TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 89743b5db562de590e0b205d4604ab1697298fe8 / . / library / ssl_tls12_server.c
blob: 16866fd5549c0fe546d629f9fd2c7120caac5b53 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS server-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6 */
7
Harry Ramsey0f6bc412024-10-04 10:36:54 +0100[diff] [blame]8#include "ssl_misc.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]10#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]11
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]12#include "mbedtls/platform.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]13
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]14#include "mbedtls/ssl.h"
Valerio Settib4f50762024-01-17 10:24:52 +0100[diff] [blame]15#include "debug_internal.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]16#include "mbedtls/error.h"
Andres Amaya Garcia84914062018-04-24 08:40:46 -0500[diff] [blame]17#include "mbedtls/platform_util.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +0200[diff] [blame]18#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]19#include "mbedtls/constant_time.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]20
21#include <string.h>
22
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]23/* Define a local translating function to save code size by not using too many
24 * arguments in each translating place. */
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]25#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
26 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]27static int local_err_translation(psa_status_t status)
28{
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]30 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]31 psa_generic_status_to_mbedtls);
32}
33#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]34#endif
35
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/ecp.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]38#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]41#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]45int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
46 const unsigned char *info,
47 size_t ilen)
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]48{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]49 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
50 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
51 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]52
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]53 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]54
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]55 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
56 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
57 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]58
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]59 memcpy(ssl->cli_id, info, ilen);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]60 ssl->cli_id_len = ilen;
61
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]62 return 0;
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]63}
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]64
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
66 mbedtls_ssl_cookie_write_t *f_cookie_write,
67 mbedtls_ssl_cookie_check_t *f_cookie_check,
68 void *p_cookie)
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]69{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]70 conf->f_cookie_write = f_cookie_write;
71 conf->f_cookie_check = f_cookie_check;
72 conf->p_cookie = p_cookie;
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]73}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]74#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]75
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]76#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]77MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]78static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]79{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]80 if (conf->f_psk != NULL) {
81 return 1;
82 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]83
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]84 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
85 return 0;
86 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]87
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]88
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]89 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
90 return 1;
91 }
Neil Armstrong8ecd6682022-05-05 11:40:35 +0200[diff] [blame]92
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]93 if (conf->psk != NULL && conf->psk_len != 0) {
94 return 1;
95 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]96
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]97 return 0;
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]98}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]99#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]100
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]101MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]102static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
103 const unsigned char *buf,
104 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]105{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]106#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]107 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]108 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109 if (len != 1 + ssl->verify_data_len ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]110 buf[0] != ssl->verify_data_len ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]111 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
112 ssl->verify_data_len) != 0) {
113 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
114 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
115 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
116 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]117 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]118 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]119#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]120 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]121 if (len != 1 || buf[0] != 0x0) {
122 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
123 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
124 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
125 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]126 }
127
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]128 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]129 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]130
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]131 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]132}
133
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]134#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]135 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]136 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]137/*
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]138 * Function for parsing a supported groups (TLS 1.3) or supported elliptic
139 * curves (TLS 1.2) extension.
140 *
141 * The "extension_data" field of a supported groups extension contains a
142 * "NamedGroupList" value (TLS 1.3 RFC8446):
143 * enum {
144 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
145 * x25519(0x001D), x448(0x001E),
146 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
147 * ffdhe6144(0x0103), ffdhe8192(0x0104),
148 * ffdhe_private_use(0x01FC..0x01FF),
149 * ecdhe_private_use(0xFE00..0xFEFF),
150 * (0xFFFF)
151 * } NamedGroup;
152 * struct {
153 * NamedGroup named_group_list<2..2^16-1>;
154 * } NamedGroupList;
155 *
156 * The "extension_data" field of a supported elliptic curves extension contains
157 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
158 * enum {
159 * deprecated(1..22),
160 * secp256r1 (23), secp384r1 (24), secp521r1 (25),
161 * x25519(29), x448(30),
162 * reserved (0xFE00..0xFEFF),
163 * deprecated(0xFF01..0xFF02),
164 * (0xFFFF)
165 * } NamedCurve;
166 * struct {
167 * NamedCurve named_curve_list<2..2^16-1>
168 * } NamedCurveList;
169 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]170 * The TLS 1.3 supported groups extension was defined to be a compatible
171 * generalization of the TLS 1.2 supported elliptic curves extension. They both
172 * share the same extension identifier.
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]173 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]174 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]175MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]176static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
177 const unsigned char *buf,
178 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]179{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]180 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]181 const unsigned char *p;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]182 uint16_t *curves_tls_id;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]183
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]184 if (len < 2) {
185 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
186 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
187 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
188 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]189 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]190 list_size = MBEDTLS_GET_UINT16_BE(buf, 0);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]191 if (list_size + 2 != len ||
192 list_size % 2 != 0) {
193 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
194 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
195 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
196 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]197 }
198
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]199 /* Should never happen unless client duplicates the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]200 if (ssl->handshake->curves_tls_id != NULL) {
201 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
202 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
203 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
204 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]205 }
206
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]207 /* Don't allow our peer to make us allocate too much memory,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]208 * and leave room for a final 0 */
209 our_size = list_size / 2 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]210 if (our_size > MBEDTLS_ECP_DP_MAX) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]211 our_size = MBEDTLS_ECP_DP_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]212 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]213
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]214 if ((curves_tls_id = mbedtls_calloc(our_size,
215 sizeof(*curves_tls_id))) == NULL) {
216 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
217 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
218 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]219 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]220
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]221 ssl->handshake->curves_tls_id = curves_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]222
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]223 p = buf + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]224 while (list_size > 0 && our_size > 1) {
225 uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]226
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]227 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
228 MBEDTLS_ECP_DP_NONE) {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]229 *curves_tls_id++ = curr_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]230 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]231 }
232
233 list_size -= 2;
234 p += 2;
235 }
236
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]237 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]238}
239
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]240MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]241static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
242 const unsigned char *buf,
243 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]244{
245 size_t list_size;
246 const unsigned char *p;
247
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]248 if (len == 0 || (size_t) (buf[0] + 1) != len) {
249 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
250 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
251 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
252 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]253 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]254 list_size = buf[0];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]255
Manuel Pégourié-Gonnardc1b46d02015-09-16 11:18:32 +0200[diff] [blame]256 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]257 while (list_size > 0) {
258 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
259 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]260 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
261 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]262 }
263
264 list_size--;
265 p++;
266 }
267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]268 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]269}
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]270#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]271 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]272 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]273
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]274#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]275MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]276static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
277 const unsigned char *buf,
278 size_t len)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]279{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]280 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]281
Manuel Pégourié-Gonnard58916762025-01-23 10:48:45 +0100[diff] [blame]282 if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]283 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
284 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]285 }
286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]287 if ((ret = mbedtls_psa_ecjpake_read_round(
288 &ssl->handshake->psa_pake_ctx, buf, len,
289 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
290 psa_destroy_key(ssl->handshake->psa_pake_password);
291 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]292
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]293 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]294 mbedtls_ssl_send_alert_message(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]295 ssl,
296 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
297 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]298
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]299 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]300 }
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]301
302 /* Only mark the extension as OK when we're sure it is */
303 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
304
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]305 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]306}
307#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
308
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]309#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]310MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]311static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
312 const unsigned char *buf,
313 size_t len)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]314{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]315 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
316 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
317 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
318 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
319 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]320 }
321
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]322 ssl->session_negotiate->mfl_code = buf[0];
323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]324 return 0;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]325}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]326#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]327
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]328#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]329MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]330static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
331 const unsigned char *buf,
332 size_t len)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]333{
334 size_t peer_cid_len;
335
336 /* CID extension only makes sense in DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]337 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
338 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
339 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
340 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
341 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]342 }
343
344 /*
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]345 * struct {
346 * opaque cid<0..2^8-1>;
347 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]349
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]350 if (len < 1) {
351 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
352 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
353 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
354 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]355 }
356
357 peer_cid_len = *buf++;
358 len--;
359
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]360 if (len != peer_cid_len) {
361 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
362 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
363 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
364 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]365 }
366
367 /* Ignore CID if the user has disabled its use. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]368 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]369 /* Leave ssl->handshake->cid_in_use in its default
370 * value of MBEDTLS_SSL_CID_DISABLED. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]371 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
372 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]373 }
374
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]375 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
376 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
377 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
378 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
379 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]380 }
381
Hanno Becker08556bf2019-05-03 12:43:44 +0100[diff] [blame]382 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]383 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]384 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]385
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
387 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]388
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]389 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]390}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]391#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]393#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]394MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]395static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
396 const unsigned char *buf,
397 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]398{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]399 if (len != 0) {
400 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
401 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
402 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
403 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]404 }
405
406 ((void) buf);
407
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]408 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]409 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]410 }
411
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]412 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]413}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]414#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]416#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]417MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]418static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
419 const unsigned char *buf,
420 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]421{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]422 if (len != 0) {
423 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
424 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
425 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
426 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]427 }
428
429 ((void) buf);
430
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]431 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]432 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]433 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]434
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]435 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]436}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]437#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]438
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]439#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]440MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]441static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
442 unsigned char *buf,
443 size_t len)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]444{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]445 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]446 mbedtls_ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]447
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 mbedtls_ssl_session_init(&session);
Manuel Pégourié-Gonnardbae389b2015-06-24 10:45:58 +0200[diff] [blame]449
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]450 if (ssl->conf->f_ticket_parse == NULL ||
451 ssl->conf->f_ticket_write == NULL) {
452 return 0;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]453 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]454
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]455 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]456 ssl->handshake->new_session_ticket = 1;
457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]460 if (len == 0) {
461 return 0;
462 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]463
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]464#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]465 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
466 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
467 return 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]468 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]469#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]470
471 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]472 * Failures are ok: just ignore the ticket and proceed.
473 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
475 buf, len)) != 0) {
476 mbedtls_ssl_session_free(&session);
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]477
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]478 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
479 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
480 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
481 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
482 } else {
483 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
484 }
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]485
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]486 return 0;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]487 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]488
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]489 /*
490 * Keep the session ID sent by the client, since we MUST send it back to
491 * inform them we're accepting the ticket (RFC 5077 section 3.4)
492 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]493 session.id_len = ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]494 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]496 mbedtls_ssl_session_free(ssl->session_negotiate);
497 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]498
499 /* Zeroize instead of free as we copied the content */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]500 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]501
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]502 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]503
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]504 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]505
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]506 /* Don't send a new ticket after all, this one is OK */
507 ssl->handshake->new_session_ticket = 0;
508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]509 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]510}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]512
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]513#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]514MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]515static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
516 const unsigned char *buf,
517 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]518{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]519 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]520 size_t i, j;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]521 size_t profile_length;
522 uint16_t mki_length;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]523 /*! 2 bytes for profile length and 1 byte for mki len */
524 const size_t size_of_lengths = 3;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]525
526 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]527 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
528 (ssl->conf->dtls_srtp_profile_list == NULL) ||
529 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
530 return 0;
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]531 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]532
533 /* RFC5764 section 4.1.1
534 * uint8 SRTPProtectionProfile[2];
535 *
536 * struct {
537 * SRTPProtectionProfiles SRTPProtectionProfiles;
538 * opaque srtp_mki<0..255>;
539 * } UseSRTPData;
540
541 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]542 */
543
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]544 /*
545 * Min length is 5: at least one protection profile(2 bytes)
546 * and length(2 bytes) + srtp_mki length(1 byte)
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]547 * Check here that we have at least 2 bytes of protection profiles length
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]548 * and one of srtp_mki length
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]549 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]550 if (len < size_of_lengths) {
551 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
552 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
553 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]554 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]555
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]556 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]557
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]558 /* first 2 bytes are protection profile length(in bytes) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]559 profile_length = (buf[0] << 8) | buf[1];
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]560 buf += 2;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]561
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]562 /* The profile length cannot be bigger than input buffer size - lengths fields */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]563 if (profile_length > len - size_of_lengths ||
564 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
565 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
566 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
567 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]568 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]569 /*
570 * parse the extension list values are defined in
571 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
572 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]573 for (j = 0; j < profile_length; j += 2) {
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]574 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]575 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]576
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]577 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
578 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
579 mbedtls_ssl_get_srtp_profile_as_string(
580 client_protection)));
581 } else {
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]582 continue;
583 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]584 /* check if suggested profile is in our list */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]585 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
586 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]587 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]588 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
589 mbedtls_ssl_get_srtp_profile_as_string(
590 client_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]591 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]592 }
593 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]595 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]597 }
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]598 buf += profile_length; /* buf points to the mki length */
599 mki_length = *buf;
600 buf++;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]601
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]602 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
603 mki_length + profile_length + size_of_lengths != len) {
604 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
605 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
606 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]607 }
608
609 /* Parse the mki only if present and mki is supported locally */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]610 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
611 mki_length > 0) {
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]612 ssl->dtls_srtp_info.mki_len = mki_length;
613
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]614 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]616 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
617 ssl->dtls_srtp_info.mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]618 }
619
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]620 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]621}
622#endif /* MBEDTLS_SSL_DTLS_SRTP */
623
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]624/*
625 * Auxiliary functions for ServerHello parsing and related actions
626 */
627
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]628#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]629/*
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]630 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]631 */
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]632#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]633MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634static int ssl_check_key_curve(mbedtls_pk_context *pk,
635 uint16_t *curves_tls_id)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]636{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]637 uint16_t *curr_tls_id = curves_tls_id;
Valerio Settif9362b72023-11-29 08:42:27 +0100[diff] [blame]638 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]639 mbedtls_ecp_group_id curr_grp_id;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]640
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]641 while (*curr_tls_id != 0) {
642 curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
643 if (curr_grp_id == grp_id) {
644 return 0;
645 }
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]646 curr_tls_id++;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]647 }
648
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]649 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]650}
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]651#endif /* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]652
653/*
654 * Try picking a certificate for this ciphersuite,
655 * return 0 on success and -1 on failure.
656 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]657MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]658static int ssl_pick_cert(mbedtls_ssl_context *ssl,
659 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]660{
Glenn Strauss041a3762022-03-15 06:08:29 -0400[diff] [blame]661 mbedtls_ssl_key_cert *cur, *list;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]662 psa_algorithm_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]663 mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]664 psa_key_usage_t pk_usage =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]665 mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]666 uint32_t flags;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]668#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]669 if (ssl->handshake->sni_key_cert != NULL) {
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]670 list = ssl->handshake->sni_key_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]671 } else
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]672#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]673 list = ssl->conf->key_cert;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]674
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]675 int pk_alg_is_none = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]677 if (pk_alg_is_none) {
678 return 0;
Manuel Pégourié-Gonnarde540b492015-07-07 12:44:38 +0200[diff] [blame]679 }
680
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]681 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
682
683 if (list == NULL) {
684 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
685 return -1;
686 }
687
688 for (cur = list; cur != NULL; cur = cur->next) {
Andrzej Kurek7ed01e82020-03-18 11:51:59 -0400[diff] [blame]689 flags = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]690 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
691 cur->cert);
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]692
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]693 int key_type_matches = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]694#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]695 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
696 ssl->conf->f_async_decrypt_start != NULL ||
697 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
698 mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]699#else
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]700 key_type_matches = (
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]701 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]702#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]703 if (!key_type_matches) {
704 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]705 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]706 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]707
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]708 /*
709 * This avoids sending the client a cert it'll reject based on
710 * keyUsage or other extensions.
711 *
712 * It also allows the user to provision different certificates for
713 * different uses based on keyUsage, eg if they want to avoid signing
714 * and decrypting with the same RSA key.
715 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]716 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
Manuel Pégourié-Gonnard7a4aa4d2024-08-09 11:49:12 +0200[diff] [blame]717 MBEDTLS_SSL_IS_CLIENT,
718 MBEDTLS_SSL_VERSION_TLS1_2,
719 &flags) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]720 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
721 "(extended) key usage extension"));
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]722 continue;
723 }
724
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]725#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]726 if (pk_alg == MBEDTLS_PK_ECDSA &&
727 ssl_check_key_curve(&cur->cert->pk,
728 ssl->handshake->curves_tls_id) != 0) {
729 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]730 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]731 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]732#endif
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]733
734 /* If we get there, we got a winner */
735 break;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]736 }
737
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]738 /* Do not update ssl->handshake->key_cert unless there is a match */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]739 if (cur != NULL) {
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]740 ssl->handshake->key_cert = cur;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]741 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
742 ssl->handshake->key_cert->cert);
743 return 0;
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]744 }
745
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]746 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]747}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]748#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]749
750/*
751 * Check if a given ciphersuite is suitable for use with our config/keys/etc
752 * Sets ciphersuite_info only if the suite matches.
753 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]754MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]755static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
756 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]757{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]758 const mbedtls_ssl_ciphersuite_t *suite_info;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]759
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]760#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]761 mbedtls_pk_type_t sig_type;
762#endif
763
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]764 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
765 if (suite_info == NULL) {
766 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
767 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]768 }
769
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]770 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
771 (unsigned int) suite_id, suite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]772
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]773 if (suite_info->min_tls_version > ssl->tls_version ||
774 suite_info->max_tls_version < ssl->tls_version) {
775 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
776 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]777 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]778
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]779#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]780 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
781 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
782 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
783 "not configured or ext missing"));
784 return 0;
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]785 }
786#endif
787
788
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]789#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]790 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]791 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
792 (ssl->handshake->curves_tls_id == NULL ||
793 ssl->handshake->curves_tls_id[0] == 0)) {
794 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
795 "no common elliptic curve"));
796 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]797 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]798#endif
799
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]800#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]801 /* If the ciphersuite requires a pre-shared key and we don't
802 * have one, skip it now rather than failing later */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]803 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
804 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
805 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
806 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]807 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]808#endif
809
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]810#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]811 /*
812 * Final check: if ciphersuite requires us to have a
813 * certificate/key of a particular type:
814 * - select the appropriate certificate if we have one, or
815 * - try the next ciphersuite if we don't
816 * This must be done last since we modify the key_cert list.
817 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]818 if (ssl_pick_cert(ssl, suite_info) != 0) {
819 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
820 "no suitable certificate"));
821 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]822 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]823#endif
824
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]825#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
826 /* If the ciphersuite requires signing, check whether
827 * a suitable hash algorithm is present. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]828 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
829 if (sig_type != MBEDTLS_PK_NONE &&
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]830 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]831 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
832 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
833 "for signature algorithm %u", (unsigned) sig_type));
834 return 0;
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]835 }
836
837#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
838
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]839 *ciphersuite_info = suite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]840 return 0;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]841}
842
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]843/* This function doesn't alert on errors that happen early during
844 ClientHello parsing because they might indicate that the client is
845 not talking SSL/TLS at all and would not understand our alert. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]846MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]847static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]848{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]849 int ret, got_common_suite;
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]850 size_t i, j;
851 size_t ciph_offset, comp_offset, ext_offset;
852 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]853#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]854 size_t cookie_offset, cookie_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]855#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]856 unsigned char *buf, *p, *ext;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]857#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]858 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]859#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]860 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]861 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]862 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]863
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]864 /* If there is no signature-algorithm extension present,
865 * we need to fall back to the default values for allowed
866 * signature-hash pairs. */
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]867#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]868 int sig_hash_alg_ext_present = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]869#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]870
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]871 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]872
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]873 int renegotiating;
874
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]875#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]876read_record_header:
877#endif
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]878 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]879 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]880 * otherwise read it ourselves manually in order to support SSLv2
881 * ClientHello, which doesn't use the same record layer format.
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]882 * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
883 * ClientHello has been already fully fetched by the TLS 1.3 code and the
884 * flag ssl->keep_current_message is raised.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]885 */
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]886 renegotiating = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]887#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]888 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]889#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]890 if (!renegotiating && !ssl->keep_current_message) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]891 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]892 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]893 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
894 return ret;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]895 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]896 }
897
898 buf = ssl->in_hdr;
899
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]900 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]901
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]902 /*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]903 * TLS Client Hello
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]904 *
905 * Record layer:
906 * 0 . 0 message type
907 * 1 . 2 protocol version
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]908 * 3 . 11 DTLS: epoch + record sequence number
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]909 * 3 . 4 message length
910 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]911 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
912 buf[0]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]913
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]914 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
915 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
916 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]917 }
918
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]919 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]920 MBEDTLS_GET_UINT16_BE(ssl->in_len, 0)));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]921
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]922 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
923 buf[1], buf[2]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]924
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]925 /* For DTLS if this is the initial handshake, remember the client sequence
926 * number to use it in our next message (RFC 6347 4.2.1) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]927#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]928 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]929#if defined(MBEDTLS_SSL_RENEGOTIATION)
930 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]931#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]932 ) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]933 /* Epoch should be 0 for initial handshakes */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]934 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
935 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
936 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]937 }
938
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]939 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
940 sizeof(ssl->cur_out_ctr) - 2);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]941
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]942#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]943 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
944 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]945 ssl->next_record_offset = 0;
946 ssl->in_left = 0;
947 goto read_record_header;
948 }
949
950 /* No MAC to check yet, so we can update right now */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]951 mbedtls_ssl_dtls_replay_update(ssl);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]952#endif
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]953 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]954#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]955
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]956 msg_len = MBEDTLS_GET_UINT16_BE(ssl->in_len, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]957
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]958#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]959 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]960 /* Set by mbedtls_ssl_read_record() */
Manuel Pégourié-Gonnardb89c4f32015-01-21 13:24:10 +0000[diff] [blame]961 msg_len = ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 } else
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]963#endif
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]964 {
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]965 if (ssl->keep_current_message) {
966 ssl->keep_current_message = 0;
967 } else {
968 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
969 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
970 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
971 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]972
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]973 if ((ret = mbedtls_ssl_fetch_input(ssl,
974 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
975 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
976 return ret;
977 }
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]978
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]979 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]980#if defined(MBEDTLS_SSL_PROTO_DTLS)
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]981 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
982 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
983 } else
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]984#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]985 ssl->in_left = 0;
986 }
Manuel Pégourié-Gonnardd6b721c2014-03-24 12:13:54 +0100[diff] [blame]987 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]988
989 buf = ssl->in_msg;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]990
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]991 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]992
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]993 ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
994 if (0 != ret) {
995 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
996 return ret;
997 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]998
999 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1000 * Handshake layer:
1001 * 0 . 0 handshake type
1002 * 1 . 3 handshake length
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1003 * 4 . 5 DTLS only: message sequence number
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1004 * 6 . 8 DTLS only: fragment offset
1005 * 9 . 11 DTLS only: fragment length
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1006 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1007 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1008 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1009 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1010 }
1011
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1012 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1013
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1014 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1015 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1016 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1017 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1018 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1019 size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
1020 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
1021 (unsigned) handshake_len));
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1022
1023 /* The record layer has a record size limit of 2^14 - 1 and
1024 * fragmentation is not supported, so buf[1] should be zero. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1025 if (buf[1] != 0) {
1026 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
1027 (unsigned) buf[1]));
1028 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1029 }
1030
1031 /* We don't support fragmentation of ClientHello (yet?) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1032 if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
1033 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
1034 (unsigned) msg_len,
1035 (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1036 (unsigned) handshake_len));
1037 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1038 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1039 }
1040
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1042 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1043 /*
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1044 * Copy the client's handshake message_seq on initial handshakes,
1045 * check sequence number on renego.
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1046 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1047#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1048 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1049 /* This couldn't be done in ssl_prepare_handshake_record() */
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1050 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1051 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1052 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1053 "%u (expected %u)", cli_msg_seq,
1054 ssl->handshake->in_msg_seq));
1055 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1056 }
1057
1058 ssl->handshake->in_msg_seq++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1059 } else
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1060#endif
1061 {
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1062 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1063 ssl->handshake->out_msg_seq = cli_msg_seq;
1064 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1065 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1066 {
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1067 /*
1068 * For now we don't support fragmentation, so make sure
1069 * fragment_offset == 0 and fragment_length == length
1070 */
1071 size_t fragment_offset, fragment_length, length;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1072 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1073 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1074 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1075 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1076 4, ("fragment_offset=%u fragment_length=%u length=%u",
1077 (unsigned) fragment_offset, (unsigned) fragment_length,
1078 (unsigned) length));
1079 if (fragment_offset != 0 || length != fragment_length) {
1080 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1081 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1082 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1083 }
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1084 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1085#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1086
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1087 buf += mbedtls_ssl_hs_hdr_len(ssl);
1088 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1089
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1090 /*
Wenxing Hou3b9de382023-12-14 16:22:01 +0800[diff] [blame]1091 * ClientHello layout:
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1092 * 0 . 1 protocol version
1093 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
Wenxing Hou3b9de382023-12-14 16:22:01 +0800[diff] [blame]1094 * 34 . 34 session id length (1 byte)
1095 * 35 . 34+x session id, where x = session id length from byte 34
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1096 * 35+x . 35+x DTLS only: cookie length (1 byte)
1097 * 36+x . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1098 * .. . .. ciphersuite list length (2 bytes)
1099 * .. . .. ciphersuite list
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1100 * .. . .. compression alg. list length (1 byte)
1101 * .. . .. compression alg. list
1102 * .. . .. extensions length (2 bytes, optional)
1103 * .. . .. extensions (optional)
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1104 */
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1105
1106 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1107 * Minimal length (with everything empty and extensions omitted) is
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1108 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1109 * read at least up to session id length without worrying.
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1110 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1111 if (msg_len < 38) {
1112 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1113 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1114 }
1115
1116 /*
1117 * Check and save the protocol version
1118 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1119 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1120
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]1121 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1122 ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1123 ssl->session_negotiate->tls_version = ssl->tls_version;
Ronald Cron17ef8df2023-11-22 10:29:42 +0100[diff] [blame]1124 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1125
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1126 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1127 MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1128 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1129 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1130 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1131 }
1132
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1133 /*
1134 * Save client random (inc. Unix time)
1135 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1136 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1137
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1138 memcpy(ssl->handshake->randbytes, buf + 2, 32);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1139
1140 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1141 * Check the session ID length and save session ID
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1142 */
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1143 sess_len = buf[34];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1145 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1146 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1147 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1148 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1149 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1150 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1151 }
1152
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1153 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1154
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1155 ssl->session_negotiate->id_len = sess_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1156 memset(ssl->session_negotiate->id, 0,
1157 sizeof(ssl->session_negotiate->id));
1158 memcpy(ssl->session_negotiate->id, buf + 35,
1159 ssl->session_negotiate->id_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1160
1161 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1162 * Check the cookie length and content
1163 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1164#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1165 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1166 cookie_offset = 35 + sess_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1167 cookie_len = buf[cookie_offset];
1168
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1169 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1170 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1171 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1172 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1173 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1174 }
1175
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1176 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1177 buf + cookie_offset + 1, cookie_len);
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1178
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1179#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1180 if (ssl->conf->f_cookie_check != NULL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1181#if defined(MBEDTLS_SSL_RENEGOTIATION)
1182 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1183#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1184 ) {
1185 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1186 buf + cookie_offset + 1, cookie_len,
1187 ssl->cli_id, ssl->cli_id_len) != 0) {
1188 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1189 ssl->handshake->cookie_verify_result = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1190 } else {
1191 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1192 ssl->handshake->cookie_verify_result = 0;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1193 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1194 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1195#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1196 {
1197 /* We know we didn't send a cookie, so it should be empty */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1198 if (cookie_len != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1199 /* This may be an attacker's probe, so don't send an alert */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1200 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1201 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1202 }
1203
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1204 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1205 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1206
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1207 /*
1208 * Check the ciphersuitelist length (will be parsed later)
1209 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1210 ciph_offset = cookie_offset + 1 + cookie_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1211 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1212#endif /* MBEDTLS_SSL_PROTO_DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1213 ciph_offset = 35 + sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1214
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1215 ciph_len = MBEDTLS_GET_UINT16_BE(buf, ciph_offset);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1216
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1217 if (ciph_len < 2 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1218 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1219 (ciph_len % 2) != 0) {
1220 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1221 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1222 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1223 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1224 }
1225
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1226 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1227 buf + ciph_offset + 2, ciph_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1228
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1229 /*
Thomas Daubney20f89a92022-06-20 15:12:19 +0100[diff] [blame]1230 * Check the compression algorithm's length.
1231 * The list contents are ignored because implementing
1232 * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1233 * option supported by Mbed TLS.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1234 */
1235 comp_offset = ciph_offset + 2 + ciph_len;
1236
1237 comp_len = buf[comp_offset];
1238
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1239 if (comp_len < 1 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1240 comp_len > 16 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1241 comp_len + comp_offset + 1 > msg_len) {
1242 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1243 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1244 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1245 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1246 }
1247
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1248 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1249 buf + comp_offset + 1, comp_len);
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1250
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1251 /*
1252 * Check the extension length
1253 */
1254 ext_offset = comp_offset + 1 + comp_len;
1255 if (msg_len > ext_offset) {
1256 if (msg_len < ext_offset + 2) {
1257 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1258 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1259 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1260 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1261 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1262
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1263 ext_len = MBEDTLS_GET_UINT16_BE(buf, ext_offset);
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1264
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1265 if (msg_len != ext_offset + 2 + ext_len) {
1266 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1267 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1268 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1269 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1270 }
1271 } else {
1272 ext_len = 0;
1273 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1274
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1275 ext = buf + ext_offset + 2;
1276 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1277
1278 while (ext_len != 0) {
1279 unsigned int ext_id;
1280 unsigned int ext_size;
1281 if (ext_len < 4) {
1282 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1283 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1284 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1285 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1286 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1287 ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
1288 ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1289
1290 if (ext_size + 4 > ext_len) {
1291 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1292 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1293 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1294 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1295 }
1296 switch (ext_id) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1297#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1298 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1299 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1300 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1301 ext + 4 + ext_size);
1302 if (ret != 0) {
1303 return ret;
1304 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1305 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1306#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1307
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1308 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1309 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1310#if defined(MBEDTLS_SSL_RENEGOTIATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1311 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1312#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1313
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1314 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1315 if (ret != 0) {
1316 return ret;
1317 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1318 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1319
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1320#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1321 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1322 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
Ron Eldor73a38172017-10-03 15:58:26 +0300[diff] [blame]1323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1324 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1325 if (ret != 0) {
1326 return ret;
1327 }
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1328
1329 sig_hash_alg_ext_present = 1;
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1330 break;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1331#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1332
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1333#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1334 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1335 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub47d0f82021-12-20 17:34:40 +0800[diff] [blame]1336 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1337 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1338
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1339 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1340 if (ret != 0) {
1341 return ret;
1342 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1343 break;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1344
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1345 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1346 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1347 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1348
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1349 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1350 if (ret != 0) {
1351 return ret;
1352 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1353 break;
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1354#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1355 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1356 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1357
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1358#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1359 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1360 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1361
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1362 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1363 if (ret != 0) {
1364 return ret;
1365 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1366 break;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1367#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1368
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1369#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1370 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1371 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1372
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1373 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1374 if (ret != 0) {
1375 return ret;
1376 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1377 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1378#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1379
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1380#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1381 case MBEDTLS_TLS_EXT_CID:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1382 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1383
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1384 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1385 if (ret != 0) {
1386 return ret;
1387 }
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1388 break;
Thomas Daubneye1c9a402021-06-15 11:26:43 +0100[diff] [blame]1389#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1391#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1392 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1393 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1394
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1395 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1396 if (ret != 0) {
1397 return ret;
1398 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1399 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1400#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1401
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1402#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1403 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1404 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1405
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1406 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1407 if (ret != 0) {
1408 return ret;
1409 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1410 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1411#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1412
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1413#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1414 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1415 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1416
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1417 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1418 if (ret != 0) {
1419 return ret;
1420 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1421 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1422#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1423
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1424#if defined(MBEDTLS_SSL_ALPN)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1425 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1426 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1427
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1428 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1429 ext + 4 + ext_size);
1430 if (ret != 0) {
1431 return ret;
1432 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1433 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1434#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1435
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1436#if defined(MBEDTLS_SSL_DTLS_SRTP)
1437 case MBEDTLS_TLS_EXT_USE_SRTP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1438 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascald576fdb2020-09-22 10:39:53 +0200[diff] [blame]1439
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1440 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1441 if (ret != 0) {
1442 return ret;
1443 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1444 break;
1445#endif /* MBEDTLS_SSL_DTLS_SRTP */
1446
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1447 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1448 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1449 ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1450 }
Janos Follathc6dab2b2016-05-23 14:27:02 +0100[diff] [blame]1451
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1452 ext_len -= 4 + ext_size;
1453 ext += 4 + ext_size;
1454 }
1455
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1456#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1457
1458 /*
1459 * Try to fall back to default hash SHA1 if the client
1460 * hasn't provided any preferred signature-hash combinations.
1461 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1462 if (!sig_hash_alg_ext_present) {
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1463 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1464 const uint16_t default_sig_algs[] = {
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1465#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1466 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1467 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1468#endif
1469#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1470 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1471 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1472#endif
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1473 MBEDTLS_TLS_SIG_NONE
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1474 };
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1475
Tom Cosgrove6ef9bb32023-03-08 14:19:51 +0000[diff] [blame]1476 MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1477 <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1478 "default_sig_algs is too big");
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1479
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1480 memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1481 }
1482
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1483#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1484
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1485 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1486 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1487 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1488 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1489 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1490 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1492 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1493 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1494 "during renegotiation"));
1495 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1496 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1497 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1498 }
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1499#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1500 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1501 break;
1502 }
1503 }
1504
1505 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1506 * Renegotiation security checks
1507 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1508 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1509 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1510 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1511 handshake_failure = 1;
1512 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1513#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1514 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1515 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1516 renegotiation_info_seen == 0) {
1517 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1518 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1519 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1520 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1521 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1522 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1523 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1524 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1525 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1526 renegotiation_info_seen == 1) {
1527 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1528 handshake_failure = 1;
1529 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1530#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1531
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1532 if (handshake_failure == 1) {
1533 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1534 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1535 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1536 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1537
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1538 /*
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1539 * Server certification selection (after processing TLS extensions)
1540 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1541 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1542 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1543 return ret;
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1544 }
Glenn Strauss69894072022-01-24 12:58:00 -0500[diff] [blame]1545#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1546 ssl->handshake->sni_name = NULL;
1547 ssl->handshake->sni_name_len = 0;
1548#endif
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1549
1550 /*
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1551 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +0200[diff] [blame]1552 * (At the end because we need information from the EC-based extensions
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1553 * and certificate from the SNI callback triggered by the SNI extension
1554 * or certificate from server certificate selection callback.)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1555 */
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1556 got_common_suite = 0;
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]1557 ciphersuites = ssl->conf->ciphersuite_list;
Manuel Pégourié-Gonnard59b81d72013-11-30 17:46:04 +0100[diff] [blame]1558 ciphersuite_info = NULL;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1559
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1560 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1561 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1562 for (i = 0; ciphersuites[i] != 0; i++) {
1563 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1564 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1565 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1566
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1567 got_common_suite = 1;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1568
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1569 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1570 &ciphersuite_info)) != 0) {
1571 return ret;
1572 }
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1573
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1574 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1575 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1576 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1577 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1578 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1579 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1580 for (i = 0; ciphersuites[i] != 0; i++) {
1581 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1582 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1583 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1584 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1585
1586 got_common_suite = 1;
1587
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1588 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1589 &ciphersuite_info)) != 0) {
1590 return ret;
1591 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1592
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1593 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1594 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1595 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1596 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1597 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1598 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1599
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1600 if (got_common_suite) {
1601 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1602 "but none of them usable"));
1603 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1604 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1605 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1606 } else {
1607 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1608 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1609 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1610 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1611 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1612
1613have_ciphersuite:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1614 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]1615
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1616 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1617 ssl->handshake->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1618
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1619 ssl->state++;
1620
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1621#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1622 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1623 mbedtls_ssl_recv_flight_completed(ssl);
1624 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1625#endif
1626
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1627 /* Debugging-only output for testsuite */
1628#if defined(MBEDTLS_DEBUG_C) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1629 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1630 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1631 if (sig_alg != MBEDTLS_PK_NONE) {
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]1632 unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1633 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1634 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1635 sig_hash));
1636 } else {
1637 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1638 "%u - should not happen", (unsigned) sig_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1639 }
1640#endif
1641
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1642 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1643
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1644 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1645}
1646
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1647#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1648static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1649 unsigned char *buf,
1650 size_t *olen)
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1651{
1652 unsigned char *p = buf;
1653 size_t ext_len;
1654 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1655
1656 *olen = 0;
1657
1658 /* Skip writing the extension if we don't want to use it or if
1659 * the client hasn't offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1660 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1661 return;
1662 }
1663
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1664 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1665 * which is at most 255, so the increment cannot overflow. */
1666 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1667 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1668 return;
1669 }
1670
1671 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1672
1673 /*
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1674 * struct {
1675 * opaque cid<0..2^8-1>;
1676 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1677 */
1678 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1679 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1680 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1681 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1682 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1683
1684 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1685 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1686
1687 *olen = ssl->own_cid_len + 5;
1688}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1689#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1690
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1691#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1692static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1693 unsigned char *buf,
1694 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1695{
1696 unsigned char *p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1697 const mbedtls_ssl_ciphersuite_t *suite = NULL;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1698
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1699 /*
1700 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1701 * from a client and then selects a stream or Authenticated Encryption
1702 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1703 * encrypt-then-MAC response extension back to the client."
1704 */
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1705 suite = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1706 ssl->session_negotiate->ciphersuite);
1707 if (suite == NULL) {
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1708 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1709 } else {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1710 mbedtls_ssl_mode_t ssl_mode =
Neil Armstrongab555e02022-04-04 11:07:59 +0200[diff] [blame]1711 mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1712 ssl->session_negotiate->encrypt_then_mac,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1713 suite);
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1714
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1715 if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1716 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1717 }
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1718 }
1719
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1720 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1721 *olen = 0;
1722 return;
1723 }
1724
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1725 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1726
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1727 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1728 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1729
1730 *p++ = 0x00;
1731 *p++ = 0x00;
1732
1733 *olen = 4;
1734}
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1735#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1736
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1738static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1739 unsigned char *buf,
1740 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1741{
1742 unsigned char *p = buf;
1743
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1744 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1745 *olen = 0;
1746 return;
1747 }
1748
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1749 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1750 "extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1751
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1752 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1753 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1754
1755 *p++ = 0x00;
1756 *p++ = 0x00;
1757
1758 *olen = 4;
1759}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1760#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1761
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1762#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1763static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1764 unsigned char *buf,
1765 size_t *olen)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1766{
1767 unsigned char *p = buf;
1768
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1769 if (ssl->handshake->new_session_ticket == 0) {
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1770 *olen = 0;
1771 return;
1772 }
1773
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1774 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1775
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1776 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1777 p += 2;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1778
1779 *p++ = 0x00;
1780 *p++ = 0x00;
1781
1782 *olen = 4;
1783}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1784#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1785
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1786static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1787 unsigned char *buf,
1788 size_t *olen)
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1789{
1790 unsigned char *p = buf;
1791
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1792 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1793 *olen = 0;
1794 return;
1795 }
1796
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1797 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1798
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1799 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1800 p += 2;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1801
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1802#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1803 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1804 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1805 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1806 *p++ = ssl->verify_data_len * 2 & 0xFF;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1807
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1808 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1809 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1810 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1811 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1812 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1813#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1814 {
1815 *p++ = 0x00;
1816 *p++ = 0x01;
1817 *p++ = 0x00;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1818 }
Manuel Pégourié-Gonnard19389752015-06-23 13:46:44 +0200[diff] [blame]1819
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1820 *olen = (size_t) (p - buf);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1821}
1822
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1823#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1824static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1825 unsigned char *buf,
1826 size_t *olen)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1827{
1828 unsigned char *p = buf;
1829
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1830 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1831 *olen = 0;
1832 return;
1833 }
1834
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1835 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1836
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1837 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1838 p += 2;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1839
1840 *p++ = 0x00;
1841 *p++ = 1;
1842
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1843 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1844
1845 *olen = 5;
1846}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1847#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1848
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1849#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1850 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1851 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1852static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1853 unsigned char *buf,
1854 size_t *olen)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1855{
1856 unsigned char *p = buf;
1857 ((void) ssl);
1858
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1859 if ((ssl->handshake->cli_exts &
1860 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
Paul Bakker677377f2013-10-28 12:54:26 +0100[diff] [blame]1861 *olen = 0;
1862 return;
1863 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1864
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1865 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1866
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1867 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1868 p += 2;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1869
1870 *p++ = 0x00;
1871 *p++ = 2;
1872
1873 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1874 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1875
1876 *olen = 6;
1877}
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1878#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1879 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1880 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1881
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1882#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1883static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1884 unsigned char *buf,
1885 size_t *olen)
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1886{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1887 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1888 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1889 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1890 size_t kkpp_len;
1891
1892 *olen = 0;
1893
1894 /* Skip costly computation if not needed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1895 if (ssl->handshake->ciphersuite_info->key_exchange !=
1896 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1897 return;
1898 }
1899
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1900 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1901
1902 if (end - p < 4) {
1903 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1904 return;
1905 }
1906
1907 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1908 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1909
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1910 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1911 p + 2, (size_t) (end - p - 2), &kkpp_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1912 MBEDTLS_ECJPAKE_ROUND_ONE);
1913 if (ret != 0) {
1914 psa_destroy_key(ssl->handshake->psa_pake_password);
1915 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1916 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
Valerio Settia9883642022-11-17 15:34:59 +0100[diff] [blame]1917 return;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1918 }
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1919
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1920 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1921 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1922
1923 *olen = kkpp_len + 4;
1924}
1925#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1926
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1927#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
1928static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1929 unsigned char *buf,
1930 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1931{
Ron Eldor75870ec2018-12-06 17:31:55 +0200[diff] [blame]1932 size_t mki_len = 0, ext_len = 0;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1933 uint16_t profile_value = 0;
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1934 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1935
1936 *olen = 0;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1937
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1938 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1939 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1940 return;
1941 }
1942
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1943 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1944
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1945 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1946 mki_len = ssl->dtls_srtp_info.mki_len;
1947 }
1948
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]1949 /* The extension total size is 9 bytes :
1950 * - 2 bytes for the extension tag
1951 * - 2 bytes for the total size
1952 * - 2 bytes for the protection profile length
1953 * - 2 bytes for the protection profile
1954 * - 1 byte for the mki length
1955 * + the actual mki length
1956 * Check we have enough room in the output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1957 if ((size_t) (end - buf) < mki_len + 9) {
1958 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1959 return;
1960 }
1961
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1962 /* extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1963 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1964 /*
1965 * total length 5 and mki value: only one profile(2 bytes)
1966 * and length(2 bytes) and srtp_mki )
1967 */
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1968 ext_len = 5 + mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1969 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1970
1971 /* protection profile length: 2 */
1972 buf[4] = 0x00;
1973 buf[5] = 0x02;
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1974 profile_value = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1975 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
1976 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
1977 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
1978 } else {
1979 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1980 return;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1981 }
1982
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1983 buf[8] = mki_len & 0xFF;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1984 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1985
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1986 *olen = 9 + mki_len;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1987}
1988#endif /* MBEDTLS_SSL_DTLS_SRTP */
1989
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1990#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1991MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1992static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1993{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1994 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1995 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]1996 unsigned char *cookie_len_byte;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1997
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1998 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1999
2000 /*
2001 * struct {
2002 * ProtocolVersion server_version;
2003 * opaque cookie<0..2^8-1>;
2004 * } HelloVerifyRequest;
2005 */
2006
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]2007 /* The RFC is not clear on this point, but sending the actual negotiated
2008 * version looks like the most interoperable thing to do. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2009 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2010 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2011 p += 2;
2012
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2013 /* If we get here, f_cookie_check is not null */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2014 if (ssl->conf->f_cookie_write == NULL) {
2015 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2016 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2017 }
2018
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2019 /* Skip length byte until we know the length */
2020 cookie_len_byte = p++;
2021
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2022 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2023 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2024 ssl->cli_id, ssl->cli_id_len)) != 0) {
2025 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2026 return ret;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2027 }
2028
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2029 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2030
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2031 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2032
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2033 ssl->out_msglen = (size_t) (p - ssl->out_msg);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2034 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2035 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2036
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2037 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2038
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2039 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2040 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2041 return ret;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2042 }
2043
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2044#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2045 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2046 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2047 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2048 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2049 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]2050#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2051
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2052 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2053
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2054 return 0;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2055}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2056#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2057
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2058static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2059{
2060 int ret;
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2061 mbedtls_ssl_session session_tmp;
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2062 mbedtls_ssl_session * const session = ssl->session_negotiate;
2063
2064 /* Resume is 0 by default, see ssl_handshake_init().
2065 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2066 if (ssl->handshake->resume == 1) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2067 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2068 }
2069 if (session->id_len == 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2070 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2071 }
2072 if (ssl->conf->f_get_cache == NULL) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2073 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2074 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2075#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2076 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2077 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2078 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2079#endif
2080
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2081 mbedtls_ssl_session_init(&session_tmp);
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2082
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2083 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2084 session->id,
2085 session->id_len,
2086 &session_tmp);
2087 if (ret != 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2088 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2089 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2090
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2091 if (session->ciphersuite != session_tmp.ciphersuite) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2092 /* Mismatch between cached and negotiated session */
2093 goto exit;
2094 }
2095
2096 /* Move semantics */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2097 mbedtls_ssl_session_free(session);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2098 *session = session_tmp;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2099 memset(&session_tmp, 0, sizeof(session_tmp));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2100
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2101 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2102 ssl->handshake->resume = 1;
2103
2104exit:
2105
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2106 mbedtls_ssl_session_free(&session_tmp);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2107}
2108
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2109MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2110static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2111{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2112#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]2113 mbedtls_time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2114#endif
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2115 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2116 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2117 unsigned char *buf, *p;
2118
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2119 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2120
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2121#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2122 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2123 ssl->handshake->cookie_verify_result != 0) {
2124 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2125 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2126
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2127 return ssl_write_hello_verify_request(ssl);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2128 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2129#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2130
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2131 /*
2132 * 0 . 0 handshake type
2133 * 1 . 3 handshake length
2134 * 4 . 5 protocol version
2135 * 6 . 9 UNIX time()
2136 * 10 . 37 random bytes
2137 */
2138 buf = ssl->out_msg;
2139 p = buf + 4;
2140
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2141 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]2142 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2143
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2144 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2145 buf[4], buf[5]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2147#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2148 t = mbedtls_time(NULL);
2149 MBEDTLS_PUT_UINT32_BE(t, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2150 p += 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2151
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2152 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2153 (long long) t));
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2154#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2155 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2156 return ret;
2157 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2158
2159 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2160#endif /* MBEDTLS_HAVE_TIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2161
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2162 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2163 return ret;
2164 }
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2165 p += 20;
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2166
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2167#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2168 /*
2169 * RFC 8446
2170 * TLS 1.3 has a downgrade protection mechanism embedded in the server's
2171 * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
2172 * response to a ClientHello MUST set the last 8 bytes of their Random
2173 * value specially in their ServerHello.
2174 */
2175 if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2176 static const unsigned char magic_tls12_downgrade_string[] =
2177 { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
2178
2179 MBEDTLS_STATIC_ASSERT(
2180 sizeof(magic_tls12_downgrade_string) == 8,
2181 "magic_tls12_downgrade_string does not have the expected size");
2182
Ronald Cronfe01ec22023-04-06 09:56:53 +0200[diff] [blame]2183 memcpy(p, magic_tls12_downgrade_string,
2184 sizeof(magic_tls12_downgrade_string));
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2185 } else
2186#endif
2187 {
2188 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
2189 return ret;
2190 }
2191 }
2192 p += 8;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2193
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2194 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2195
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2196 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2197
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2198 ssl_handle_id_based_session_resumption(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2199
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2200 if (ssl->handshake->resume == 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2201 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2202 * New session, create a new session id,
2203 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2204 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205 ssl->state++;
2206
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2207#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2208 ssl->session_negotiate->start = mbedtls_time(NULL);
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]2209#endif
2210
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2211#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2212 if (ssl->handshake->new_session_ticket != 0) {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2213 ssl->session_negotiate->id_len = n = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2214 memset(ssl->session_negotiate->id, 0, 32);
2215 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2216#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2217 {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2218 ssl->session_negotiate->id_len = n = 32;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2219 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2220 n)) != 0) {
2221 return ret;
2222 }
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2223 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2224 } else {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2225 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2226 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2227 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2228 n = ssl->session_negotiate->id_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2229 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2230
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2231 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2232 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2233 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2234 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2235 }
2236
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2237 /*
2238 * 38 . 38 session id length
2239 * 39 . 38+n session id
2240 * 39+n . 40+n chosen ciphersuite
2241 * 41+n . 41+n chosen compression alg.
2242 * 42+n . 43+n extensions length
2243 * 44+n . 43+n+m extensions
2244 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2245 *p++ = (unsigned char) ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2246 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2247 p += ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2248
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2249 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2250 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2251 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2252 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2254 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2255 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2256 *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2257
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2258 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2259 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2260 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2261 (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2262
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2263 /*
2264 * First write extensions, then the total length
2265 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2266 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2267 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2268
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2269#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2270 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2271 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]2272#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2273
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2274#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2275 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]2276 ext_len += olen;
2277#endif
2278
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]2279#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2280 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2281 ext_len += olen;
2282#endif
2283
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2284#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2285 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2286 ext_len += olen;
2287#endif
2288
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2289#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2290 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2291 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2292#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2293
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]2294#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]2295 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2296 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2297 const mbedtls_ssl_ciphersuite_t *suite =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2298 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2299 if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2300 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]2301 ext_len += olen;
2302 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2303#endif
2304
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2305#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2306 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2307 ext_len += olen;
2308#endif
2309
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2310#if defined(MBEDTLS_SSL_ALPN)
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2311 unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2312 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2313 != 0) {
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2314 return ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2315 }
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2316
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2317 ext_len += olen;
2318#endif
2319
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2320#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2321 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]2322 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2323#endif
2324
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2325 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2326 ext_len));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2327
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2328 if (ext_len > 0) {
2329 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani94180e72021-08-20 16:20:44 +0100[diff] [blame]2330 p += 2 + ext_len;
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]2331 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2332
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2333 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2334 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2335 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2336
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2337 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2338
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2339 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2340
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2341 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2342}
2343
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2344#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2345MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2346static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2347{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2348 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2349 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2350
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2351 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2352
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2353 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2354 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2355 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2356 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2357 }
2358
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2359 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2360 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2361}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2362#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2363MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2364static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2365{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2366 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2367 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2368 ssl->handshake->ciphersuite_info;
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2369 uint16_t dn_size, total_dn_size; /* excluding length bytes */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2370 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2371 unsigned char *buf, *p;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2372 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2373 const mbedtls_x509_crt *crt;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2374 int authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2375
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2376 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2377
2378 ssl->state++;
2379
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2380#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2381 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2382 authmode = ssl->handshake->sni_authmode;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2383 } else
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2384#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2385 authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2387 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2388 authmode == MBEDTLS_SSL_VERIFY_NONE) {
2389 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2390 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2391 }
2392
2393 /*
2394 * 0 . 0 handshake type
2395 * 1 . 3 handshake length
2396 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2397 * 5 .. m-1 cert types
2398 * m .. m+1 sig alg length (TLS 1.2 only)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2399 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2400 * n .. n+1 length of all DNs
2401 * n+2 .. n+3 length of DN 1
2402 * n+4 .. ... Distinguished Name #1
2403 * ... .. ... length of DN 2, etc.
2404 */
2405 buf = ssl->out_msg;
2406 p = buf + 4;
2407
2408 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2409 * Supported certificate types
2410 *
2411 * ClientCertificateType certificate_types<1..2^8-1>;
2412 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2413 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2414 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2416#if defined(MBEDTLS_RSA_C)
2417 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2418#endif
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2419#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2420 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2421#endif
2422
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2423 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2424 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2425
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2426 sa_len = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]2427
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2428 /*
2429 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2430 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2431 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2432 *
2433 * struct {
2434 * HashAlgorithm hash;
2435 * SignatureAlgorithm signature;
2436 * } SignatureAndHashAlgorithm;
2437 *
2438 * enum { (255) } HashAlgorithm;
2439 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2440 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2441 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2442 if (sig_alg == NULL) {
2443 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2444 }
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2445
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2446 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2447 unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
Jerry Yu6106fdc2022-01-12 16:36:14 +0800[diff] [blame]2448
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2449 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2450 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2451 }
2452 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2453 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2454 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2455
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2456 /* Write elements at offsets starting from 1 (offset 0 is for the
2457 * length). Thus the offset of each element is the length of the
2458 * partial list including that element. */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2459 sa_len += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2460 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2461
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2462 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2463
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2464 /* Fill in list length. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2465 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2466 sa_len += 2;
2467 p += sa_len;
2468
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2469 /*
2470 * DistinguishedName certificate_authorities<0..2^16-1>;
2471 * opaque DistinguishedName<1..2^16-1>;
2472 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2473 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2474
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]2475 total_dn_size = 0;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2476
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2477 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
Hanno Becker8bf74f32019-03-27 11:01:30 +0000[diff] [blame]2478 /* NOTE: If trusted certificates are provisioned
2479 * via a CA callback (configured through
2480 * `mbedtls_ssl_conf_ca_cb()`, then the
2481 * CertificateRequest is currently left empty. */
2482
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2483#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2484#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2485 if (ssl->handshake->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2486 crt = ssl->handshake->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2487 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2488#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2489 if (ssl->conf->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2490 crt = ssl->conf->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2491 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2492#endif
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2493#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2494 if (ssl->handshake->sni_ca_chain != NULL) {
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2495 crt = ssl->handshake->sni_ca_chain;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2496 } else
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2497#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2498 crt = ssl->conf->ca_chain;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2499
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2500 while (crt != NULL && crt->version != 0) {
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2501 /* It follows from RFC 5280 A.1 that this length
2502 * can be represented in at most 11 bits. */
2503 dn_size = (uint16_t) crt->subject_raw.len;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2504
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2505 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2506 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2507 break;
2508 }
2509
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2510 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2511 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2512 memcpy(p, crt->subject_raw.p, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2513 p += dn_size;
2514
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2515 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2516
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2517 total_dn_size += (unsigned short) (2 + dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2518 crt = crt->next;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2519 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2520 }
2521
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2522 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2523 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2524 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2525 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2526
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2527 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2529 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2530
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2531 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2532}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2533#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2534
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2535#if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2536 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2537MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2538static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2539{
2540 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2541 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2542 mbedtls_pk_context *pk;
2543 mbedtls_pk_type_t pk_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2544 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2545 unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
2546 size_t key_len;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2547#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2548 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2549 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2550 mbedtls_ecp_group_id grp_id;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2551 mbedtls_ecp_keypair *key;
2552#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2553
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2554 pk = mbedtls_ssl_own_key(ssl);
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2555
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2556 if (pk == NULL) {
2557 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2558 }
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2559
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2560 pk_type = mbedtls_pk_get_type(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2561
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2562 switch (pk_type) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2563 case MBEDTLS_PK_OPAQUE:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2564#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2565 case MBEDTLS_PK_ECKEY:
2566 case MBEDTLS_PK_ECKEY_DH:
2567 case MBEDTLS_PK_ECDSA:
2568#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2569 if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2570 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2571 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2572
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2573 /* Get the attributes of the key previously parsed by PK module in
2574 * order to extract its type and length (in bits). */
2575 status = psa_get_key_attributes(pk->priv_id, &key_attributes);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2576 if (status != PSA_SUCCESS) {
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2577 ret = PSA_TO_MBEDTLS_ERR(status);
2578 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2579 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2580 ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2581 ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2582
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2583#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2584 if (pk_type != MBEDTLS_PK_OPAQUE) {
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2585 /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
2586 * module and only have ECDSA capabilities. Since we need
2587 * them for ECDH later, we export and then re-import them with
2588 * proper flags and algorithm. Of course We also set key's type
2589 * and bits that we just got above. */
2590 key_attributes = psa_key_attributes_init();
2591 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2592 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2593 psa_set_key_type(&key_attributes,
2594 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2595 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2596
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2597 status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
2598 if (status != PSA_SUCCESS) {
2599 ret = PSA_TO_MBEDTLS_ERR(status);
2600 goto exit;
2601 }
2602 status = psa_import_key(&key_attributes, buf, key_len,
2603 &ssl->handshake->xxdh_psa_privkey);
2604 if (status != PSA_SUCCESS) {
2605 ret = PSA_TO_MBEDTLS_ERR(status);
2606 goto exit;
2607 }
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2608
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2609 /* Set this key as owned by the TLS library: it will be its duty
2610 * to clear it exit. */
2611 ssl->handshake->xxdh_psa_privkey_is_external = 0;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2612
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2613 ret = 0;
2614 break;
2615 }
2616#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2617
2618 /* Opaque key is created by the user (externally from Mbed TLS)
2619 * so we assume it already has the right algorithm and flags
2620 * set. Just copy its ID as reference. */
2621 ssl->handshake->xxdh_psa_privkey = pk->priv_id;
2622 ssl->handshake->xxdh_psa_privkey_is_external = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2623 ret = 0;
2624 break;
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2625
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2626#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2627 case MBEDTLS_PK_ECKEY:
2628 case MBEDTLS_PK_ECKEY_DH:
2629 case MBEDTLS_PK_ECDSA:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2630 key = mbedtls_pk_ec_rw(*pk);
Valerio Settif9362b72023-11-29 08:42:27 +0100[diff] [blame]2631 grp_id = mbedtls_pk_get_ec_group_id(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2632 if (grp_id == MBEDTLS_ECP_DP_NONE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2633 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2634 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2635 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2636 if (tls_id == 0) {
2637 /* This elliptic curve is not supported */
2638 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2639 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2640
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2641 /* If the above conversion to TLS ID was fine, then also this one will
2642 be, so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2643 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2644 &ssl->handshake->xxdh_psa_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2645
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2646 ssl->handshake->xxdh_psa_type = key_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2647
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2648 key_attributes = psa_key_attributes_init();
2649 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2650 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2651 psa_set_key_type(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2652 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2653 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2654
Gilles Peskine84b9f1b2024-02-19 16:44:29 +0100[diff] [blame]2655 ret = mbedtls_ecp_write_key_ext(key, &key_len, buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2656 if (ret != 0) {
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2657 mbedtls_platform_zeroize(buf, sizeof(buf));
2658 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2659 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2660
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2661 status = psa_import_key(&key_attributes, buf, key_len,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2662 &ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2663 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2664 ret = PSA_TO_MBEDTLS_ERR(status);
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2665 mbedtls_platform_zeroize(buf, sizeof(buf));
2666 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2667 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2668
Valerio Setti6835b4a2023-06-22 09:06:31 +0200[diff] [blame]2669 mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2670 ret = 0;
2671 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2672#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2673 default:
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2674 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2675 }
2676
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2677exit:
2678 psa_reset_key_attributes(&key_attributes);
2679 mbedtls_platform_zeroize(buf, sizeof(buf));
2680
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2681 return ret;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2682}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2683#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2684 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2685
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2686#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2687 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2688MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2689static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2690 size_t *signature_len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2691{
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]2692 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2693 * signature length which will be added in ssl_write_server_key_exchange
2694 * after the call to ssl_prepare_server_key_exchange.
2695 * ssl_write_server_key_exchange also takes care of incrementing
2696 * ssl->out_msglen. */
2697 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2698 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2699 - sig_start);
2700 int ret = ssl->conf->f_async_resume(ssl,
2701 sig_start, signature_len, sig_max_len);
2702 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]2703 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2704 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2705 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2706 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2707 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2708}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2709#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2710 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2711
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]2712/* Prepare the ServerKeyExchange message, up to and including
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]2713 * calculating the signature if any, but excluding formatting the
2714 * signature and sending the message. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2715MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2716static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2717 size_t *signature_len)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]2718{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2719 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2720 ssl->handshake->ciphersuite_info;
2721
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2722#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2723#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine3ce9b902018-01-06 01:34:21 +0100[diff] [blame]2724 unsigned char *dig_signed = NULL;
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2725#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2726#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2727
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2728 (void) ciphersuite_info; /* unused in some configurations */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2729#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine22e695f2018-04-26 00:22:50 +0200[diff] [blame]2730 (void) signature_len;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2731#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2732
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2733#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2734#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2735 size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2736#else
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2737 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2738#endif
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2739#endif
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2740
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2741 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2742
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2743 /*
2744 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2745 * Part 1: Provide key exchange parameters for chosen ciphersuite.
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2746 *
2747 */
2748
2749 /*
2750 * - ECJPAKE key exchanges
2751 */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2752#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2753 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2754 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2755 unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2756 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2757 ssl->out_msglen;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2758 size_t output_offset = 0;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2759 size_t output_len = 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2760
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2761 /*
2762 * The first 3 bytes are:
2763 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2764 * [1, 2] elliptic curve's TLS ID
2765 *
2766 * However since we only support secp256r1 for now, we hardcode its
2767 * TLS ID here
2768 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2769 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2770 MBEDTLS_ECP_DP_SECP256R1);
2771 if (tls_id == 0) {
2772 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2773 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2774 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2775 MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
Valerio Setti819de862022-11-17 18:05:19 +0100[diff] [blame]2776 output_offset += 3;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2777
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2778 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2779 out_p + output_offset,
2780 end_p - out_p - output_offset, &output_len,
2781 MBEDTLS_ECJPAKE_ROUND_TWO);
2782 if (ret != 0) {
2783 psa_destroy_key(ssl->handshake->psa_pake_password);
2784 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2785 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2786 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2787 }
2788
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2789 output_offset += output_len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2790 ssl->out_msglen += output_offset;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2791 }
2792#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2793
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2794 /*
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2795 * For ECDHE key exchanges with PSK, parameters are prefixed by support
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2796 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2797 * we use empty support identity hints here.
2798 **/
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2799#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2800 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2801 ssl->out_msg[ssl->out_msglen++] = 0x00;
2802 ssl->out_msg[ssl->out_msglen++] = 0x00;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2803 }
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2804#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2805
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2806 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2807 * - DHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2808 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2809#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2810 if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2811 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2812 size_t len = 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2813
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2814 if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
2815 MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
2816 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]2817 }
2818
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2819 /*
2820 * Ephemeral DH parameters:
2821 *
2822 * struct {
2823 * opaque dh_p<1..2^16-1>;
2824 * opaque dh_g<1..2^16-1>;
2825 * opaque dh_Ys<1..2^16-1>;
2826 * } ServerDHParams;
2827 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2828 if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
2829 &ssl->conf->dhm_P,
2830 &ssl->conf->dhm_G)) != 0) {
2831 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
2832 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2833 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2834
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2835 if ((ret = mbedtls_dhm_make_params(
2836 &ssl->handshake->dhm_ctx,
2837 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2838 ssl->out_msg + ssl->out_msglen, &len,
2839 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2840 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
2841 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2842 }
2843
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2844#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2845 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2846#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2847
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2848 ssl->out_msglen += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2849
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2850 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2851 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2852 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2853 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2854 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2855#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2856
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2857 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2858 * - ECDHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2859 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2860#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2861 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2862 /*
2863 * Ephemeral ECDH parameters:
2864 *
2865 * struct {
2866 * ECParameters curve_params;
2867 * ECPoint public;
2868 * } ServerECDHParams;
2869 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2870 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
Manuel Pégourié-Gonnard6402c352025-01-14 12:23:56 +0100[diff] [blame]2871 const uint16_t *group_list = ssl->conf->group_list;
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2872 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2873 size_t len = 0;
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2874
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2875 /* Match our preference list against the offered curves */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2876 if ((group_list == NULL) || (curr_tls_id == NULL)) {
2877 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2878 }
2879 for (; *group_list != 0; group_list++) {
2880 for (curr_tls_id = ssl->handshake->curves_tls_id;
2881 *curr_tls_id != 0; curr_tls_id++) {
2882 if (*curr_tls_id == *group_list) {
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2883 goto curve_matching_done;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2884 }
2885 }
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2886 }
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +0100[diff] [blame]2887
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2888curve_matching_done:
2889 if (*curr_tls_id == 0) {
2890 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2891 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2892 }
2893
2894 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2895 mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2896
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2897 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2898 psa_key_attributes_t key_attributes;
2899 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2900 uint8_t *p = ssl->out_msg + ssl->out_msglen;
2901 const size_t header_size = 4; // curve_type(1), namedcurve(2),
2902 // data length(1)
2903 const size_t data_length_size = 1;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2904 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2905 size_t ec_bits = 0;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2906
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2907 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2908
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2909 /* Convert EC's TLS ID to PSA key type. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2910 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2911 &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2912 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
2913 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
2914 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2915 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2916 handshake->xxdh_psa_type = key_type;
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2917 handshake->xxdh_psa_bits = ec_bits;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2918
2919 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2920 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2921 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2922 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2923 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2924
2925 /*
2926 * ECParameters curve_params
2927 *
2928 * First byte is curve_type, always named_curve
2929 */
2930 *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
2931
2932 /*
2933 * Next two bytes are the namedcurve value
2934 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2935 MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2936 p += 2;
2937
2938 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2939 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2940 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2941 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2942 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2943 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
2944 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2945 }
2946
2947 /*
2948 * ECPoint public
2949 *
2950 * First byte is data length.
2951 * It will be filled later. p holds now the data length location.
2952 */
2953
2954 /* Export the public part of the ECDH private key from PSA.
2955 * Make one byte space for the length.
2956 */
2957 unsigned char *own_pubkey = p + data_length_size;
2958
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2959 size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
2960 - (own_pubkey - ssl->out_msg));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2961
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2962 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2963 own_pubkey, own_pubkey_max_len,
2964 &len);
2965 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2966 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2967 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2968 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
2969 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2970 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2971 }
2972
2973 /* Store the length of the exported public key. */
2974 *p = (uint8_t) len;
2975
2976 /* Determine full message length. */
2977 len += header_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2978
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2979#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2980 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2981#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2982
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2983 ssl->out_msglen += len;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2984 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2985#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2986
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2987 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2988 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2989 * Part 2: For key exchanges involving the server signing the
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2990 * exchange parameters, compute and add the signature here.
2991 *
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2992 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2993#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2994 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
2995 if (dig_signed == NULL) {
2996 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2997 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Elliott11420382022-05-13 17:43:47 +0100[diff] [blame]2998 }
2999
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]3000 size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed);
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]3001 size_t hashlen = 0;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]3002 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel51669542022-09-13 12:57:05 +0200[diff] [blame]3003
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3004 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3005
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3006 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3007 * 2.1: Choose hash algorithm:
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]3008 * For TLS 1.2, obey signature-hash-algorithm extension
3009 * to choose appropriate hash.
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3010 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3011
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3012 mbedtls_pk_type_t sig_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3013 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3014
Dave Rodgmanc37ad442023-11-03 23:36:06 +0000[diff] [blame]3015 unsigned char sig_hash =
3016 (unsigned char) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3017 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3018
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3019 mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3020
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3021 /* For TLS 1.2, obey signature-hash-algorithm extension
3022 * (RFC 5246, Sec. 7.4.1.4.1). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3023 if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
3024 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3025 /* (... because we choose a cipher suite
3026 * only if there is a matching hash.) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3027 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3028 }
3029
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3030 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3031
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3032 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3033 * 2.2: Compute the hash to be signed
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3034 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3035 if (md_alg != MBEDTLS_MD_NONE) {
3036 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3037 dig_signed,
3038 dig_signed_len,
3039 md_alg);
3040 if (ret != 0) {
3041 return ret;
3042 }
3043 } else {
3044 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3045 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3046 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3047
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3048 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3049
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3050 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3051 * 2.3: Compute and add the signature
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3052 */
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3053 /*
3054 * We need to specify signature and hash algorithm explicitly through
3055 * a prefix to the signature.
3056 *
3057 * struct {
3058 * HashAlgorithm hash;
3059 * SignatureAlgorithm signature;
3060 * } SignatureAndHashAlgorithm;
3061 *
3062 * struct {
3063 * SignatureAndHashAlgorithm algorithm;
3064 * opaque signature<0..2^16-1>;
3065 * } DigitallySigned;
3066 *
3067 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3068
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3069 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3070 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3071
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3072#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3073 if (ssl->conf->f_async_sign_start != NULL) {
3074 ret = ssl->conf->f_async_sign_start(ssl,
3075 mbedtls_ssl_own_cert(ssl),
3076 md_alg, hash, hashlen);
3077 switch (ret) {
3078 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3079 /* act as if f_async_sign was null */
3080 break;
3081 case 0:
3082 ssl->handshake->async_in_progress = 1;
3083 return ssl_resume_server_key_exchange(ssl, signature_len);
3084 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3085 ssl->handshake->async_in_progress = 1;
3086 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3087 default:
3088 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3089 return ret;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3090 }
3091 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3092#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3093
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3094 if (mbedtls_ssl_own_key(ssl) == NULL) {
3095 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3096 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3097 }
3098
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]3099 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3100 * signature length which will be added in ssl_write_server_key_exchange
3101 * after the call to ssl_prepare_server_key_exchange.
3102 * ssl_write_server_key_exchange also takes care of incrementing
3103 * ssl->out_msglen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3104 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3105 md_alg, hash, hashlen,
3106 ssl->out_msg + ssl->out_msglen + 2,
3107 out_buf_len - ssl->out_msglen - 2,
3108 signature_len,
3109 ssl->conf->f_rng,
3110 ssl->conf->p_rng)) != 0) {
3111 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3112 return ret;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3113 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3114 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3115#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3116
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3117 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3118}
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3119
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3120/* Prepare the ServerKeyExchange message and send it. For ciphersuites
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3121 * that do not include a ServerKeyExchange message, do nothing. Either
3122 * way, if successful, move on to the next step in the SSL state
3123 * machine. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3124MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3125static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3126{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3127 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3128 size_t signature_len = 0;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3129#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3130 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3131 ssl->handshake->ciphersuite_info;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3132#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3133
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3134 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3135
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3136#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3137 /* Extract static ECDH parameters and abort if ServerKeyExchange
3138 * is not needed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3139 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3140 /* For suites involving ECDH, extract DH parameters
3141 * from certificate at this point. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3142#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3143 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3144 ret = ssl_get_ecdh_params_from_cert(ssl);
3145 if (ret != 0) {
3146 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3147 return ret;
Manuel Pégourié-Gonnardb64fb622022-06-10 09:34:20 +0200[diff] [blame]3148 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3149 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3150#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3151
3152 /* Key exchanges not involving ephemeral keys don't use
3153 * ServerKeyExchange, so end here. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3154 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3155 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3156 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3157 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3158#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3159
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3160#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3161 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3162 /* If we have already prepared the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3163 * signature operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3164 if (ssl->handshake->async_in_progress != 0) {
3165 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3166 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3167 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3168#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3169 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3170 {
3171 /* ServerKeyExchange is needed. Prepare the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3172 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3173 }
3174
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3175 if (ret != 0) {
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]3176 /* If we're starting to write a new message, set ssl->out_msglen
3177 * to 0. But if we're resuming after an asynchronous message,
3178 * out_msglen is the amount of data written so far and mst be
3179 * preserved. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3180 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3181 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3182 } else {
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3183 ssl->out_msglen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3184 }
3185 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3186 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3187
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3188 /* If there is a signature, write its length.
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3189 * ssl_prepare_server_key_exchange already wrote the signature
3190 * itself at its proper place in the output buffer. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3191#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3192 if (signature_len != 0) {
3193 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3194 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3195
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3196 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3197 ssl->out_msg + ssl->out_msglen,
3198 signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3199
3200 /* Skip over the already-written signature */
3201 ssl->out_msglen += signature_len;
3202 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3203#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3204
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3205 /* Add header and send. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3206 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3207 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3208
3209 ssl->state++;
3210
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3211 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3212 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3213 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3214 }
3215
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3216 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3217 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3218}
3219
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3220MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3221static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3222{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3223 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3224
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3225 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3226
3227 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3228 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3229 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3230
3231 ssl->state++;
3232
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3233#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3234 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3235 mbedtls_ssl_send_flight_completed(ssl);
3236 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3237#endif
3238
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3239 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3240 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3241 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3242 }
3243
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3244#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3245 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3246 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3247 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3248 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3249 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3250#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3251
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3252 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3254 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3255}
3256
Gilles Peskineac767e52024-09-20 18:08:44 +0200[diff] [blame]3257#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3258
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3259#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3260MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3261static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3262 unsigned char *peer_pms,
3263 size_t *peer_pmslen,
3264 size_t peer_pmssize)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3265{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3266 int ret = ssl->conf->f_async_resume(ssl,
3267 peer_pms, peer_pmslen, peer_pmssize);
3268 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]3269 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3270 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3271 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3272 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3273 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3274}
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3275#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3276
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3277MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3278static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3279 const unsigned char *p,
3280 const unsigned char *end,
3281 unsigned char *peer_pms,
3282 size_t *peer_pmslen,
3283 size_t peer_pmssize)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3284{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3285 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3287 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3288 if (own_cert == NULL) {
3289 MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3290 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3291 }
3292 mbedtls_pk_context *public_key = &own_cert->pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3293 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3294 size_t len = mbedtls_pk_get_len(public_key);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3295
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3296#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3297 /* If we have already started decoding the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3298 * decryption operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3299 if (ssl->handshake->async_in_progress != 0) {
3300 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3301 return ssl_resume_decrypt_pms(ssl,
3302 peer_pms, peer_pmslen, peer_pmssize);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3303 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3304#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3305
3306 /*
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3307 * Prepare to decrypt the premaster using own private RSA key
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3308 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3309 if (p + 2 > end) {
3310 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3311 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]3312 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3313 if (*p++ != MBEDTLS_BYTE_1(len) ||
3314 *p++ != MBEDTLS_BYTE_0(len)) {
3315 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3316 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3317 }
3318
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3319 if (p + len != end) {
3320 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3321 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3322 }
3323
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3324 /*
3325 * Decrypt the premaster secret
3326 */
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3327#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3328 if (ssl->conf->f_async_decrypt_start != NULL) {
3329 ret = ssl->conf->f_async_decrypt_start(ssl,
3330 mbedtls_ssl_own_cert(ssl),
3331 p, len);
3332 switch (ret) {
3333 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3334 /* act as if f_async_decrypt_start was null */
3335 break;
3336 case 0:
3337 ssl->handshake->async_in_progress = 1;
3338 return ssl_resume_decrypt_pms(ssl,
3339 peer_pms,
3340 peer_pmslen,
3341 peer_pmssize);
3342 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3343 ssl->handshake->async_in_progress = 1;
3344 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3345 default:
3346 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3347 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3348 }
3349 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3350#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3351
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3352 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3353 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3354 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3355 }
3356
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3357 ret = mbedtls_pk_decrypt(private_key, p, len,
3358 peer_pms, peer_pmslen, peer_pmssize,
3359 ssl->conf->f_rng, ssl->conf->p_rng);
3360 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3361}
3362
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3363MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3364static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3365 const unsigned char *p,
3366 const unsigned char *end,
3367 size_t pms_offset)
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3368{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3369 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3370 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3371 unsigned char ver[2];
3372 unsigned char fake_pms[48], peer_pms[48];
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3373 size_t peer_pmslen;
3374 mbedtls_ct_condition_t diff;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3375
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3376 /* In case of a failure in decryption, the decryption may write less than
3377 * 2 bytes of output, but we always read the first two bytes. It doesn't
3378 * matter in the end because diff will be nonzero in that case due to
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3379 * ret being nonzero, and we only care whether diff is 0.
3380 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3381 * also makes memory analyzers happy (don't access uninitialized memory,
3382 * even if it's an unsigned char). */
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3383 peer_pms[0] = peer_pms[1] = ~0;
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3384 peer_pmslen = 0;
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3385
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3386 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3387 peer_pms,
3388 &peer_pmslen,
3389 sizeof(peer_pms));
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3390
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3391#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3392 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3393 return ret;
3394 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3395#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3396
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3397 mbedtls_ssl_write_version(ver, ssl->conf->transport,
3398 ssl->session_negotiate->tls_version);
Gilles Peskine2e333372018-04-24 13:22:10 +0200[diff] [blame]3399
3400 /* Avoid data-dependent branches while checking for invalid
3401 * padding, to protect against timing-based Bleichenbacher-type
3402 * attacks. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3403 diff = mbedtls_ct_bool(ret);
Dave Rodgmanb7825ce2023-08-10 11:58:18 +0100[diff] [blame]3404 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
3405 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
3406 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
Manuel Pégourié-Gonnardb9c93d02015-06-23 13:53:15 +0200[diff] [blame]3407
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3408 /*
3409 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3410 * must not cause the connection to end immediately; instead, send a
3411 * bad_record_mac later in the handshake.
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3412 * To protect against timing-based variants of the attack, we must
3413 * not have any branch that depends on whether the decryption was
3414 * successful. In particular, always generate the fake premaster secret,
3415 * regardless of whether it will ultimately influence the output or not.
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3416 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3417 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3418 if (ret != 0) {
Gilles Peskinee1416382018-04-26 10:23:21 +0200[diff] [blame]3419 /* It's ok to abort on an RNG failure, since this does not reveal
3420 * anything about the RSA decryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3421 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3422 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3423
Manuel Pégourié-Gonnard331ba572015-04-20 12:33:57 +0100[diff] [blame]3424#if defined(MBEDTLS_SSL_DEBUG_ALL)
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3425 if (diff != MBEDTLS_CT_FALSE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3426 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3427 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3428#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3429
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3430 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3431 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3432 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3433 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3434 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3435 ssl->handshake->pmslen = 48;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3436
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3437 /* Set pms to either the true or the fake PMS, without
3438 * data-dependent branches. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3439 mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3440
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3441 return 0;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3442}
Gilles Peskineac767e52024-09-20 18:08:44 +0200[diff] [blame]3443#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3444
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3445#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3446MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3447static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3448 const unsigned char *end)
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3449{
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3450 int ret = 0;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]3451 uint16_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3452
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3453 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3454 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3455 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3456 }
3457
3458 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3459 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3460 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3461 if (end - *p < 2) {
3462 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3463 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3464 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3465
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3466 n = MBEDTLS_GET_UINT16_BE(*p, 0);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3467 *p += 2;
3468
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3469 if (n == 0 || n > end - *p) {
3470 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3471 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3472 }
3473
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3474 if (ssl->conf->f_psk != NULL) {
3475 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3476 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3477 }
3478 } else {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]3479 /* Identity is not a big secret since clients send it in the clear,
3480 * but treat it carefully anyway, just in case */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3481 if (n != ssl->conf->psk_identity_len ||
3482 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3483 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3484 }
3485 }
3486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3487 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3488 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3489 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3490 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3491 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3492 }
3493
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3494 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3496 return 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3497}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3498#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3499
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3500MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3501static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3502{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3503 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3504 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3505 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3506
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3507 ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3509 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3510
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3511#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
Gilles Peskineac767e52024-09-20 18:08:44 +0200[diff] [blame]3512 defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine712e9a12024-09-20 18:11:31 +0200[diff] [blame]3513 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3514 (ssl->handshake->async_in_progress != 0)) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3515 /* We've already read a record and there is an asynchronous
3516 * operation in progress to decrypt it. So skip reading the
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3517 * record. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3518 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3519 } else
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3520#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3521 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3522 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3523 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3524 }
3525
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3526 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3527 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnardf8995832014-09-10 08:25:12 +0000[diff] [blame]3528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3529 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3530 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3531 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3532 }
3533
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3534 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3535 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3536 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3537 }
3538
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3539#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3540 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3541 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3542 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3543 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]3544 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3545 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3546 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3547 size_t data_len = (size_t) (*p++);
3548 size_t buf_len = (size_t) (end - p);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3549 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3550 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3551
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3552 MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key."));
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3553
3554 /*
Przemek Stekiel338b61d2022-03-15 08:03:43 +0100[diff] [blame]3555 * We must have at least two bytes (1 for length, at least 1 for data)
3556 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3557 if (buf_len < 2) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3558 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET,
3559 buf_len));
3560 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3561 }
3562
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3563 if (data_len < 1 || data_len > buf_len) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3564 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET
3565 " > %" MBEDTLS_PRINTF_SIZET,
3566 data_len, buf_len));
3567 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3568 }
3569
3570 /* Store peer's ECDH public key. */
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3571 if (data_len > sizeof(handshake->xxdh_psa_peerkey)) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3572 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
3573 " > %" MBEDTLS_PRINTF_SIZET,
3574 data_len,
3575 sizeof(handshake->xxdh_psa_peerkey)));
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3576 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3577 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3578 memcpy(handshake->xxdh_psa_peerkey, p, data_len);
3579 handshake->xxdh_psa_peerkey_len = data_len;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3580
3581 /* Compute ECDH shared secret. */
3582 status = psa_raw_key_agreement(
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3583 PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
3584 handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3585 handshake->premaster, sizeof(handshake->premaster),
3586 &handshake->pmslen);
3587 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3588 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3589 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3590 if (handshake->xxdh_psa_privkey_is_external == 0) {
3591 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3592 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3593 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3594 return ret;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3595 }
3596
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3597 if (handshake->xxdh_psa_privkey_is_external == 0) {
3598 status = psa_destroy_key(handshake->xxdh_psa_privkey);
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3599
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3600 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3601 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3602 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3603 return ret;
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3604 }
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3605 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3606 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3607 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3608#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3609 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3610 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3611 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3612#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3613 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3614 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3615 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3616 return ret;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3617 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3618
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3619 if (p != end) {
3620 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3621 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3622 }
3623
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3624 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3625#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3626#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3627 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3628 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3629 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
Michael Schuster7e390282024-05-27 20:07:05 +0200[diff] [blame]3630 size_t ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3631
3632 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3633
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3634 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3635 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3636 psa_destroy_key(handshake->xxdh_psa_privkey);
3637 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3638 return ret;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3639 }
3640
3641 /* Keep a copy of the peer's public key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3642 if (p >= end) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3643 psa_destroy_key(handshake->xxdh_psa_privkey);
3644 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3645 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong3cae1672022-04-05 10:01:15 +0200[diff] [blame]3646 }
3647
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3648 ecpoint_len = *(p++);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3649 if ((size_t) (end - p) < ecpoint_len) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3650 psa_destroy_key(handshake->xxdh_psa_privkey);
3651 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3652 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3653 }
3654
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3655 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
3656 the sizes of the FFDH keys which are at least 2048 bits.
3657 The size of the array is thus greater than 256 bytes which is greater than any
3658 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3659#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3660 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
3661 psa_destroy_key(handshake->xxdh_psa_privkey);
3662 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3663 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3664 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]3665#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3666 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
3667 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3668#endif
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3669
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3670 memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
3671 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3672 p += ecpoint_len;
3673
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3674 /* As RFC 5489 section 2, the premaster secret is formed as follows:
Neil Armstrongfdf20cb2022-03-24 09:43:02 +0100[diff] [blame]3675 * - a uint16 containing the length (in octets) of the ECDH computation
3676 * - the octet string produced by the ECDH computation
3677 * - a uint16 containing the length (in octets) of the PSK
3678 * - the PSK itself
3679 */
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3680 unsigned char *psm = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3681 const unsigned char * const psm_end =
3682 psm + sizeof(ssl->handshake->premaster);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3683 /* uint16 to store length (in octets) of the ECDH computation */
3684 const size_t zlen_size = 2;
Neil Armstrong549a3e42022-03-23 18:16:24 +0100[diff] [blame]3685 size_t zlen = 0;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3686
3687 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3688 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3689 handshake->xxdh_psa_privkey,
3690 handshake->xxdh_psa_peerkey,
3691 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3692 psm + zlen_size,
3693 psm_end - (psm + zlen_size),
3694 &zlen);
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3695
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3696 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3697 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3698
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3699 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3700 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3701 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3702 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3703 }
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3704
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3705 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3706 MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3707 psm += zlen_size + zlen;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3708
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3709 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3710#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3711#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3712 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
3713 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
3714 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
3715 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3716 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3717 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3718#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3719#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3720 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3721 if ((ret = mbedtls_psa_ecjpake_read_round(
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]3722 &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3723 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
3724 psa_destroy_key(ssl->handshake->psa_pake_password);
3725 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3726
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3727 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
3728 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3729 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3730 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3731#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3732 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3733 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3734 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3735 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3736
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3737 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3738 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3739 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3740 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3741
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3742 ssl->state++;
3743
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3744 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3745
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3746 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3747}
3748
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3749#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3750MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3751static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3752{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3753 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3754 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3755
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3756 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3757
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3758 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3759 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3760 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3761 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3762 }
3763
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3764 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3765 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3766}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3767#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3768MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3769static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3770{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3771 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3772 size_t i, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3773 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3774 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3775 size_t hashlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3776 mbedtls_pk_type_t pk_alg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3777 mbedtls_md_type_t md_alg;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3778 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3779 ssl->handshake->ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3780 mbedtls_pk_context *peer_pk;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3781
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3782 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3783
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3784 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3785 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3786 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3787 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3788 }
3789
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3790#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3791 if (ssl->session_negotiate->peer_cert == NULL) {
3792 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3793 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3794 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3795 }
3796#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3797 if (ssl->session_negotiate->peer_cert_digest == NULL) {
3798 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3799 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3800 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3801 }
3802#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3803
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3804 /* Read the message without adding it to the checksum */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3805 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
3806 if (0 != ret) {
3807 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
3808 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3809 }
3810
3811 ssl->state++;
3812
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3813 /* Process the message contents */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3814 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
3815 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
3816 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3817 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3818 }
3819
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3820 i = mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3821
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3822#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3823 peer_pk = &ssl->handshake->peer_pubkey;
3824#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3825 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3826 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3827 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3828 }
3829 peer_pk = &ssl->session_negotiate->peer_cert->pk;
3830#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3831
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3832 /*
3833 * struct {
3834 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
3835 * opaque signature<0..2^16-1>;
3836 * } DigitallySigned;
3837 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3838 if (i + 2 > ssl->in_hslen) {
3839 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3840 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3841 }
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]3842
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3843 /*
3844 * Hash
3845 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3846 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3847
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3848 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
3849 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
3850 " for verify message"));
3851 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3852 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3853
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3854#if !defined(MBEDTLS_MD_SHA1)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3855 if (MBEDTLS_MD_SHA1 == md_alg) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3856 hash_start += 16;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3857 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3858#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3859
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3860 /* Info from md_alg will be used instead */
3861 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3862
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3863 i++;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3864
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3865 /*
3866 * Signature
3867 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3868 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
3869 == MBEDTLS_PK_NONE) {
3870 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
3871 " for verify message"));
3872 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]3873 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]3874
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3875 /*
3876 * Check the certificate's key type matches the signature alg
3877 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3878 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
3879 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
3880 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3881 }
3882
3883 i++;
3884
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3885 if (i + 2 > ssl->in_hslen) {
3886 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3887 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]3888 }
3889
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3890 sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i);
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3891 i += 2;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3892
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3893 if (i + sig_len != ssl->in_hslen) {
3894 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3895 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3896 }
3897
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3898 /* Calculate hash and verify signature */
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3899 {
3900 size_t dummy_hlen;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3901 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
3902 if (0 != ret) {
3903 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
3904 return ret;
3905 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3906 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3907
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3908 if ((ret = mbedtls_pk_verify(peer_pk,
3909 md_alg, hash_start, hashlen,
3910 ssl->in_msg + i, sig_len)) != 0) {
3911 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
3912 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3913 }
3914
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3915 ret = mbedtls_ssl_update_handshake_status(ssl);
3916 if (0 != ret) {
3917 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
3918 return ret;
3919 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3920
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3921 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3922
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3923 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3924}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3925#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3926
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3927#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3928MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3929static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3930{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3931 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]3932 size_t tlen;
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]3933 uint32_t lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3934
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3935 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3936
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3937 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3938 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3939
3940 /*
3941 * struct {
3942 * uint32 ticket_lifetime_hint;
3943 * opaque ticket<0..2^16-1>;
3944 * } NewSessionTicket;
3945 *
3946 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3947 * 8 . 9 ticket_len (n)
3948 * 10 . 9+n ticket content
3949 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]3950
Ronald Cron3c0072b2023-11-22 10:00:14 +0100[diff] [blame]3951#if defined(MBEDTLS_HAVE_TIME)
3952 ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time();
3953#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3954 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
3955 ssl->session_negotiate,
3956 ssl->out_msg + 10,
3957 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
3958 &tlen, &lifetime)) != 0) {
3959 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]3960 tlen = 0;
3961 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3962
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3963 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
3964 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]3965 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3966
Manuel Pégourié-Gonnard145dfcb2014-02-26 14:23:33 +0100[diff] [blame]3967 /*
3968 * Morally equivalent to updating ssl->state, but NewSessionTicket and
3969 * ChangeCipherSpec share the same state.
3970 */
3971 ssl->handshake->new_session_ticket = 0;
3972
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3973 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3974 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3975 return ret;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3976 }
3977
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3978 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3979
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3980 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3981}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3982#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3983
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3984/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3985 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3986 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3987int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3988{
3989 int ret = 0;
3990
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3991 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3992
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3993 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3994 case MBEDTLS_SSL_HELLO_REQUEST:
3995 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3996 break;
3997
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3998 /*
3999 * <== ClientHello
4000 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4001 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4002 ret = ssl_parse_client_hello(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4003 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4004
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4005#if defined(MBEDTLS_SSL_PROTO_DTLS)
4006 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4007 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4008#endif
4009
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4010 /*
4011 * ==> ServerHello
4012 * Certificate
4013 * ( ServerKeyExchange )
4014 * ( CertificateRequest )
4015 * ServerHelloDone
4016 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4017 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4018 ret = ssl_write_server_hello(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4019 break;
4020
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4021 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4022 ret = mbedtls_ssl_write_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4023 break;
4024
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4025 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4026 ret = ssl_write_server_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4027 break;
4028
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4029 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4030 ret = ssl_write_certificate_request(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4031 break;
4032
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4033 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4034 ret = ssl_write_server_hello_done(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4035 break;
4036
4037 /*
4038 * <== ( Certificate/Alert )
4039 * ClientKeyExchange
4040 * ( CertificateVerify )
4041 * ChangeCipherSpec
4042 * Finished
4043 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4044 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4045 ret = mbedtls_ssl_parse_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4046 break;
4047
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4048 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4049 ret = ssl_parse_client_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4050 break;
4051
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4052 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4053 ret = ssl_parse_certificate_verify(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4054 break;
4055
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4056 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4057 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4058 break;
4059
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4060 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4061 ret = mbedtls_ssl_parse_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4062 break;
4063
4064 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4065 * ==> ( NewSessionTicket )
4066 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4067 * Finished
4068 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4069 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4070#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4071 if (ssl->handshake->new_session_ticket != 0) {
4072 ret = ssl_write_new_session_ticket(ssl);
4073 } else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]4074#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4075 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4076 break;
4077
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4078 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4079 ret = mbedtls_ssl_write_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4080 break;
4081
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4082 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4083 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4084 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4085 break;
4086
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4087 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4088 mbedtls_ssl_handshake_wrapup(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4089 break;
4090
4091 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4092 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4093 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4094 }
4095
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4096 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4097}
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4098
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4099void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4100{
TRodziewicz3946f792021-06-14 12:11:18 +0200[diff] [blame]4101 conf->respect_cli_pref = order;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4102}
4103
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]4104#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */