortcut.
3330 *
3331 * Reason: Otherwise we should have running hashes for SHA512 and
3332 * SHA224 in order to satisfy 'weird' needs from the server
3333 * side.
3334 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3335 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3336 md_alg = MBEDTLS_MD_SHA384;
3337 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3338 } else {
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3339 md_alg = MBEDTLS_MD_SHA256;
3340 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3341 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3342 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3343
3344 /* Info from md_alg will be used instead */
3345 hashlen = 0;
3346 offset = 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3347
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3348#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3349 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]3350 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3351 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3352#endif
3353
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3354 if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
3355 md_alg, hash_start, hashlen,
3356 ssl->out_msg + 6 + offset,
3357 out_buf_len - 6 - offset,
3358 &n,
3359 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
3360 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3361#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3362 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3363 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3364 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3365#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3366 return ret;
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3367 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3368
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3369 MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3370
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3371 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3372 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3373 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3374
3375 ssl->state++;
3376
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3377 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3378 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3379 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3380 }
3381
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3382 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3383
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3384 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3385}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3386#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3387
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3388#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3389MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3390static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3391{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3392 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3393 uint32_t lifetime;
3394 size_t ticket_len;
3395 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3396 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3397
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3398 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3399
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3400 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3401 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3402 return ret;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3403 }
3404
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3405 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3406 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3407 mbedtls_ssl_send_alert_message(
3408 ssl,
3409 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3410 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
3411 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3412 }
3413
3414 /*
3415 * struct {
3416 * uint32 ticket_lifetime_hint;
3417 * opaque ticket<0..2^16-1>;
3418 * } NewSessionTicket;
3419 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3420 * 0 . 3 ticket_lifetime_hint
3421 * 4 . 5 ticket_len (n)
3422 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3423 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3424 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3425 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
3426 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3427 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3428 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3429 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3430 }
3431
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3432 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3433
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3434 lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) |
3435 (msg[2] << 8) | (msg[3]);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3436
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3437 ticket_len = (msg[4] << 8) | (msg[5]);
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3438
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3439 if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
3440 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3441 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3442 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3443 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3444 }
3445
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3446 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3447
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3448 /* We're not waiting for a NewSessionTicket message any more */
3449 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3450 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3451
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3452 /*
3453 * Zero-length ticket means the server changed his mind and doesn't want
3454 * to send a ticket after all, so just forget it
3455 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3456 if (ticket_len == 0) {
3457 return 0;
3458 }
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3460 if (ssl->session != NULL && ssl->session->ticket != NULL) {
3461 mbedtls_platform_zeroize(ssl->session->ticket,
3462 ssl->session->ticket_len);
3463 mbedtls_free(ssl->session->ticket);
Hanno Beckerb2964cb2019-01-30 14:46:35 +0000[diff] [blame]3464 ssl->session->ticket = NULL;
3465 ssl->session->ticket_len = 0;
3466 }
3467
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3468 mbedtls_platform_zeroize(ssl->session_negotiate->ticket,
3469 ssl->session_negotiate->ticket_len);
3470 mbedtls_free(ssl->session_negotiate->ticket);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3471 ssl->session_negotiate->ticket = NULL;
3472 ssl->session_negotiate->ticket_len = 0;
3473
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3474 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
3475 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
3476 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3477 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
3478 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3479 }
3480
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3481 memcpy(ticket, msg + 6, ticket_len);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3482
3483 ssl->session_negotiate->ticket = ticket;
3484 ssl->session_negotiate->ticket_len = ticket_len;
3485 ssl->session_negotiate->ticket_lifetime = lifetime;
3486
3487 /*
3488 * RFC 5077 section 3.4:
3489 * "If the client receives a session ticket from the server, then it
3490 * discards any Session ID that was sent in the ServerHello."
3491 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3492 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id"));
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]3493 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3494
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3495 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3496
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3497 return 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3498}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3499#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3500
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3501/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3502 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3503 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3504int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3505{
3506 int ret = 0;
3507
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3508 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3509 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3510#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3511 if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3512 ssl->handshake->new_session_ticket != 0) {
Jerry Yua357cf42022-07-12 05:36:45 +0000[diff] [blame]3513 ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3514 }
3515#endif
3516
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3517 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3518 case MBEDTLS_SSL_HELLO_REQUEST:
3519 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3520 break;
3521
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3522 /*
3523 * ==> ClientHello
3524 */
3525 case MBEDTLS_SSL_CLIENT_HELLO:
3526 ret = mbedtls_ssl_write_client_hello(ssl);
3527 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3529 /*
3530 * <== ServerHello
3531 * Certificate
3532 * ( ServerKeyExchange )
3533 * ( CertificateRequest )
3534 * ServerHelloDone
3535 */
3536 case MBEDTLS_SSL_SERVER_HELLO:
3537 ret = ssl_parse_server_hello(ssl);
3538 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3539
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3540 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3541 ret = mbedtls_ssl_parse_certificate(ssl);
3542 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3543
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3544 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3545 ret = ssl_parse_server_key_exchange(ssl);
3546 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3547
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3548 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3549 ret = ssl_parse_certificate_request(ssl);
3550 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3551
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3552 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3553 ret = ssl_parse_server_hello_done(ssl);
3554 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3555
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3556 /*
3557 * ==> ( Certificate/Alert )
3558 * ClientKeyExchange
3559 * ( CertificateVerify )
3560 * ChangeCipherSpec
3561 * Finished
3562 */
3563 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3564 ret = mbedtls_ssl_write_certificate(ssl);
3565 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3566
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3567 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3568 ret = ssl_write_client_key_exchange(ssl);
3569 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3570
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3571 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3572 ret = ssl_write_certificate_verify(ssl);
3573 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3574
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3575 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3576 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
3577 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3578
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3579 case MBEDTLS_SSL_CLIENT_FINISHED:
3580 ret = mbedtls_ssl_write_finished(ssl);
3581 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3582
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3583 /*
3584 * <== ( NewSessionTicket )
3585 * ChangeCipherSpec
3586 * Finished
3587 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3588#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3589 case MBEDTLS_SSL_NEW_SESSION_TICKET:
3590 ret = ssl_parse_new_session_ticket(ssl);
3591 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3592#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3593
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3594 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3595 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
3596 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3597
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3598 case MBEDTLS_SSL_SERVER_FINISHED:
3599 ret = mbedtls_ssl_parse_finished(ssl);
3600 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3601
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3602 case MBEDTLS_SSL_FLUSH_BUFFERS:
3603 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
3604 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3605 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3606
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3607 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3608 mbedtls_ssl_handshake_wrapup(ssl);
3609 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3610
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3611 default:
3612 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3613 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3614 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3616 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3617}
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]3618
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3619#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_2 */