| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1 | /* |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 2 | * TLS client-side functions |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3 | * |
| Bence Szépkúti | 1e14827 | 2020-08-07 13:07:28 +0200 | [diff] [blame] | 4 | * Copyright The Mbed TLS Contributors |
| Manuel Pégourié-Gonnard | 37ff140 | 2015-09-04 14:21:07 +0200 | [diff] [blame] | 5 | * SPDX-License-Identifier: Apache-2.0 |
| 6 | * |
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 8 | * not use this file except in compliance with the License. |
| 9 | * You may obtain a copy of the License at |
| 10 | * |
| 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | * |
| 13 | * Unless required by applicable law or agreed to in writing, software |
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | * See the License for the specific language governing permissions and |
| 17 | * limitations under the License. |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 18 | */ |
| 19 | |
| Gilles Peskine | db09ef6 | 2020-06-03 01:43:33 +0200 | [diff] [blame] | 20 | #include "common.h" |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 21 | |
| Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 22 | #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 23 | |
| Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 24 | #include "mbedtls/platform.h" |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 25 | |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 26 | #include "mbedtls/ssl.h" |
| Ronald Cron | 7320e64 | 2022-03-08 13:34:49 +0100 | [diff] [blame] | 27 | #include "ssl_client.h" |
| Chris Jones | 84a773f | 2021-03-05 18:38:47 +0000 | [diff] [blame] | 28 | #include "ssl_misc.h" |
| Janos Follath | 73c616b | 2019-12-18 15:07:04 +0000 | [diff] [blame] | 29 | #include "mbedtls/debug.h" |
| 30 | #include "mbedtls/error.h" |
| Gabor Mezei | 765862c | 2021-10-19 12:22:25 +0200 | [diff] [blame] | 31 | #include "mbedtls/constant_time.h" |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 32 | |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 33 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 34 | #include "mbedtls/psa_util.h" |
| Ronald Cron | 69a6342 | 2021-10-18 09:47:58 +0200 | [diff] [blame] | 35 | #include "psa/crypto.h" |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame^] | 36 | #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ |
| 37 | psa_to_ssl_errors, \ |
| 38 | psa_generic_status_to_mbedtls) |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 39 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 40 | |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 41 | #include <string.h> |
| 42 | |
| Manuel Pégourié-Gonnard | 9386664 | 2015-06-22 19:21:23 +0200 | [diff] [blame] | 43 | #include <stdint.h> |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 44 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 45 | #if defined(MBEDTLS_HAVE_TIME) |
| Simon Butcher | b5b6af2 | 2016-07-13 14:46:18 +0100 | [diff] [blame] | 46 | #include "mbedtls/platform_time.h" |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 47 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 48 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 49 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Andres Amaya Garcia | 1f6301b | 2018-04-17 09:51:09 -0500 | [diff] [blame] | 50 | #include "mbedtls/platform_util.h" |
| Paul Bakker | 3461772 | 2014-06-13 17:20:13 +0200 | [diff] [blame] | 51 | #endif |
| 52 | |
| Andrzej Kurek | 0ce5921 | 2022-08-17 07:54:34 -0400 | [diff] [blame] | 53 | #include "hash_info.h" |
| 54 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 55 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 56 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 57 | static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl, |
| 58 | unsigned char *buf, |
| 59 | const unsigned char *end, |
| 60 | size_t *olen) |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 61 | { |
| 62 | unsigned char *p = buf; |
| 63 | |
| 64 | *olen = 0; |
| 65 | |
| Tom Cosgrove | ce7f18c | 2022-07-28 05:50:56 +0100 | [diff] [blame] | 66 | /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the |
| Hanno Becker | 40f8b51 | 2017-10-12 14:58:55 +0100 | [diff] [blame] | 67 | * initial ClientHello, in which case also adding the renegotiation |
| 68 | * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 69 | if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { |
| 70 | return 0; |
| 71 | } |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 72 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 73 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 74 | ("client hello, adding renegotiation extension")); |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 75 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 76 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 77 | |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 78 | /* |
| 79 | * Secure renegotiation |
| 80 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 81 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 82 | p += 2; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 83 | |
| 84 | *p++ = 0x00; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 85 | *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1); |
| 86 | *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len); |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 87 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 88 | memcpy(p, ssl->own_verify_data, ssl->verify_data_len); |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 89 | |
| 90 | *olen = 5 + ssl->verify_data_len; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 91 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 92 | return 0; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 93 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 94 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 95 | |
| Manuel Pégourié-Gonnard | f472179 | 2015-09-15 10:53:51 +0200 | [diff] [blame] | 96 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 97 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 98 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 99 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 100 | static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl, |
| 101 | unsigned char *buf, |
| 102 | const unsigned char *end, |
| 103 | size_t *olen) |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 104 | { |
| 105 | unsigned char *p = buf; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 106 | (void) ssl; /* ssl used for debugging only */ |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 107 | |
| 108 | *olen = 0; |
| 109 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 110 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 111 | ("client hello, adding supported_point_formats extension")); |
| 112 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 113 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 114 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 115 | p += 2; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 116 | |
| 117 | *p++ = 0x00; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 118 | *p++ = 2; |
| Manuel Pégourié-Gonnard | 6b8846d | 2013-08-15 17:42:02 +0200 | [diff] [blame] | 119 | |
| 120 | *p++ = 1; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 121 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 122 | |
| Manuel Pégourié-Gonnard | 6b8846d | 2013-08-15 17:42:02 +0200 | [diff] [blame] | 123 | *olen = 6; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 124 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 125 | return 0; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 126 | } |
| Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 127 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 128 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 129 | |
| Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 130 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 131 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 132 | static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl, |
| 133 | unsigned char *buf, |
| 134 | const unsigned char *end, |
| 135 | size_t *olen) |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 136 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 137 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 138 | unsigned char *p = buf; |
| Valerio Setti | 02c25b5 | 2022-11-15 14:08:42 +0100 | [diff] [blame] | 139 | size_t kkpp_len = 0; |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 140 | |
| 141 | *olen = 0; |
| 142 | |
| 143 | /* Skip costly extension if we can't use EC J-PAKE anyway */ |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 144 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 145 | if (ssl->handshake->psa_pake_ctx_is_ok != 1) { |
| 146 | return 0; |
| 147 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 148 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 149 | if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) { |
| 150 | return 0; |
| 151 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 152 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 153 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 154 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 155 | ("client hello, adding ecjpake_kkpp extension")); |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 156 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 157 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 158 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 159 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 160 | p += 2; |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 161 | |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 162 | /* |
| 163 | * We may need to send ClientHello multiple times for Hello verification. |
| 164 | * We don't want to compute fresh values every time (both for performance |
| 165 | * and consistency reasons), so cache the extension content. |
| 166 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 167 | if (ssl->handshake->ecjpake_cache == NULL || |
| 168 | ssl->handshake->ecjpake_cache_len == 0) { |
| 169 | MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters")); |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 170 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 171 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Valerio Setti | 6b3dab0 | 2022-11-17 17:14:54 +0100 | [diff] [blame] | 172 | ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 173 | p + 2, end - p - 2, &kkpp_len, |
| 174 | MBEDTLS_ECJPAKE_ROUND_ONE); |
| 175 | if (ret != 0) { |
| 176 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 177 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 178 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); |
| 179 | return ret; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 180 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 181 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 182 | ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx, |
| 183 | p + 2, end - p - 2, &kkpp_len, |
| 184 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 185 | if (ret != 0) { |
| 186 | MBEDTLS_SSL_DEBUG_RET(1, |
| 187 | "mbedtls_ecjpake_write_round_one", ret); |
| 188 | return ret; |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 189 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 190 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 191 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 192 | ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len); |
| 193 | if (ssl->handshake->ecjpake_cache == NULL) { |
| 194 | MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed")); |
| 195 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 196 | } |
| 197 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 198 | memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len); |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 199 | ssl->handshake->ecjpake_cache_len = kkpp_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 200 | } else { |
| 201 | MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters")); |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 202 | |
| 203 | kkpp_len = ssl->handshake->ecjpake_cache_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 204 | MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len); |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 205 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 206 | memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len); |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 207 | } |
| 208 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 209 | MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 210 | p += 2; |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 211 | |
| 212 | *olen = kkpp_len + 4; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 213 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 214 | return 0; |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 215 | } |
| Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 216 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | c3f177a | 2012-04-11 16:11:49 +0000 | [diff] [blame] | 217 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 218 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 219 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 220 | static int ssl_write_cid_ext(mbedtls_ssl_context *ssl, |
| 221 | unsigned char *buf, |
| 222 | const unsigned char *end, |
| 223 | size_t *olen) |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 224 | { |
| 225 | unsigned char *p = buf; |
| 226 | size_t ext_len; |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 227 | |
| 228 | /* |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 229 | * struct { |
| 230 | * opaque cid<0..2^8-1>; |
| 231 | * } ConnectionId; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 232 | */ |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 233 | |
| 234 | *olen = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 235 | if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || |
| 236 | ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { |
| 237 | return 0; |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 238 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 239 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension")); |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 240 | |
| 241 | /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX |
| 242 | * which is at most 255, so the increment cannot overflow. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 243 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5)); |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 244 | |
| 245 | /* Add extension ID + size */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 246 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 247 | p += 2; |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 248 | ext_len = (size_t) ssl->own_cid_len + 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 249 | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 250 | p += 2; |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 251 | |
| 252 | *p++ = (uint8_t) ssl->own_cid_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 253 | memcpy(p, ssl->own_cid, ssl->own_cid_len); |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 254 | |
| 255 | *olen = ssl->own_cid_len + 5; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 256 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 257 | return 0; |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 258 | } |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 259 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 260 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 261 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 262 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 263 | static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
| 264 | unsigned char *buf, |
| 265 | const unsigned char *end, |
| 266 | size_t *olen) |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 267 | { |
| 268 | unsigned char *p = buf; |
| 269 | |
| Simon Butcher | 0fc94e9 | 2015-09-28 20:52:04 +0100 | [diff] [blame] | 270 | *olen = 0; |
| 271 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 272 | if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) { |
| 273 | return 0; |
| 274 | } |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 275 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 276 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 277 | ("client hello, adding max_fragment_length extension")); |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 278 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 279 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 280 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 281 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 282 | p += 2; |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 283 | |
| 284 | *p++ = 0x00; |
| 285 | *p++ = 1; |
| 286 | |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 287 | *p++ = ssl->conf->mfl_code; |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 288 | |
| 289 | *olen = 5; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 290 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 291 | return 0; |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 292 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 293 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 294 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 295 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 296 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 297 | static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
| 298 | unsigned char *buf, |
| 299 | const unsigned char *end, |
| 300 | size_t *olen) |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 301 | { |
| 302 | unsigned char *p = buf; |
| 303 | |
| Simon Butcher | 0fc94e9 | 2015-09-28 20:52:04 +0100 | [diff] [blame] | 304 | *olen = 0; |
| 305 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 306 | if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) { |
| 307 | return 0; |
| 308 | } |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 309 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 310 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 311 | ("client hello, adding encrypt_then_mac extension")); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 312 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 313 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 314 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 315 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 316 | p += 2; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 317 | |
| 318 | *p++ = 0x00; |
| 319 | *p++ = 0x00; |
| 320 | |
| 321 | *olen = 4; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 322 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 323 | return 0; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 324 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 325 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 326 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 327 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 328 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 329 | static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl, |
| 330 | unsigned char *buf, |
| 331 | const unsigned char *end, |
| 332 | size_t *olen) |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 333 | { |
| 334 | unsigned char *p = buf; |
| 335 | |
| Simon Butcher | 0fc94e9 | 2015-09-28 20:52:04 +0100 | [diff] [blame] | 336 | *olen = 0; |
| 337 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 338 | if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) { |
| 339 | return 0; |
| 340 | } |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 341 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 342 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 343 | ("client hello, adding extended_master_secret extension")); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 344 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 345 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 346 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 347 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 348 | p += 2; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 349 | |
| 350 | *p++ = 0x00; |
| 351 | *p++ = 0x00; |
| 352 | |
| 353 | *olen = 4; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 354 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 355 | return 0; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 356 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 357 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 358 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 359 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 360 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 361 | static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl, |
| 362 | unsigned char *buf, |
| 363 | const unsigned char *end, |
| 364 | size_t *olen) |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 365 | { |
| 366 | unsigned char *p = buf; |
| 367 | size_t tlen = ssl->session_negotiate->ticket_len; |
| 368 | |
| Simon Butcher | 0fc94e9 | 2015-09-28 20:52:04 +0100 | [diff] [blame] | 369 | *olen = 0; |
| 370 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 371 | if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) { |
| 372 | return 0; |
| 373 | } |
| Manuel Pégourié-Gonnard | aa0d4d1 | 2013-08-03 13:02:31 +0200 | [diff] [blame] | 374 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 375 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 376 | ("client hello, adding session ticket extension")); |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 377 | |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 378 | /* The addition is safe here since the ticket length is 16 bit. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 379 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 380 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 381 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 382 | p += 2; |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 383 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 384 | MBEDTLS_PUT_UINT16_BE(tlen, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 385 | p += 2; |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 386 | |
| 387 | *olen = 4; |
| 388 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 389 | if (ssl->session_negotiate->ticket == NULL || tlen == 0) { |
| 390 | return 0; |
| 391 | } |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 392 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 393 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 394 | ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen)); |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 395 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 396 | memcpy(p, ssl->session_negotiate->ticket, tlen); |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 397 | |
| 398 | *olen += tlen; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 399 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 400 | return 0; |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 401 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 402 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 403 | |
| Ron Eldor | a978804 | 2018-12-05 11:04:31 +0200 | [diff] [blame] | 404 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 405 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 406 | static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl, |
| 407 | unsigned char *buf, |
| 408 | const unsigned char *end, |
| 409 | size_t *olen) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 410 | { |
| 411 | unsigned char *p = buf; |
| Johan Pascal | f6417ec | 2020-09-22 15:15:19 +0200 | [diff] [blame] | 412 | size_t protection_profiles_index = 0, ext_len = 0; |
| 413 | uint16_t mki_len = 0, profile_value = 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 414 | |
| 415 | *olen = 0; |
| 416 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 417 | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
| 418 | (ssl->conf->dtls_srtp_profile_list == NULL) || |
| 419 | (ssl->conf->dtls_srtp_profile_list_len == 0)) { |
| 420 | return 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 421 | } |
| 422 | |
| Ron Eldor | a978804 | 2018-12-05 11:04:31 +0200 | [diff] [blame] | 423 | /* RFC 5764 section 4.1.1 |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 424 | * uint8 SRTPProtectionProfile[2]; |
| 425 | * |
| 426 | * struct { |
| 427 | * SRTPProtectionProfiles SRTPProtectionProfiles; |
| 428 | * opaque srtp_mki<0..255>; |
| 429 | * } UseSRTPData; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 430 | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 431 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 432 | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 433 | mki_len = ssl->dtls_srtp_info.mki_len; |
| 434 | } |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 435 | /* Extension length = 2 bytes for profiles length, |
| 436 | * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ), |
| 437 | * 1 byte for srtp_mki vector length and the mki_len value |
| 438 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 439 | ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len; |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 440 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 441 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension")); |
| Johan Pascal | 77696ee | 2020-09-22 21:49:40 +0200 | [diff] [blame] | 442 | |
| 443 | /* Check there is room in the buffer for the extension + 4 bytes |
| 444 | * - the extension tag (2 bytes) |
| 445 | * - the extension length (2 bytes) |
| 446 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 447 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4); |
| Johan Pascal | 77696ee | 2020-09-22 21:49:40 +0200 | [diff] [blame] | 448 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 449 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 450 | p += 2; |
| Johan Pascal | 77696ee | 2020-09-22 21:49:40 +0200 | [diff] [blame] | 451 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 452 | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 453 | p += 2; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 454 | |
| Ron Eldor | 3adb992 | 2017-12-21 10:15:08 +0200 | [diff] [blame] | 455 | /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */ |
| Johan Pascal | aae4d22 | 2020-09-22 21:21:39 +0200 | [diff] [blame] | 456 | /* micro-optimization: |
| 457 | * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH |
| 458 | * which is lower than 127, so the upper byte of the length is always 0 |
| 459 | * For the documentation, the more generic code is left in comments |
| 460 | * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len ) |
| 461 | * >> 8 ) & 0xFF ); |
| 462 | */ |
| 463 | *p++ = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 464 | *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 465 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 466 | for (protection_profiles_index = 0; |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 467 | protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 468 | protection_profiles_index++) { |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 469 | profile_value = mbedtls_ssl_check_srtp_profile_value |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 470 | (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]); |
| 471 | if (profile_value != MBEDTLS_TLS_SRTP_UNSET) { |
| 472 | MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x", |
| 473 | profile_value)); |
| 474 | MBEDTLS_PUT_UINT16_BE(profile_value, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 475 | p += 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 476 | } else { |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 477 | /* |
| 478 | * Note: we shall never arrive here as protection profiles |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 479 | * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 480 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 481 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 482 | ("client hello, " |
| 483 | "illegal DTLS-SRTP protection profile %d", |
| 484 | ssl->conf->dtls_srtp_profile_list[protection_profiles_index] |
| 485 | )); |
| 486 | return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 487 | } |
| 488 | } |
| 489 | |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 490 | *p++ = mki_len & 0xFF; |
| 491 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 492 | if (mki_len != 0) { |
| 493 | memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len); |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 494 | /* |
| 495 | * Increment p to point to the current position. |
| 496 | */ |
| 497 | p += mki_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 498 | MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value, |
| 499 | ssl->dtls_srtp_info.mki_len); |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 500 | } |
| 501 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 502 | /* |
| 503 | * total extension length: extension type (2 bytes) |
| 504 | * + extension length (2 bytes) |
| 505 | * + protection profile length (2 bytes) |
| 506 | * + 2 * number of protection profiles |
| 507 | * + srtp_mki vector length(1 byte) |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 508 | * + mki value |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 509 | */ |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 510 | *olen = p - buf; |
| Johan Pascal | 77696ee | 2020-09-22 21:49:40 +0200 | [diff] [blame] | 511 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 512 | return 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 513 | } |
| 514 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 515 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 516 | int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl, |
| 517 | unsigned char *buf, |
| 518 | const unsigned char *end, |
| 519 | int uses_ec, |
| 520 | size_t *out_len) |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 521 | { |
| 522 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 523 | unsigned char *p = buf; |
| 524 | size_t ext_len = 0; |
| 525 | |
| 526 | (void) ssl; |
| 527 | (void) end; |
| 528 | (void) uses_ec; |
| 529 | (void) ret; |
| 530 | (void) ext_len; |
| 531 | |
| 532 | *out_len = 0; |
| 533 | |
| 534 | /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added |
| 535 | * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ |
| 536 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 537 | if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) { |
| 538 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret); |
| 539 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 540 | } |
| 541 | p += ext_len; |
| 542 | #endif |
| 543 | |
| 544 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| 545 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 546 | if (uses_ec) { |
| 547 | if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end, |
| 548 | &ext_len)) != 0) { |
| 549 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret); |
| 550 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 551 | } |
| 552 | p += ext_len; |
| 553 | } |
| 554 | #endif |
| 555 | |
| 556 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 557 | if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) { |
| 558 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret); |
| 559 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 560 | } |
| 561 | p += ext_len; |
| 562 | #endif |
| 563 | |
| 564 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 565 | if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) { |
| 566 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret); |
| 567 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 568 | } |
| 569 | p += ext_len; |
| 570 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| 571 | |
| 572 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 573 | if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end, |
| 574 | &ext_len)) != 0) { |
| 575 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret); |
| 576 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 577 | } |
| 578 | p += ext_len; |
| 579 | #endif |
| 580 | |
| 581 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 582 | if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) { |
| 583 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret); |
| 584 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 585 | } |
| 586 | p += ext_len; |
| 587 | #endif |
| 588 | |
| 589 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 590 | if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) { |
| 591 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret); |
| 592 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 593 | } |
| 594 | p += ext_len; |
| 595 | #endif |
| 596 | |
| 597 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 598 | if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) { |
| 599 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret); |
| 600 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 601 | } |
| 602 | p += ext_len; |
| 603 | #endif |
| 604 | |
| 605 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 606 | if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) { |
| 607 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret); |
| 608 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 609 | } |
| 610 | p += ext_len; |
| 611 | #endif |
| 612 | |
| 613 | *out_len = p - buf; |
| 614 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 615 | return 0; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 616 | } |
| 617 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 618 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 619 | static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl, |
| 620 | const unsigned char *buf, |
| 621 | size_t len) |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 622 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 623 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 624 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| Manuel Pégourié-Gonnard | 31ff1d2 | 2013-10-28 13:46:11 +0100 | [diff] [blame] | 625 | /* Check verify-data in constant-time. The length OTOH is no secret */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 626 | if (len != 1 + ssl->verify_data_len * 2 || |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 627 | buf[0] != ssl->verify_data_len * 2 || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 628 | mbedtls_ct_memcmp(buf + 1, |
| 629 | ssl->own_verify_data, ssl->verify_data_len) != 0 || |
| 630 | mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len, |
| 631 | ssl->peer_verify_data, ssl->verify_data_len) != 0) { |
| 632 | MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 633 | mbedtls_ssl_send_alert_message( |
| 634 | ssl, |
| 635 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 636 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 637 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 638 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 639 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 640 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 641 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 642 | if (len != 1 || buf[0] != 0x00) { |
| 643 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 644 | ("non-zero length renegotiation info")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 645 | mbedtls_ssl_send_alert_message( |
| 646 | ssl, |
| 647 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 648 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 649 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 650 | } |
| 651 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 652 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 653 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 654 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 655 | return 0; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 656 | } |
| Manuel Pégourié-Gonnard | 57c2852 | 2013-07-19 11:41:43 +0200 | [diff] [blame] | 657 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 658 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 659 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 660 | static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
| 661 | const unsigned char *buf, |
| 662 | size_t len) |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 663 | { |
| 664 | /* |
| 665 | * server should use the extension only if we did, |
| 666 | * and if so the server's value should match ours (and len is always 1) |
| 667 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 668 | if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 669 | len != 1 || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 670 | buf[0] != ssl->conf->mfl_code) { |
| 671 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 672 | ("non-matching max fragment length extension")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 673 | mbedtls_ssl_send_alert_message( |
| 674 | ssl, |
| 675 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 676 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 677 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 678 | } |
| 679 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 680 | return 0; |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 681 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 682 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 683 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 684 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 685 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 686 | static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl, |
| 687 | const unsigned char *buf, |
| 688 | size_t len) |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 689 | { |
| 690 | size_t peer_cid_len; |
| 691 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 692 | if ( /* CID extension only makes sense in DTLS */ |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 693 | ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || |
| 694 | /* The server must only send the CID extension if we have offered it. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 695 | ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { |
| 696 | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected")); |
| 697 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 698 | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
| 699 | return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
| Hanno Becker | 2262648 | 2019-05-03 12:46:59 +0100 | [diff] [blame] | 700 | } |
| 701 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 702 | if (len == 0) { |
| 703 | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); |
| 704 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 705 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 706 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 707 | } |
| 708 | |
| 709 | peer_cid_len = *buf++; |
| 710 | len--; |
| 711 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 712 | if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) { |
| 713 | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); |
| 714 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 715 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 716 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 717 | } |
| 718 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 719 | if (len != peer_cid_len) { |
| 720 | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); |
| 721 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 722 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 723 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 724 | } |
| 725 | |
| Hanno Becker | 5a29990 | 2019-05-03 12:47:49 +0100 | [diff] [blame] | 726 | ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 727 | ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 728 | memcpy(ssl->handshake->peer_cid, buf, peer_cid_len); |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 729 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 730 | MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated")); |
| 731 | MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len); |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 732 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 733 | return 0; |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 734 | } |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 735 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 736 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 737 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 738 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 739 | static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
| 740 | const unsigned char *buf, |
| 741 | size_t len) |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 742 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 743 | if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || |
| 744 | len != 0) { |
| 745 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 746 | ("non-matching encrypt-then-MAC extension")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 747 | mbedtls_ssl_send_alert_message( |
| 748 | ssl, |
| 749 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 750 | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
| 751 | return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 752 | } |
| 753 | |
| 754 | ((void) buf); |
| 755 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 756 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 757 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 758 | return 0; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 759 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 760 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 761 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 762 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 763 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 764 | static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl, |
| 765 | const unsigned char *buf, |
| 766 | size_t len) |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 767 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 768 | if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || |
| 769 | len != 0) { |
| 770 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 771 | ("non-matching extended master secret extension")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 772 | mbedtls_ssl_send_alert_message( |
| 773 | ssl, |
| 774 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 775 | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
| 776 | return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 777 | } |
| 778 | |
| 779 | ((void) buf); |
| 780 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 781 | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 782 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 783 | return 0; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 784 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 785 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 786 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 787 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 788 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 789 | static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl, |
| 790 | const unsigned char *buf, |
| 791 | size_t len) |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 792 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 793 | if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || |
| 794 | len != 0) { |
| 795 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 796 | ("non-matching session ticket extension")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 797 | mbedtls_ssl_send_alert_message( |
| 798 | ssl, |
| 799 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 800 | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
| 801 | return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
| Manuel Pégourié-Gonnard | aa0d4d1 | 2013-08-03 13:02:31 +0200 | [diff] [blame] | 802 | } |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 803 | |
| 804 | ((void) buf); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 805 | |
| 806 | ssl->handshake->new_session_ticket = 1; |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 807 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 808 | return 0; |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 809 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 810 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 811 | |
| Robert Cragie | 136884c | 2015-10-02 13:34:31 +0100 | [diff] [blame] | 812 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 813 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 814 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 815 | static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl, |
| 816 | const unsigned char *buf, |
| 817 | size_t len) |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 818 | { |
| 819 | size_t list_size; |
| 820 | const unsigned char *p; |
| 821 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 822 | if (len == 0 || (size_t) (buf[0] + 1) != len) { |
| 823 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| 824 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 825 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 826 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 827 | } |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 828 | list_size = buf[0]; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 829 | |
| Manuel Pégourié-Gonnard | fd35af1 | 2014-06-23 14:10:13 +0200 | [diff] [blame] | 830 | p = buf + 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 831 | while (list_size > 0) { |
| 832 | if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || |
| 833 | p[0] == MBEDTLS_ECP_PF_COMPRESSED) { |
| Neil Armstrong | 3ea0149 | 2022-04-12 14:41:50 +0200 | [diff] [blame] | 834 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 835 | (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) |
| Manuel Pégourié-Gonnard | 5734b2d | 2013-08-15 19:04:02 +0200 | [diff] [blame] | 836 | ssl->handshake->ecdh_ctx.point_format = p[0]; |
| Neil Armstrong | 3ea0149 | 2022-04-12 14:41:50 +0200 | [diff] [blame] | 837 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && |
| 838 | ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 839 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 840 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 841 | mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, |
| 842 | p[0]); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 843 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 844 | MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0])); |
| 845 | return 0; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 846 | } |
| 847 | |
| 848 | list_size--; |
| 849 | p++; |
| 850 | } |
| 851 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 852 | MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common")); |
| 853 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 854 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 855 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 856 | } |
| Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 857 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 858 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 859 | |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 860 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 861 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 862 | static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl, |
| 863 | const unsigned char *buf, |
| 864 | size_t len) |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 865 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 866 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 867 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 868 | if (ssl->handshake->ciphersuite_info->key_exchange != |
| 869 | MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| 870 | MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension")); |
| 871 | return 0; |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 872 | } |
| 873 | |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 874 | /* If we got here, we no longer need our cached extension */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 875 | mbedtls_free(ssl->handshake->ecjpake_cache); |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 876 | ssl->handshake->ecjpake_cache = NULL; |
| 877 | ssl->handshake->ecjpake_cache_len = 0; |
| 878 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 879 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 880 | if ((ret = mbedtls_psa_ecjpake_read_round( |
| 881 | &ssl->handshake->psa_pake_ctx, buf, len, |
| 882 | MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) { |
| 883 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 884 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 885 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 886 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 887 | mbedtls_ssl_send_alert_message( |
| 888 | ssl, |
| 889 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 890 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 891 | return ret; |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 892 | } |
| 893 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 894 | return 0; |
| 895 | #else |
| 896 | if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx, |
| 897 | buf, len)) != 0) { |
| 898 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret); |
| 899 | mbedtls_ssl_send_alert_message( |
| 900 | ssl, |
| 901 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 902 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 903 | return ret; |
| 904 | } |
| 905 | |
| 906 | return 0; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 907 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 908 | } |
| 909 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Manuel Pégourié-Gonnard | 57c2852 | 2013-07-19 11:41:43 +0200 | [diff] [blame] | 910 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 911 | #if defined(MBEDTLS_SSL_ALPN) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 912 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 913 | static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, |
| 914 | const unsigned char *buf, size_t len) |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 915 | { |
| 916 | size_t list_len, name_len; |
| 917 | const char **p; |
| 918 | |
| 919 | /* If we didn't send it, the server shouldn't send it */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 920 | if (ssl->conf->alpn_list == NULL) { |
| 921 | MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 922 | mbedtls_ssl_send_alert_message( |
| 923 | ssl, |
| 924 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 925 | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
| 926 | return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 927 | } |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 928 | |
| 929 | /* |
| 930 | * opaque ProtocolName<1..2^8-1>; |
| 931 | * |
| 932 | * struct { |
| 933 | * ProtocolName protocol_name_list<2..2^16-1> |
| 934 | * } ProtocolNameList; |
| 935 | * |
| 936 | * the "ProtocolNameList" MUST contain exactly one "ProtocolName" |
| 937 | */ |
| 938 | |
| 939 | /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 940 | if (len < 4) { |
| 941 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 942 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 943 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 944 | } |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 945 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 946 | list_len = (buf[0] << 8) | buf[1]; |
| 947 | if (list_len != len - 2) { |
| 948 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 949 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 950 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 951 | } |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 952 | |
| 953 | name_len = buf[2]; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 954 | if (name_len != list_len - 1) { |
| 955 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 956 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 957 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 958 | } |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 959 | |
| 960 | /* Check that the server chosen protocol was in our list and save it */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 961 | for (p = ssl->conf->alpn_list; *p != NULL; p++) { |
| 962 | if (name_len == strlen(*p) && |
| 963 | memcmp(buf + 3, *p, name_len) == 0) { |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 964 | ssl->alpn_chosen = *p; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 965 | return 0; |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 966 | } |
| 967 | } |
| 968 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 969 | MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol")); |
| 970 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 971 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 972 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 973 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 974 | #endif /* MBEDTLS_SSL_ALPN */ |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 975 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 976 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 977 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 978 | static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl, |
| 979 | const unsigned char *buf, |
| 980 | size_t len) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 981 | { |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 982 | mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 983 | size_t i, mki_len = 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 984 | uint16_t server_protection_profile_value = 0; |
| 985 | |
| 986 | /* If use_srtp is not configured, just ignore the extension */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 987 | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
| 988 | (ssl->conf->dtls_srtp_profile_list == NULL) || |
| 989 | (ssl->conf->dtls_srtp_profile_list_len == 0)) { |
| 990 | return 0; |
| 991 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 992 | |
| Ron Eldor | a978804 | 2018-12-05 11:04:31 +0200 | [diff] [blame] | 993 | /* RFC 5764 section 4.1.1 |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 994 | * uint8 SRTPProtectionProfile[2]; |
| 995 | * |
| 996 | * struct { |
| 997 | * SRTPProtectionProfiles SRTPProtectionProfiles; |
| 998 | * opaque srtp_mki<0..255>; |
| 999 | * } UseSRTPData; |
| 1000 | |
| 1001 | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
| 1002 | * |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1003 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1004 | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1005 | mki_len = ssl->dtls_srtp_info.mki_len; |
| 1006 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1007 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 1008 | /* |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 1009 | * Length is 5 + optional mki_value : one protection profile length (2 bytes) |
| 1010 | * + protection profile (2 bytes) |
| 1011 | * + mki_len(1 byte) |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 1012 | * and optional srtp_mki |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 1013 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1014 | if ((len < 5) || (len != (buf[4] + 5u))) { |
| 1015 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1016 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1017 | |
| 1018 | /* |
| 1019 | * get the server protection profile |
| 1020 | */ |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 1021 | |
| 1022 | /* |
| 1023 | * protection profile length must be 0x0002 as we must have only |
| 1024 | * one protection profile in server Hello |
| 1025 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1026 | if ((buf[0] != 0) || (buf[1] != 2)) { |
| 1027 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1028 | } |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 1029 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1030 | server_protection_profile_value = (buf[2] << 8) | buf[3]; |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 1031 | server_protection = mbedtls_ssl_check_srtp_profile_value( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1032 | server_protection_profile_value); |
| 1033 | if (server_protection != MBEDTLS_TLS_SRTP_UNSET) { |
| 1034 | MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s", |
| 1035 | mbedtls_ssl_get_srtp_profile_as_string( |
| 1036 | server_protection))); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1037 | } |
| 1038 | |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 1039 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1040 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1041 | /* |
| 1042 | * Check we have the server profile in our list |
| 1043 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1044 | for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) { |
| 1045 | if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) { |
| Ron Eldor | 3adb992 | 2017-12-21 10:15:08 +0200 | [diff] [blame] | 1046 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1047 | MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s", |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 1048 | mbedtls_ssl_get_srtp_profile_as_string( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1049 | server_protection))); |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1050 | break; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1051 | } |
| 1052 | } |
| 1053 | |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1054 | /* If no match was found : server problem, it shall never answer with incompatible profile */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1055 | if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) { |
| 1056 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1057 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1058 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1059 | } |
| Johan Pascal | 20c7db3 | 2020-10-26 22:45:58 +0100 | [diff] [blame] | 1060 | |
| 1061 | /* If server does not use mki in its reply, make sure the client won't keep |
| 1062 | * one as negotiated */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1063 | if (len == 5) { |
| Johan Pascal | 20c7db3 | 2020-10-26 22:45:58 +0100 | [diff] [blame] | 1064 | ssl->dtls_srtp_info.mki_len = 0; |
| 1065 | } |
| 1066 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 1067 | /* |
| 1068 | * RFC5764: |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1069 | * If the client detects a nonzero-length MKI in the server's response |
| 1070 | * that is different than the one the client offered, then the client |
| 1071 | * MUST abort the handshake and SHOULD send an invalid_parameter alert. |
| 1072 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1073 | if (len > 5 && (buf[4] != mki_len || |
| 1074 | (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) { |
| 1075 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1076 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 1077 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1078 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1079 | #if defined(MBEDTLS_DEBUG_C) |
| 1080 | if (len > 5) { |
| 1081 | MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value, |
| 1082 | ssl->dtls_srtp_info.mki_len); |
| Ron Eldor | b465539 | 2018-07-05 18:25:39 +0300 | [diff] [blame] | 1083 | } |
| 1084 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1085 | return 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1086 | } |
| 1087 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 1088 | |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1089 | /* |
| 1090 | * Parse HelloVerifyRequest. Only called after verifying the HS type. |
| 1091 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1092 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1093 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1094 | static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1095 | { |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 1096 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1097 | const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
| Glenn Strauss | 8315811 | 2022-04-13 14:59:34 -0400 | [diff] [blame] | 1098 | uint16_t dtls_legacy_version; |
| Jerry Yu | e01304f | 2022-04-07 10:51:55 +0800 | [diff] [blame] | 1099 | |
| 1100 | #if !defined(MBEDTLS_SSL_PROTO_TLS1_3) |
| 1101 | uint8_t cookie_len; |
| 1102 | #else |
| 1103 | uint16_t cookie_len; |
| 1104 | #endif |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1105 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1106 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request")); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1107 | |
| Gilles Peskine | b64bf06 | 2019-09-27 14:02:44 +0200 | [diff] [blame] | 1108 | /* Check that there is enough room for: |
| 1109 | * - 2 bytes of version |
| 1110 | * - 1 byte of cookie_len |
| 1111 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1112 | if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) { |
| 1113 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1114 | ("incoming HelloVerifyRequest message is too short")); |
| 1115 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1116 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1117 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Gilles Peskine | b64bf06 | 2019-09-27 14:02:44 +0200 | [diff] [blame] | 1118 | } |
| 1119 | |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1120 | /* |
| 1121 | * struct { |
| 1122 | * ProtocolVersion server_version; |
| 1123 | * opaque cookie<0..2^8-1>; |
| 1124 | * } HelloVerifyRequest; |
| 1125 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1126 | MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2); |
| 1127 | dtls_legacy_version = MBEDTLS_GET_UINT16_BE(p, 0); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1128 | p += 2; |
| 1129 | |
| TRodziewicz | 2d8800e | 2021-05-13 19:14:19 +0200 | [diff] [blame] | 1130 | /* |
| Glenn Strauss | 8315811 | 2022-04-13 14:59:34 -0400 | [diff] [blame] | 1131 | * Since the RFC is not clear on this point, accept DTLS 1.0 (0xfeff) |
| 1132 | * The DTLS 1.3 (current draft) renames ProtocolVersion server_version to |
| 1133 | * legacy_version and locks the value of legacy_version to 0xfefd (DTLS 1.2) |
| TRodziewicz | 2d8800e | 2021-05-13 19:14:19 +0200 | [diff] [blame] | 1134 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1135 | if (dtls_legacy_version != 0xfefd && dtls_legacy_version != 0xfeff) { |
| 1136 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version")); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1137 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1138 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1139 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1140 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1141 | return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1142 | } |
| 1143 | |
| 1144 | cookie_len = *p++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1145 | if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) { |
| 1146 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1147 | ("cookie length does not match incoming message size")); |
| 1148 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1149 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1150 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Andres AG | 5a87c93 | 2016-09-26 14:53:05 +0100 | [diff] [blame] | 1151 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1152 | MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len); |
| Andres AG | 5a87c93 | 2016-09-26 14:53:05 +0100 | [diff] [blame] | 1153 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1154 | mbedtls_free(ssl->handshake->cookie); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1155 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1156 | ssl->handshake->cookie = mbedtls_calloc(1, cookie_len); |
| 1157 | if (ssl->handshake->cookie == NULL) { |
| 1158 | MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len)); |
| 1159 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1160 | } |
| 1161 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1162 | memcpy(ssl->handshake->cookie, p, cookie_len); |
| Jerry Yu | ac5ca5a | 2022-03-04 12:50:46 +0800 | [diff] [blame] | 1163 | ssl->handshake->cookie_len = cookie_len; |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1164 | |
| Manuel Pégourié-Gonnard | 67427c0 | 2014-07-11 13:45:34 +0200 | [diff] [blame] | 1165 | /* Start over at ClientHello */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1166 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 1167 | ret = mbedtls_ssl_reset_checksum(ssl); |
| 1168 | if (0 != ret) { |
| 1169 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret); |
| 1170 | return ret; |
| 1171 | } |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1172 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1173 | mbedtls_ssl_recv_flight_completed(ssl); |
| Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 1174 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1175 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request")); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1176 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1177 | return 0; |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1178 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1179 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1180 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1181 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1182 | static int ssl_parse_server_hello(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1183 | { |
| Manuel Pégourié-Gonnard | a0e1632 | 2014-07-14 17:38:41 +0200 | [diff] [blame] | 1184 | int ret, i; |
| Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1185 | size_t n; |
| Manuel Pégourié-Gonnard | f7cdbc0 | 2014-10-17 17:02:10 +0200 | [diff] [blame] | 1186 | size_t ext_len; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1187 | unsigned char *buf, *ext; |
| Manuel Pégourié-Gonnard | 1cf7b30 | 2015-06-24 22:28:19 +0200 | [diff] [blame] | 1188 | unsigned char comp; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1189 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1190 | int renegotiation_info_seen = 0; |
| Manuel Pégourié-Gonnard | eaecbd3 | 2014-11-06 02:38:02 +0100 | [diff] [blame] | 1191 | #endif |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1192 | int handshake_failure = 0; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1193 | const mbedtls_ssl_ciphersuite_t *suite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1194 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1195 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1196 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1197 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1198 | /* No alert on a read error. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1199 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 1200 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1201 | } |
| 1202 | |
| Hanno Becker | 79594fd | 2019-05-08 09:38:41 +0100 | [diff] [blame] | 1203 | buf = ssl->in_msg; |
| 1204 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1205 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1206 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1207 | if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 44ade65 | 2014-08-19 13:58:40 +0200 | [diff] [blame] | 1208 | ssl->renego_records_seen++; |
| 1209 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1210 | if (ssl->conf->renego_max_records >= 0 && |
| 1211 | ssl->renego_records_seen > ssl->conf->renego_max_records) { |
| 1212 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1213 | ("renegotiation requested, but not honored by server")); |
| 1214 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Manuel Pégourié-Gonnard | 44ade65 | 2014-08-19 13:58:40 +0200 | [diff] [blame] | 1215 | } |
| 1216 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1217 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1218 | ("non-handshake message during renegotiation")); |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 1219 | |
| 1220 | ssl->keep_current_message = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1221 | return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO; |
| Manuel Pégourié-Gonnard | 6591962 | 2014-08-19 12:50:30 +0200 | [diff] [blame] | 1222 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1223 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Manuel Pégourié-Gonnard | 6591962 | 2014-08-19 12:50:30 +0200 | [diff] [blame] | 1224 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1225 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1226 | mbedtls_ssl_send_alert_message( |
| 1227 | ssl, |
| 1228 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1229 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
| 1230 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1231 | } |
| 1232 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1233 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1234 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 1235 | if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) { |
| 1236 | MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request")); |
| 1237 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello")); |
| 1238 | return ssl_parse_hello_verify_request(ssl); |
| 1239 | } else { |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1240 | /* We made it through the verification process */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1241 | mbedtls_free(ssl->handshake->cookie); |
| XiaokangQian | 9b93c0d | 2022-02-09 06:02:25 +0000 | [diff] [blame] | 1242 | ssl->handshake->cookie = NULL; |
| Jerry Yu | ac5ca5a | 2022-03-04 12:50:46 +0800 | [diff] [blame] | 1243 | ssl->handshake->cookie_len = 0; |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1244 | } |
| 1245 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1246 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1247 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1248 | if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) || |
| 1249 | buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) { |
| 1250 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| 1251 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1252 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1253 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1254 | } |
| 1255 | |
| Manuel Pégourié-Gonnard | 0b3400d | 2014-09-10 21:23:41 +0200 | [diff] [blame] | 1256 | /* |
| 1257 | * 0 . 1 server_version |
| 1258 | * 2 . 33 random (maybe including 4 bytes of Unix time) |
| 1259 | * 34 . 34 session_id length = n |
| 1260 | * 35 . 34+n session_id |
| 1261 | * 35+n . 36+n cipher_suite |
| 1262 | * 37+n . 37+n compression_method |
| 1263 | * |
| 1264 | * 38+n . 39+n extensions length (optional) |
| 1265 | * 40+n . .. extensions |
| 1266 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1267 | buf += mbedtls_ssl_hs_hdr_len(ssl); |
| Manuel Pégourié-Gonnard | 0b3400d | 2014-09-10 21:23:41 +0200 | [diff] [blame] | 1268 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1269 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf, 2); |
| 1270 | ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport); |
| Glenn Strauss | 60bfe60 | 2022-03-14 19:04:24 -0400 | [diff] [blame] | 1271 | ssl->session_negotiate->tls_version = ssl->tls_version; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1272 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1273 | if (ssl->tls_version < ssl->conf->min_tls_version || |
| 1274 | ssl->tls_version > ssl->conf->max_tls_version) { |
| 1275 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1276 | ( |
| 1277 | "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]", |
| 1278 | (unsigned) ssl->conf->min_tls_version, |
| 1279 | (unsigned) ssl->tls_version, |
| 1280 | (unsigned) ssl->conf->max_tls_version)); |
| Paul Bakker | 1d29fb5 | 2012-09-28 13:28:45 +0000 | [diff] [blame] | 1281 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1282 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1283 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); |
| Paul Bakker | 1d29fb5 | 2012-09-28 13:28:45 +0000 | [diff] [blame] | 1284 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1285 | return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; |
| Paul Bakker | 1d29fb5 | 2012-09-28 13:28:45 +0000 | [diff] [blame] | 1286 | } |
| 1287 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1288 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu", |
| 1289 | ((unsigned long) buf[2] << 24) | |
| 1290 | ((unsigned long) buf[3] << 16) | |
| 1291 | ((unsigned long) buf[4] << 8) | |
| 1292 | ((unsigned long) buf[5]))); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1293 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1294 | memcpy(ssl->handshake->randbytes + 32, buf + 2, 32); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1295 | |
| Manuel Pégourié-Gonnard | 0b3400d | 2014-09-10 21:23:41 +0200 | [diff] [blame] | 1296 | n = buf[34]; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1297 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1298 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1299 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1300 | if (n > 32) { |
| 1301 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| 1302 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1303 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1304 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1305 | } |
| 1306 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1307 | if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) { |
| 1308 | ext_len = ((buf[38 + n] << 8) |
| 1309 | | (buf[39 + n])); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1310 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1311 | if ((ext_len > 0 && ext_len < 4) || |
| 1312 | ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) { |
| 1313 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1314 | mbedtls_ssl_send_alert_message( |
| 1315 | ssl, |
| 1316 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1317 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1318 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1319 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1320 | } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) { |
| Manuel Pégourié-Gonnard | f7cdbc0 | 2014-10-17 17:02:10 +0200 | [diff] [blame] | 1321 | ext_len = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1322 | } else { |
| 1323 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| 1324 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1325 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1326 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | f7cdbc0 | 2014-10-17 17:02:10 +0200 | [diff] [blame] | 1327 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1328 | |
| Manuel Pégourié-Gonnard | a0e1632 | 2014-07-14 17:38:41 +0200 | [diff] [blame] | 1329 | /* ciphersuite (used later) */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1330 | i = (buf[35 + n] << 8) | buf[36 + n]; |
| Manuel Pégourié-Gonnard | a0e1632 | 2014-07-14 17:38:41 +0200 | [diff] [blame] | 1331 | |
| 1332 | /* |
| 1333 | * Read and check compression |
| 1334 | */ |
| Manuel Pégourié-Gonnard | 0b3400d | 2014-09-10 21:23:41 +0200 | [diff] [blame] | 1335 | comp = buf[37 + n]; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1336 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1337 | if (comp != MBEDTLS_SSL_COMPRESS_NULL) { |
| 1338 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1339 | ("server hello, bad compression: %d", comp)); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1340 | mbedtls_ssl_send_alert_message( |
| 1341 | ssl, |
| 1342 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1343 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 1344 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Manuel Pégourié-Gonnard | a0e1632 | 2014-07-14 17:38:41 +0200 | [diff] [blame] | 1345 | } |
| 1346 | |
| Paul Bakker | 380da53 | 2012-04-18 16:10:25 +0000 | [diff] [blame] | 1347 | /* |
| 1348 | * Initialize update checksum functions |
| 1349 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1350 | ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i); |
| 1351 | if (ssl->handshake->ciphersuite_info == NULL) { |
| 1352 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1353 | ("ciphersuite info for %04x not found", (unsigned int) i)); |
| 1354 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1355 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
| 1356 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1357 | } |
| Paul Bakker | 380da53 | 2012-04-18 16:10:25 +0000 | [diff] [blame] | 1358 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1359 | mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info); |
| Manuel Pégourié-Gonnard | 3c599f1 | 2014-03-10 13:25:07 +0100 | [diff] [blame] | 1360 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1361 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n)); |
| 1362 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1363 | |
| 1364 | /* |
| 1365 | * Check if the session can be resumed |
| 1366 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1367 | if (ssl->handshake->resume == 0 || n == 0 || |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1368 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1369 | ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1370 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1371 | ssl->session_negotiate->ciphersuite != i || |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 1372 | ssl->session_negotiate->id_len != n || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1373 | memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) { |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1374 | ssl->state++; |
| Paul Bakker | 0a59707 | 2012-09-25 21:55:46 +0000 | [diff] [blame] | 1375 | ssl->handshake->resume = 0; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1376 | #if defined(MBEDTLS_HAVE_TIME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1377 | ssl->session_negotiate->start = mbedtls_time(NULL); |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 1378 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1379 | ssl->session_negotiate->ciphersuite = i; |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 1380 | ssl->session_negotiate->id_len = n; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1381 | memcpy(ssl->session_negotiate->id, buf + 35, n); |
| 1382 | } else { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1383 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1384 | } |
| 1385 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1386 | MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed", |
| 1387 | ssl->handshake->resume ? "a" : "no")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1388 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1389 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i)); |
| 1390 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d", |
| 1391 | buf[37 + n])); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1392 | |
| Andrzej Kurek | 03bac44 | 2018-04-25 05:06:07 -0400 | [diff] [blame] | 1393 | /* |
| 1394 | * Perform cipher suite validation in same way as in ssl_write_client_hello. |
| Mohammad Azim Khan | 1d3b508 | 2018-04-18 19:35:00 +0100 | [diff] [blame] | 1395 | */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1396 | i = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1397 | while (1) { |
| 1398 | if (ssl->conf->ciphersuite_list[i] == 0) { |
| 1399 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1400 | mbedtls_ssl_send_alert_message( |
| 1401 | ssl, |
| 1402 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1403 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 1404 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1405 | } |
| 1406 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1407 | if (ssl->conf->ciphersuite_list[i++] == |
| 1408 | ssl->session_negotiate->ciphersuite) { |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1409 | break; |
| Paul Bakker | 8f4ddae | 2013-04-15 15:09:54 +0200 | [diff] [blame] | 1410 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1411 | } |
| 1412 | |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1413 | suite_info = mbedtls_ssl_ciphersuite_from_id( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1414 | ssl->session_negotiate->ciphersuite); |
| 1415 | if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version, |
| 1416 | ssl->tls_version) != 0) { |
| 1417 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1418 | mbedtls_ssl_send_alert_message( |
| 1419 | ssl, |
| 1420 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1421 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1422 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Mohammad Azim Khan | 1d3b508 | 2018-04-18 19:35:00 +0100 | [diff] [blame] | 1423 | } |
| 1424 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1425 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 1426 | ("server hello, chosen ciphersuite: %s", suite_info->name)); |
| Mohammad Azim Khan | 1d3b508 | 2018-04-18 19:35:00 +0100 | [diff] [blame] | 1427 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1428 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1429 | if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA && |
| 1430 | ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { |
| Manuel Pégourié-Gonnard | da19f4c | 2018-06-12 12:40:54 +0200 | [diff] [blame] | 1431 | ssl->handshake->ecrs_enabled = 1; |
| 1432 | } |
| 1433 | #endif |
| 1434 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1435 | if (comp != MBEDTLS_SSL_COMPRESS_NULL) { |
| 1436 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1437 | mbedtls_ssl_send_alert_message( |
| 1438 | ssl, |
| 1439 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1440 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 1441 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1442 | } |
| 1443 | |
| Manuel Pégourié-Gonnard | 0b3400d | 2014-09-10 21:23:41 +0200 | [diff] [blame] | 1444 | ext = buf + 40 + n; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1445 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1446 | MBEDTLS_SSL_DEBUG_MSG(2, |
| 1447 | ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, |
| 1448 | ext_len)); |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 1449 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1450 | while (ext_len) { |
| 1451 | unsigned int ext_id = ((ext[0] << 8) |
| 1452 | | (ext[1])); |
| 1453 | unsigned int ext_size = ((ext[2] << 8) |
| 1454 | | (ext[3])); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1455 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1456 | if (ext_size + 4 > ext_len) { |
| 1457 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1458 | mbedtls_ssl_send_alert_message( |
| 1459 | ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1460 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1461 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1462 | } |
| 1463 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1464 | switch (ext_id) { |
| 1465 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: |
| 1466 | MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension")); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1467 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1468 | renegotiation_info_seen = 1; |
| Manuel Pégourié-Gonnard | eaecbd3 | 2014-11-06 02:38:02 +0100 | [diff] [blame] | 1469 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1470 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1471 | if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4, |
| 1472 | ext_size)) != 0) { |
| 1473 | return ret; |
| 1474 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1475 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1476 | break; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1477 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1478 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1479 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: |
| 1480 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 1481 | ("found max_fragment_length extension")); |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 1482 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1483 | if ((ret = ssl_parse_max_fragment_length_ext(ssl, |
| 1484 | ext + 4, ext_size)) != 0) { |
| 1485 | return ret; |
| 1486 | } |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 1487 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1488 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1489 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 1490 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1491 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1492 | case MBEDTLS_TLS_EXT_CID: |
| 1493 | MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension")); |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 1494 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1495 | if ((ret = ssl_parse_cid_ext(ssl, |
| 1496 | ext + 4, |
| 1497 | ext_size)) != 0) { |
| 1498 | return ret; |
| 1499 | } |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 1500 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1501 | break; |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1502 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 1503 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1504 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1505 | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: |
| 1506 | MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension")); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1507 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1508 | if ((ret = ssl_parse_encrypt_then_mac_ext(ssl, |
| 1509 | ext + 4, ext_size)) != 0) { |
| 1510 | return ret; |
| 1511 | } |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1512 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1513 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1514 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1515 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1516 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1517 | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: |
| 1518 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 1519 | ("found extended_master_secret extension")); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1520 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1521 | if ((ret = ssl_parse_extended_ms_ext(ssl, |
| 1522 | ext + 4, ext_size)) != 0) { |
| 1523 | return ret; |
| 1524 | } |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1525 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1526 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1527 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1528 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1529 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1530 | case MBEDTLS_TLS_EXT_SESSION_TICKET: |
| 1531 | MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension")); |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 1532 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1533 | if ((ret = ssl_parse_session_ticket_ext(ssl, |
| 1534 | ext + 4, ext_size)) != 0) { |
| 1535 | return ret; |
| 1536 | } |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 1537 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1538 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1539 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 1540 | |
| Robert Cragie | 136884c | 2015-10-02 13:34:31 +0100 | [diff] [blame] | 1541 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1542 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 1543 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: |
| 1544 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 1545 | ("found supported_point_formats extension")); |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1546 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1547 | if ((ret = ssl_parse_supported_point_formats_ext(ssl, |
| 1548 | ext + 4, ext_size)) != 0) { |
| 1549 | return ret; |
| 1550 | } |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1551 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1552 | break; |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 1553 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| 1554 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1555 | |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 1556 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1557 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: |
| 1558 | MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension")); |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 1559 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1560 | if ((ret = ssl_parse_ecjpake_kkpp(ssl, |
| 1561 | ext + 4, ext_size)) != 0) { |
| 1562 | return ret; |
| 1563 | } |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 1564 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1565 | break; |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 1566 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1567 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1568 | #if defined(MBEDTLS_SSL_ALPN) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1569 | case MBEDTLS_TLS_EXT_ALPN: |
| 1570 | MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 1571 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1572 | if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) { |
| 1573 | return ret; |
| 1574 | } |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 1575 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1576 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1577 | #endif /* MBEDTLS_SSL_ALPN */ |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 1578 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1579 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1580 | case MBEDTLS_TLS_EXT_USE_SRTP: |
| 1581 | MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension")); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1582 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1583 | if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) { |
| 1584 | return ret; |
| 1585 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1586 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1587 | break; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1588 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 1589 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1590 | default: |
| 1591 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 1592 | ("unknown extension found: %u (ignoring)", ext_id)); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1593 | } |
| 1594 | |
| 1595 | ext_len -= 4 + ext_size; |
| 1596 | ext += 4 + ext_size; |
| 1597 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1598 | if (ext_len > 0 && ext_len < 4) { |
| 1599 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| 1600 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1601 | } |
| 1602 | } |
| 1603 | |
| 1604 | /* |
| Andrzej Kurek | 21b5080 | 2022-07-06 03:26:55 -0400 | [diff] [blame] | 1605 | * mbedtls_ssl_derive_keys() has to be called after the parsing of the |
| 1606 | * extensions. It sets the transform data for the resumed session which in |
| 1607 | * case of DTLS includes the server CID extracted from the CID extension. |
| 1608 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1609 | if (ssl->handshake->resume) { |
| 1610 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 1611 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| Andrzej Kurek | 7cf8725 | 2022-06-14 07:12:33 -0400 | [diff] [blame] | 1612 | mbedtls_ssl_send_alert_message( |
| 1613 | ssl, |
| 1614 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1615 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
| 1616 | return ret; |
| Andrzej Kurek | 7cf8725 | 2022-06-14 07:12:33 -0400 | [diff] [blame] | 1617 | } |
| 1618 | } |
| 1619 | |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1620 | /* |
| 1621 | * Renegotiation security checks |
| 1622 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1623 | if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1624 | ssl->conf->allow_legacy_renegotiation == |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1625 | MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) { |
| 1626 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1627 | ("legacy renegotiation, breaking off handshake")); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1628 | handshake_failure = 1; |
| 1629 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1630 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1631 | else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1632 | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1633 | renegotiation_info_seen == 0) { |
| 1634 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1635 | ("renegotiation_info extension missing (secure)")); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1636 | handshake_failure = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1637 | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1638 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 1639 | ssl->conf->allow_legacy_renegotiation == |
| 1640 | MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) { |
| 1641 | MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1642 | handshake_failure = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1643 | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1644 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 1645 | renegotiation_info_seen == 1) { |
| 1646 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1647 | ("renegotiation_info extension present (legacy)")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1648 | handshake_failure = 1; |
| 1649 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1650 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1651 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1652 | if (handshake_failure == 1) { |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1653 | mbedtls_ssl_send_alert_message( |
| 1654 | ssl, |
| 1655 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1656 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1657 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1658 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1659 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1660 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1661 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1662 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1663 | } |
| 1664 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1665 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| 1666 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1667 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1668 | static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl, |
| 1669 | unsigned char **p, |
| 1670 | unsigned char *end) |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1671 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1672 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Gilles Peskine | e8a2fc8 | 2020-12-08 22:46:11 +0100 | [diff] [blame] | 1673 | size_t dhm_actual_bitlen; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1674 | |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1675 | /* |
| 1676 | * Ephemeral DH parameters: |
| 1677 | * |
| 1678 | * struct { |
| 1679 | * opaque dh_p<1..2^16-1>; |
| 1680 | * opaque dh_g<1..2^16-1>; |
| 1681 | * opaque dh_Ys<1..2^16-1>; |
| 1682 | * } ServerDHParams; |
| 1683 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1684 | if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx, |
| 1685 | p, end)) != 0) { |
| 1686 | MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret); |
| 1687 | return ret; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1688 | } |
| 1689 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1690 | dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx); |
| 1691 | if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) { |
| 1692 | MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u", |
| 1693 | dhm_actual_bitlen, |
| 1694 | ssl->conf->dhm_min_bitlen)); |
| 1695 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1696 | } |
| 1697 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1698 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P); |
| 1699 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G); |
| 1700 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY); |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1701 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1702 | return ret; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1703 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1704 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
| 1705 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1706 | |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 1707 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Andrzej Kurek | 468c506 | 2022-10-24 10:30:14 -0400 | [diff] [blame] | 1708 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 1709 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
| 1710 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1711 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1712 | static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl, |
| 1713 | unsigned char **p, |
| 1714 | unsigned char *end) |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1715 | { |
| 1716 | uint16_t tls_id; |
| 1717 | uint8_t ecpoint_len; |
| 1718 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 1719 | psa_ecc_family_t ec_psa_family = 0; |
| 1720 | size_t ec_bits = 0; |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1721 | |
| 1722 | /* |
| Manuel Pégourié-Gonnard | e511989 | 2021-12-09 11:45:03 +0100 | [diff] [blame] | 1723 | * struct { |
| 1724 | * ECParameters curve_params; |
| 1725 | * ECPoint public; |
| 1726 | * } ServerECDHParams; |
| 1727 | * |
| Manuel Pégourié-Gonnard | 422370d | 2022-02-07 11:55:21 +0100 | [diff] [blame] | 1728 | * 1 curve_type (must be "named_curve") |
| Manuel Pégourié-Gonnard | e511989 | 2021-12-09 11:45:03 +0100 | [diff] [blame] | 1729 | * 2..3 NamedCurve |
| 1730 | * 4 ECPoint.len |
| 1731 | * 5+ ECPoint contents |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1732 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1733 | if (end - *p < 4) { |
| 1734 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1735 | } |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1736 | |
| 1737 | /* First byte is curve_type; only named_curve is handled */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1738 | if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) { |
| 1739 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1740 | } |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1741 | |
| 1742 | /* Next two bytes are the namedcurve value */ |
| 1743 | tls_id = *(*p)++; |
| 1744 | tls_id <<= 8; |
| 1745 | tls_id |= *(*p)++; |
| 1746 | |
| Manuel Pégourié-Gonnard | 141be6c | 2022-01-25 11:46:19 +0100 | [diff] [blame] | 1747 | /* Check it's a curve we offered */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1748 | if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) { |
| 1749 | MBEDTLS_SSL_DEBUG_MSG(2, |
| 1750 | ("bad server key exchange message (ECDHE curve): %u", |
| 1751 | (unsigned) tls_id)); |
| 1752 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | ff229cf | 2022-02-07 12:00:32 +0100 | [diff] [blame] | 1753 | } |
| Manuel Pégourié-Gonnard | 141be6c | 2022-01-25 11:46:19 +0100 | [diff] [blame] | 1754 | |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 1755 | /* Convert EC's TLS ID to PSA key type. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1756 | if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ec_psa_family, |
| 1757 | &ec_bits) == PSA_ERROR_NOT_SUPPORTED) { |
| 1758 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1759 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1760 | handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family); |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 1761 | handshake->ecdh_bits = ec_bits; |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1762 | |
| Manuel Pégourié-Gonnard | 4a0ac1f | 2022-01-18 12:30:40 +0100 | [diff] [blame] | 1763 | /* Keep a copy of the peer's public key */ |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1764 | ecpoint_len = *(*p)++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1765 | if ((size_t) (end - *p) < ecpoint_len) { |
| 1766 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1767 | } |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1768 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1769 | if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) { |
| 1770 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1771 | } |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1772 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1773 | memcpy(handshake->ecdh_psa_peerkey, *p, ecpoint_len); |
| Manuel Pégourié-Gonnard | 4a0ac1f | 2022-01-18 12:30:40 +0100 | [diff] [blame] | 1774 | handshake->ecdh_psa_peerkey_len = ecpoint_len; |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1775 | *p += ecpoint_len; |
| Manuel Pégourié-Gonnard | 4a0ac1f | 2022-01-18 12:30:40 +0100 | [diff] [blame] | 1776 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1777 | return 0; |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1778 | } |
| Andrzej Kurek | 468c506 | 2022-10-24 10:30:14 -0400 | [diff] [blame] | 1779 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 1780 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || |
| 1781 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 1782 | #else |
| Andrzej Kurek | 468c506 | 2022-10-24 10:30:14 -0400 | [diff] [blame] | 1783 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 1784 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 1785 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
| 1786 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| 1787 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1788 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1789 | static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl) |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1790 | { |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 1791 | uint16_t tls_id; |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1792 | mbedtls_ecp_group_id grp_id; |
| 1793 | #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) |
| 1794 | grp_id = ssl->handshake->ecdh_ctx.grp.id; |
| 1795 | #else |
| 1796 | grp_id = ssl->handshake->ecdh_ctx.grp_id; |
| 1797 | #endif |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1798 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1799 | tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); |
| 1800 | if (tls_id == 0) { |
| 1801 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 1802 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1803 | } |
| 1804 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1805 | MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", |
| 1806 | mbedtls_ssl_get_curve_name_from_tls_id(tls_id))); |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1807 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1808 | if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) { |
| 1809 | return -1; |
| 1810 | } |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1811 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1812 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 1813 | MBEDTLS_DEBUG_ECDH_QP); |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1814 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1815 | return 0; |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1816 | } |
| 1817 | |
| Andrzej Kurek | 468c506 | 2022-10-24 10:30:14 -0400 | [diff] [blame] | 1818 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 1819 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| 1820 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || |
| 1821 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
| 1822 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| 1823 | |
| 1824 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 1825 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
| 1826 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1827 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1828 | static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl, |
| 1829 | unsigned char **p, |
| 1830 | unsigned char *end) |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1831 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1832 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1833 | |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1834 | /* |
| 1835 | * Ephemeral ECDH parameters: |
| 1836 | * |
| 1837 | * struct { |
| 1838 | * ECParameters curve_params; |
| 1839 | * ECPoint public; |
| 1840 | * } ServerECDHParams; |
| 1841 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1842 | if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx, |
| 1843 | (const unsigned char **) p, end)) != 0) { |
| 1844 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret); |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1845 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1846 | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 1c1c20e | 2018-09-12 10:34:43 +0200 | [diff] [blame] | 1847 | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1848 | } |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 1849 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1850 | return ret; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1851 | } |
| 1852 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1853 | if (ssl_check_server_ecdh_params(ssl) != 0) { |
| 1854 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1855 | ("bad server key exchange message (ECDHE curve)")); |
| 1856 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1857 | } |
| 1858 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1859 | return ret; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1860 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1861 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \ |
| 1862 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ |
| Andrzej Kurek | 468c506 | 2022-10-24 10:30:14 -0400 | [diff] [blame] | 1863 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
| 1864 | #endif /* !MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1865 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1866 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1867 | static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl, |
| 1868 | unsigned char **p, |
| 1869 | unsigned char *end) |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1870 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1871 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| irwir | 6527bd6 | 2019-09-21 18:51:25 +0300 | [diff] [blame] | 1872 | uint16_t len; |
| Paul Bakker | c5a79cc | 2013-06-26 15:08:35 +0200 | [diff] [blame] | 1873 | ((void) ssl); |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1874 | |
| 1875 | /* |
| 1876 | * PSK parameters: |
| 1877 | * |
| 1878 | * opaque psk_identity_hint<0..2^16-1>; |
| 1879 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1880 | if (end - (*p) < 2) { |
| 1881 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1882 | ("bad server key exchange message (psk_identity_hint length)")); |
| 1883 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Krzysztof Stachowiak | 740b218 | 2018-03-13 11:31:14 +0100 | [diff] [blame] | 1884 | } |
| Manuel Pégourié-Gonnard | 59b9fe2 | 2013-10-15 11:55:33 +0200 | [diff] [blame] | 1885 | len = (*p)[0] << 8 | (*p)[1]; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 1886 | *p += 2; |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1887 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1888 | if (end - (*p) < len) { |
| 1889 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1890 | ("bad server key exchange message (psk_identity_hint length)")); |
| 1891 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1892 | } |
| 1893 | |
| Manuel Pégourié-Gonnard | 9d62412 | 2016-02-22 11:10:14 +0100 | [diff] [blame] | 1894 | /* |
| Tom Cosgrove | ed4f59e | 2022-12-05 12:07:50 +0000 | [diff] [blame] | 1895 | * Note: we currently ignore the PSK identity hint, as we only allow one |
| Tom Cosgrove | 1797b05 | 2022-12-04 17:19:59 +0000 | [diff] [blame] | 1896 | * PSK to be provisioned on the client. This could be changed later if |
| Manuel Pégourié-Gonnard | 9d62412 | 2016-02-22 11:10:14 +0100 | [diff] [blame] | 1897 | * someone needs that feature. |
| 1898 | */ |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1899 | *p += len; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 1900 | ret = 0; |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1901 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1902 | return ret; |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1903 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1904 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1905 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1906 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| 1907 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1908 | /* |
| 1909 | * Generate a pre-master secret and encrypt it with the server's RSA key |
| 1910 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1911 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1912 | static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl, |
| 1913 | size_t offset, size_t *olen, |
| 1914 | size_t pms_offset) |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1915 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 1916 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1917 | size_t len_bytes = 2; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1918 | unsigned char *p = ssl->handshake->premaster + pms_offset; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1919 | mbedtls_pk_context *peer_pk; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1920 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1921 | if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) { |
| 1922 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms")); |
| 1923 | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
| Manuel Pégourié-Gonnard | c6b5d83 | 2015-08-27 16:37:35 +0200 | [diff] [blame] | 1924 | } |
| 1925 | |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1926 | /* |
| 1927 | * Generate (part of) the pre-master as |
| 1928 | * struct { |
| 1929 | * ProtocolVersion client_version; |
| 1930 | * opaque random[46]; |
| 1931 | * } PreMasterSecret; |
| 1932 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1933 | mbedtls_ssl_write_version(p, ssl->conf->transport, |
| 1934 | MBEDTLS_SSL_VERSION_TLS1_2); |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1935 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1936 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) { |
| 1937 | MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret); |
| 1938 | return ret; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1939 | } |
| 1940 | |
| 1941 | ssl->handshake->pmslen = 48; |
| 1942 | |
| Hanno Becker | c7d7e29 | 2019-02-06 16:49:54 +0000 | [diff] [blame] | 1943 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 1944 | peer_pk = &ssl->handshake->peer_pubkey; |
| 1945 | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1946 | if (ssl->session_negotiate->peer_cert == NULL) { |
| Hanno Becker | 8273df8 | 2019-02-06 17:37:32 +0000 | [diff] [blame] | 1947 | /* Should never happen */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1948 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 1949 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 7f2f062 | 2015-09-03 10:44:32 +0200 | [diff] [blame] | 1950 | } |
| Hanno Becker | c7d7e29 | 2019-02-06 16:49:54 +0000 | [diff] [blame] | 1951 | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
| 1952 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Manuel Pégourié-Gonnard | 7f2f062 | 2015-09-03 10:44:32 +0200 | [diff] [blame] | 1953 | |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1954 | /* |
| 1955 | * Now write it out, encrypted |
| 1956 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1957 | if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) { |
| 1958 | MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch")); |
| 1959 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1960 | } |
| 1961 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1962 | if ((ret = mbedtls_pk_encrypt(peer_pk, |
| 1963 | p, ssl->handshake->pmslen, |
| 1964 | ssl->out_msg + offset + len_bytes, olen, |
| 1965 | MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes, |
| 1966 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 1967 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret); |
| 1968 | return ret; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1969 | } |
| 1970 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1971 | if (len_bytes == 2) { |
| 1972 | MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset); |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1973 | *olen += 2; |
| 1974 | } |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1975 | |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 1976 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 1977 | /* We don't need the peer's public key anymore. Free it. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1978 | mbedtls_pk_free(peer_pk); |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 1979 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1980 | return 0; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1981 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1982 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || |
| 1983 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1984 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1985 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 1986 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1987 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1988 | static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 1989 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 1990 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1991 | const mbedtls_ecp_keypair *peer_key; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1992 | mbedtls_pk_context *peer_pk; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 1993 | |
| Hanno Becker | be7f508 | 2019-02-06 17:44:07 +0000 | [diff] [blame] | 1994 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 1995 | peer_pk = &ssl->handshake->peer_pubkey; |
| 1996 | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1997 | if (ssl->session_negotiate->peer_cert == NULL) { |
| Hanno Becker | 8273df8 | 2019-02-06 17:37:32 +0000 | [diff] [blame] | 1998 | /* Should never happen */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1999 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2000 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 7f2f062 | 2015-09-03 10:44:32 +0200 | [diff] [blame] | 2001 | } |
| Hanno Becker | be7f508 | 2019-02-06 17:44:07 +0000 | [diff] [blame] | 2002 | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
| 2003 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Manuel Pégourié-Gonnard | 7f2f062 | 2015-09-03 10:44:32 +0200 | [diff] [blame] | 2004 | |
| Manuel Pégourié-Gonnard | 66b0d61 | 2022-06-17 10:49:29 +0200 | [diff] [blame] | 2005 | /* This is a public key, so it can't be opaque, so can_do() is a good |
| 2006 | * enough check to ensure pk_ec() is safe to use below. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2007 | if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) { |
| 2008 | MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable")); |
| 2009 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2010 | } |
| 2011 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2012 | peer_key = mbedtls_pk_ec(*peer_pk); |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2013 | |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2014 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Przemek Stekiel | 561a423 | 2022-03-16 13:16:24 +0100 | [diff] [blame] | 2015 | size_t olen = 0; |
| Valerio Setti | 2b5d3de | 2023-01-09 11:04:52 +0100 | [diff] [blame] | 2016 | uint16_t tls_id = 0; |
| 2017 | psa_ecc_family_t ecc_family; |
| Przemek Stekiel | 561a423 | 2022-03-16 13:16:24 +0100 | [diff] [blame] | 2018 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2019 | if (mbedtls_ssl_check_curve(ssl, peer_key->grp.id) != 0) { |
| 2020 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)")); |
| 2021 | return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; |
| Przemek Stekiel | 561a423 | 2022-03-16 13:16:24 +0100 | [diff] [blame] | 2022 | } |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2023 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2024 | tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(peer_key->grp.id); |
| 2025 | if (tls_id == 0) { |
| 2026 | MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported", |
| 2027 | peer_key->grp.id)); |
| 2028 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2029 | } |
| 2030 | |
| Valerio Setti | 1e868cc | 2023-01-09 17:30:01 +0100 | [diff] [blame] | 2031 | /* If the above conversion to TLS ID was fine, then also this one will be, |
| 2032 | so there is no need to check the return value here */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2033 | mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ecc_family, |
| 2034 | &ssl->handshake->ecdh_bits); |
| Valerio Setti | 2b5d3de | 2023-01-09 11:04:52 +0100 | [diff] [blame] | 2035 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2036 | ssl->handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family); |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2037 | |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2038 | /* Store peer's public key in psa format. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2039 | ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q, |
| 2040 | MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, |
| 2041 | ssl->handshake->ecdh_psa_peerkey, |
| 2042 | MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH); |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2043 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2044 | if (ret != 0) { |
| 2045 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret); |
| 2046 | return ret; |
| Przemek Stekiel | 561a423 | 2022-03-16 13:16:24 +0100 | [diff] [blame] | 2047 | } |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2048 | |
| Przemek Stekiel | 561a423 | 2022-03-16 13:16:24 +0100 | [diff] [blame] | 2049 | ssl->handshake->ecdh_psa_peerkey_len = olen; |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2050 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2051 | if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key, |
| 2052 | MBEDTLS_ECDH_THEIRS)) != 0) { |
| 2053 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret); |
| 2054 | return ret; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2055 | } |
| 2056 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2057 | if (ssl_check_server_ecdh_params(ssl) != 0) { |
| 2058 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)")); |
| 2059 | return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2060 | } |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2061 | #endif |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 2062 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 2063 | /* We don't need the peer's public key anymore. Free it, |
| 2064 | * so that more RAM is available for upcoming expensive |
| 2065 | * operations like ECDHE. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2066 | mbedtls_pk_free(peer_pk); |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 2067 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 2068 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2069 | return ret; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2070 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2071 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || |
| 2072 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2073 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2074 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2075 | static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2076 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2077 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2078 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2079 | ssl->handshake->ciphersuite_info; |
| Andres Amaya Garcia | 53c77cc | 2017-06-27 16:15:06 +0100 | [diff] [blame] | 2080 | unsigned char *p = NULL, *end = NULL; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2081 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2082 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2083 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2084 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2085 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { |
| 2086 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2087 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2088 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2089 | } |
| Manuel Pégourié-Gonnard | bac0e3b | 2013-10-15 11:54:47 +0200 | [diff] [blame] | 2090 | ((void) p); |
| 2091 | ((void) end); |
| 2092 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2093 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2094 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 2095 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2096 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| 2097 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { |
| 2098 | if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) { |
| 2099 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2100 | mbedtls_ssl_send_alert_message( |
| 2101 | ssl, |
| 2102 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2103 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 2104 | return ret; |
| Manuel Pégourié-Gonnard | ab24010 | 2014-02-04 16:18:07 +0100 | [diff] [blame] | 2105 | } |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2106 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2107 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange")); |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2108 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2109 | return 0; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2110 | } |
| 2111 | ((void) p); |
| 2112 | ((void) end); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2113 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| 2114 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2115 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2116 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2117 | if (ssl->handshake->ecrs_enabled && |
| 2118 | ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) { |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 2119 | goto start_processing; |
| Manuel Pégourié-Gonnard | d27d1a5 | 2017-08-15 11:49:08 +0200 | [diff] [blame] | 2120 | } |
| Manuel Pégourié-Gonnard | 1f1f2a1 | 2017-05-18 11:27:06 +0200 | [diff] [blame] | 2121 | #endif |
| 2122 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2123 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| 2124 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 2125 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2126 | } |
| 2127 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2128 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 2129 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2130 | mbedtls_ssl_send_alert_message( |
| 2131 | ssl, |
| 2132 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2133 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
| 2134 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2135 | } |
| 2136 | |
| Manuel Pégourié-Gonnard | 09258b9 | 2013-10-15 10:43:36 +0200 | [diff] [blame] | 2137 | /* |
| 2138 | * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server |
| 2139 | * doesn't use a psk_identity_hint |
| 2140 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2141 | if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) { |
| 2142 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
| 2143 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2144 | /* Current message is probably either |
| 2145 | * CertificateRequest or ServerHelloDone */ |
| 2146 | ssl->keep_current_message = 1; |
| Paul Bakker | 188c8de | 2013-04-19 09:13:37 +0200 | [diff] [blame] | 2147 | goto exit; |
| 2148 | } |
| 2149 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2150 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 2151 | ("server key exchange message must not be skipped")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2152 | mbedtls_ssl_send_alert_message( |
| 2153 | ssl, |
| 2154 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2155 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2156 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2157 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2158 | } |
| 2159 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2160 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2161 | if (ssl->handshake->ecrs_enabled) { |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 2162 | ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2163 | } |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 2164 | |
| 2165 | start_processing: |
| 2166 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2167 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
| Paul Bakker | 3b6a07b | 2013-03-21 11:56:50 +0100 | [diff] [blame] | 2168 | end = ssl->in_msg + ssl->in_hslen; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2169 | MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p); |
| Paul Bakker | 3b6a07b | 2013-03-21 11:56:50 +0100 | [diff] [blame] | 2170 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2171 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2172 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2173 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
| 2174 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2175 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| 2176 | if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) { |
| 2177 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2178 | mbedtls_ssl_send_alert_message( |
| 2179 | ssl, |
| 2180 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2181 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2182 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 09258b9 | 2013-10-15 10:43:36 +0200 | [diff] [blame] | 2183 | } |
| Shaun Case | 8b0ecbc | 2021-12-20 21:14:10 -0800 | [diff] [blame] | 2184 | } /* FALLTHROUGH */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2185 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Manuel Pégourié-Gonnard | 09258b9 | 2013-10-15 10:43:36 +0200 | [diff] [blame] | 2186 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2187 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ |
| 2188 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2189 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
| 2190 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
| Manuel Pégourié-Gonnard | 09258b9 | 2013-10-15 10:43:36 +0200 | [diff] [blame] | 2191 | ; /* nothing more to do */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2192 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2193 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || |
| 2194 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| 2195 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| 2196 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2197 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || |
| 2198 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { |
| 2199 | if (ssl_parse_server_dh_params(ssl, &p, end) != 0) { |
| 2200 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2201 | mbedtls_ssl_send_alert_message( |
| 2202 | ssl, |
| 2203 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2204 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 2205 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 2206 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2207 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2208 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
| 2209 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 2210 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 2211 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2212 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2213 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2214 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2215 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) { |
| 2216 | if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) { |
| 2217 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2218 | mbedtls_ssl_send_alert_message( |
| 2219 | ssl, |
| 2220 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2221 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 2222 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2223 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2224 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2225 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 2226 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || |
| 2227 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2228 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2229 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2230 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Valerio Setti | 9bed8ec | 2022-11-17 16:36:19 +0100 | [diff] [blame] | 2231 | /* |
| 2232 | * The first 3 bytes are: |
| 2233 | * [0] MBEDTLS_ECP_TLS_NAMED_CURVE |
| 2234 | * [1, 2] elliptic curve's TLS ID |
| 2235 | * |
| 2236 | * However since we only support secp256r1 for now, we check only |
| 2237 | * that TLS ID here |
| 2238 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2239 | uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1); |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 2240 | uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2241 | MBEDTLS_ECP_DP_SECP256R1); |
| Valerio Setti | 9bed8ec | 2022-11-17 16:36:19 +0100 | [diff] [blame] | 2242 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2243 | if (exp_tls_id == 0) { |
| 2244 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Valerio Setti | 9bed8ec | 2022-11-17 16:36:19 +0100 | [diff] [blame] | 2245 | } |
| 2246 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2247 | if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) || |
| 2248 | (read_tls_id != exp_tls_id)) { |
| 2249 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Valerio Setti | 5151bdf | 2022-11-21 14:30:02 +0100 | [diff] [blame] | 2250 | } |
| Valerio Setti | 9bed8ec | 2022-11-17 16:36:19 +0100 | [diff] [blame] | 2251 | |
| 2252 | p += 3; |
| 2253 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2254 | if ((ret = mbedtls_psa_ecjpake_read_round( |
| 2255 | &ssl->handshake->psa_pake_ctx, p, end - p, |
| 2256 | MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) { |
| 2257 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 2258 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2259 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2260 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2261 | mbedtls_ssl_send_alert_message( |
| 2262 | ssl, |
| 2263 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2264 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 2265 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2266 | } |
| 2267 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2268 | ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx, |
| 2269 | p, end - p); |
| 2270 | if (ret != 0) { |
| 2271 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2272 | mbedtls_ssl_send_alert_message( |
| 2273 | ssl, |
| 2274 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2275 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 2276 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2277 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2278 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2279 | } else |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2280 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2281 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2282 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2283 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2284 | } |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 2285 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2286 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2287 | if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) { |
| Manuel Pégourié-Gonnard | d92d6a1 | 2014-09-10 15:25:02 +0000 | [diff] [blame] | 2288 | size_t sig_len, hashlen; |
| Przemek Stekiel | 40afdd2 | 2022-09-06 13:08:28 +0200 | [diff] [blame] | 2289 | unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; |
| 2290 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2291 | mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; |
| 2292 | mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2293 | unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
| Manuel Pégourié-Gonnard | d92d6a1 | 2014-09-10 15:25:02 +0000 | [diff] [blame] | 2294 | size_t params_len = p - params; |
| Manuel Pégourié-Gonnard | 1f1f2a1 | 2017-05-18 11:27:06 +0200 | [diff] [blame] | 2295 | void *rs_ctx = NULL; |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2296 | uint16_t sig_alg; |
| Manuel Pégourié-Gonnard | efebb0a | 2013-08-19 12:06:38 +0200 | [diff] [blame] | 2297 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2298 | mbedtls_pk_context *peer_pk; |
| Hanno Becker | a6899bb | 2019-02-06 18:26:03 +0000 | [diff] [blame] | 2299 | |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2300 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 2301 | peer_pk = &ssl->handshake->peer_pubkey; |
| 2302 | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2303 | if (ssl->session_negotiate->peer_cert == NULL) { |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2304 | /* Should never happen */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2305 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2306 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2307 | } |
| 2308 | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
| 2309 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 2310 | |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 2311 | /* |
| 2312 | * Handle the digitally-signed structure |
| 2313 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2314 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 2315 | sig_alg = MBEDTLS_GET_UINT16_BE(p, 0); |
| 2316 | if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( |
| 2317 | sig_alg, &pk_alg, &md_alg) != 0 && |
| 2318 | !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) && |
| 2319 | !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) { |
| 2320 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 2321 | ("bad server key exchange message")); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2322 | mbedtls_ssl_send_alert_message( |
| 2323 | ssl, |
| 2324 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2325 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 2326 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 2327 | } |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2328 | p += 2; |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2329 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2330 | if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { |
| 2331 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 2332 | ("bad server key exchange message")); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2333 | mbedtls_ssl_send_alert_message( |
| 2334 | ssl, |
| 2335 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2336 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 2337 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | 9659dae | 2013-08-28 16:21:34 +0200 | [diff] [blame] | 2338 | } |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 2339 | |
| 2340 | /* |
| 2341 | * Read signature |
| 2342 | */ |
| Krzysztof Stachowiak | a1098f8 | 2018-03-13 11:28:49 +0100 | [diff] [blame] | 2343 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2344 | if (p > end - 2) { |
| 2345 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2346 | mbedtls_ssl_send_alert_message( |
| 2347 | ssl, |
| 2348 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2349 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2350 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Krzysztof Stachowiak | a1098f8 | 2018-03-13 11:28:49 +0100 | [diff] [blame] | 2351 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2352 | sig_len = (p[0] << 8) | p[1]; |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 2353 | p += 2; |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 2354 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2355 | if (p != end - sig_len) { |
| 2356 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2357 | mbedtls_ssl_send_alert_message( |
| 2358 | ssl, |
| 2359 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2360 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2361 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2362 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2363 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2364 | MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len); |
| Manuel Pégourié-Gonnard | ff56da3 | 2013-07-11 10:46:21 +0200 | [diff] [blame] | 2365 | |
| Manuel Pégourié-Gonnard | efebb0a | 2013-08-19 12:06:38 +0200 | [diff] [blame] | 2366 | /* |
| 2367 | * Compute the hash that has been signed |
| 2368 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2369 | if (md_alg != MBEDTLS_MD_NONE) { |
| 2370 | ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen, |
| 2371 | params, params_len, |
| 2372 | md_alg); |
| 2373 | if (ret != 0) { |
| 2374 | return ret; |
| 2375 | } |
| 2376 | } else { |
| 2377 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2378 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 2379 | } |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 2380 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2381 | MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen); |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 2382 | |
| Manuel Pégourié-Gonnard | efebb0a | 2013-08-19 12:06:38 +0200 | [diff] [blame] | 2383 | /* |
| 2384 | * Verify signature |
| 2385 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2386 | if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { |
| 2387 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2388 | mbedtls_ssl_send_alert_message( |
| 2389 | ssl, |
| 2390 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2391 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 2392 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| Manuel Pégourié-Gonnard | efebb0a | 2013-08-19 12:06:38 +0200 | [diff] [blame] | 2393 | } |
| 2394 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2395 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2396 | if (ssl->handshake->ecrs_enabled) { |
| Manuel Pégourié-Gonnard | 15d7df2 | 2017-08-17 14:33:31 +0200 | [diff] [blame] | 2397 | rs_ctx = &ssl->handshake->ecrs_ctx.pk; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2398 | } |
| Manuel Pégourié-Gonnard | 1f1f2a1 | 2017-05-18 11:27:06 +0200 | [diff] [blame] | 2399 | #endif |
| 2400 | |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2401 | #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2402 | if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2403 | mbedtls_pk_rsassa_pss_options rsassa_pss_options; |
| 2404 | rsassa_pss_options.mgf1_hash_id = md_alg; |
| Andrzej Kurek | 0ce5921 | 2022-08-17 07:54:34 -0400 | [diff] [blame] | 2405 | rsassa_pss_options.expected_salt_len = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2406 | mbedtls_hash_info_get_size(md_alg); |
| 2407 | if (rsassa_pss_options.expected_salt_len == 0) { |
| 2408 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 2409 | } |
| Andrzej Kurek | 0ce5921 | 2022-08-17 07:54:34 -0400 | [diff] [blame] | 2410 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2411 | ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options, |
| 2412 | peer_pk, |
| 2413 | md_alg, hash, hashlen, |
| 2414 | p, sig_len); |
| 2415 | } else |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2416 | #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2417 | ret = mbedtls_pk_verify_restartable(peer_pk, |
| 2418 | md_alg, hash, hashlen, p, sig_len, rs_ctx); |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2419 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2420 | if (ret != 0) { |
| David Horstmann | b21bbef | 2022-10-06 17:49:31 +0100 | [diff] [blame] | 2421 | int send_alert_msg = 1; |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2422 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2423 | send_alert_msg = (ret != MBEDTLS_ERR_ECP_IN_PROGRESS); |
| Manuel Pégourié-Gonnard | 1f1f2a1 | 2017-05-18 11:27:06 +0200 | [diff] [blame] | 2424 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2425 | if (send_alert_msg) { |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2426 | mbedtls_ssl_send_alert_message( |
| 2427 | ssl, |
| 2428 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2429 | MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); |
| 2430 | } |
| 2431 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2432 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2433 | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2434 | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2435 | } |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2436 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2437 | return ret; |
| Paul Bakker | c3f177a | 2012-04-11 16:11:49 +0000 | [diff] [blame] | 2438 | } |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 2439 | |
| 2440 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 2441 | /* We don't need the peer's public key anymore. Free it, |
| 2442 | * so that more RAM is available for upcoming expensive |
| 2443 | * operations like ECDHE. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2444 | mbedtls_pk_free(peer_pk); |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 2445 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2446 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2447 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2448 | |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 2449 | exit: |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2450 | ssl->state++; |
| 2451 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2452 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2453 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2454 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2455 | } |
| 2456 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2457 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2458 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2459 | static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2460 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2461 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2462 | ssl->handshake->ciphersuite_info; |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2463 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2464 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request")); |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2465 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2466 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 2467 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request")); |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2468 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2469 | return 0; |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2470 | } |
| 2471 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2472 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2473 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2474 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2475 | #else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2476 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2477 | static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2478 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2479 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2480 | unsigned char *buf; |
| 2481 | size_t n = 0; |
| Paul Bakker | d2f068e | 2013-08-27 21:19:20 +0200 | [diff] [blame] | 2482 | size_t cert_type_len = 0, dn_len = 0; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2483 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2484 | ssl->handshake->ciphersuite_info; |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2485 | size_t sig_alg_len; |
| 2486 | #if defined(MBEDTLS_DEBUG_C) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2487 | unsigned char *sig_alg; |
| 2488 | unsigned char *dn; |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2489 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2490 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2491 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2492 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2493 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 2494 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request")); |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2495 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2496 | return 0; |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2497 | } |
| 2498 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2499 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| 2500 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 2501 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2502 | } |
| 2503 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2504 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 2505 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2506 | mbedtls_ssl_send_alert_message( |
| 2507 | ssl, |
| 2508 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2509 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
| 2510 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2511 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2512 | |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2513 | ssl->state++; |
| Jerry Yu | fb28b88 | 2022-01-28 11:05:58 +0800 | [diff] [blame] | 2514 | ssl->handshake->client_auth = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2515 | (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2516 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2517 | MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request", |
| 2518 | ssl->handshake->client_auth ? "a" : "no")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2519 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2520 | if (ssl->handshake->client_auth == 0) { |
| Johan Pascal | a89ca86 | 2020-08-25 10:03:19 +0200 | [diff] [blame] | 2521 | /* Current message is probably the ServerHelloDone */ |
| 2522 | ssl->keep_current_message = 1; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2523 | goto exit; |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2524 | } |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 2525 | |
| Manuel Pégourié-Gonnard | 04c1b4e | 2014-09-10 19:25:43 +0200 | [diff] [blame] | 2526 | /* |
| 2527 | * struct { |
| 2528 | * ClientCertificateType certificate_types<1..2^8-1>; |
| 2529 | * SignatureAndHashAlgorithm |
| 2530 | * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only |
| 2531 | * DistinguishedName certificate_authorities<0..2^16-1>; |
| 2532 | * } CertificateRequest; |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2533 | * |
| 2534 | * Since we only support a single certificate on clients, let's just |
| 2535 | * ignore all the information that's supposed to help us pick a |
| 2536 | * certificate. |
| 2537 | * |
| 2538 | * We could check that our certificate matches the request, and bail out |
| 2539 | * if it doesn't, but it's simpler to just send the certificate anyway, |
| 2540 | * and give the server the opportunity to decide if it should terminate |
| 2541 | * the connection when it doesn't like our certificate. |
| 2542 | * |
| 2543 | * Same goes for the hash in TLS 1.2's signature_algorithms: at this |
| 2544 | * point we only have one hash available (see comments in |
| Simon Butcher | c0957bd | 2016-03-01 13:16:57 +0000 | [diff] [blame] | 2545 | * write_certificate_verify), so let's just use what we have. |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2546 | * |
| 2547 | * However, we still minimally parse the message to check it is at least |
| 2548 | * superficially sane. |
| Manuel Pégourié-Gonnard | 04c1b4e | 2014-09-10 19:25:43 +0200 | [diff] [blame] | 2549 | */ |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2550 | buf = ssl->in_msg; |
| Paul Bakker | f7abd42 | 2013-04-16 13:15:56 +0200 | [diff] [blame] | 2551 | |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2552 | /* certificate_types */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2553 | if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) { |
| 2554 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| 2555 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 2556 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2557 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Krzysztof Stachowiak | 73b183c | 2018-04-05 10:20:09 +0200 | [diff] [blame] | 2558 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2559 | cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)]; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2560 | n = cert_type_len; |
| 2561 | |
| Krzysztof Stachowiak | bc145f7 | 2018-03-20 11:19:50 +0100 | [diff] [blame] | 2562 | /* |
| Krzysztof Stachowiak | 94d4997 | 2018-04-05 14:48:55 +0200 | [diff] [blame] | 2563 | * In the subsequent code there are two paths that read from buf: |
| Krzysztof Stachowiak | bc145f7 | 2018-03-20 11:19:50 +0100 | [diff] [blame] | 2564 | * * the length of the signature algorithms field (if minor version of |
| 2565 | * SSL is 3), |
| 2566 | * * distinguished name length otherwise. |
| 2567 | * Both reach at most the index: |
| 2568 | * ...hdr_len + 2 + n, |
| 2569 | * therefore the buffer length at this point must be greater than that |
| 2570 | * regardless of the actual code path. |
| 2571 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2572 | if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) { |
| 2573 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| 2574 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 2575 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2576 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2577 | } |
| 2578 | |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2579 | /* supported_signature_algorithms */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2580 | sig_alg_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8) |
| 2581 | | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n])); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2582 | |
| 2583 | /* |
| 2584 | * The furthest access in buf is in the loop few lines below: |
| 2585 | * sig_alg[i + 1], |
| 2586 | * where: |
| 2587 | * sig_alg = buf + ...hdr_len + 3 + n, |
| 2588 | * max(i) = sig_alg_len - 1. |
| 2589 | * Therefore the furthest access is: |
| 2590 | * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1], |
| 2591 | * which reduces to: |
| 2592 | * buf[...hdr_len + 3 + n + sig_alg_len], |
| 2593 | * which is one less than we need the buf to be. |
| 2594 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2595 | if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) { |
| 2596 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2597 | mbedtls_ssl_send_alert_message( |
| 2598 | ssl, |
| 2599 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2600 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2601 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | f7abd42 | 2013-04-16 13:15:56 +0200 | [diff] [blame] | 2602 | } |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2603 | |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2604 | #if defined(MBEDTLS_DEBUG_C) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2605 | sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n; |
| 2606 | for (size_t i = 0; i < sig_alg_len; i += 2) { |
| 2607 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 2608 | ("Supported Signature Algorithm found: %02x %02x", |
| 2609 | sig_alg[i], sig_alg[i + 1])); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2610 | } |
| 2611 | #endif |
| 2612 | |
| 2613 | n += 2 + sig_alg_len; |
| 2614 | |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2615 | /* certificate_authorities */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2616 | dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8) |
| 2617 | | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n])); |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2618 | |
| 2619 | n += dn_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2620 | if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) { |
| 2621 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| 2622 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 2623 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2624 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2625 | } |
| 2626 | |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2627 | #if defined(MBEDTLS_DEBUG_C) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2628 | dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len; |
| 2629 | for (size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len) { |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2630 | unsigned char *p = dn + i + 2; |
| 2631 | mbedtls_x509_name name; |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2632 | size_t asn1_len; |
| 2633 | char s[MBEDTLS_X509_MAX_DN_NAME_SIZE]; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2634 | memset(&name, 0, sizeof(name)); |
| 2635 | dni_len = MBEDTLS_GET_UINT16_BE(dn + i, 0); |
| 2636 | if (dni_len > dn_len - i - 2 || |
| 2637 | mbedtls_asn1_get_tag(&p, p + dni_len, &asn1_len, |
| 2638 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) != 0 || |
| 2639 | mbedtls_x509_get_name(&p, p + asn1_len, &name) != 0) { |
| 2640 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2641 | mbedtls_ssl_send_alert_message( |
| 2642 | ssl, |
| 2643 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2644 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2645 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2646 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2647 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 2648 | ("DN hint: %.*s", |
| 2649 | mbedtls_x509_dn_gets(s, sizeof(s), &name), s)); |
| 2650 | mbedtls_asn1_free_named_data_list_shallow(name.next); |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2651 | } |
| 2652 | #endif |
| 2653 | |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2654 | exit: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2655 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2656 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2657 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2658 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2659 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2660 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2661 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2662 | static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2663 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2664 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2665 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2666 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2667 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2668 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| 2669 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 2670 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2671 | } |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2672 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2673 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 2674 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message")); |
| 2675 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2676 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2677 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2678 | if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) || |
| 2679 | ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) { |
| 2680 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message")); |
| 2681 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 2682 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2683 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2684 | } |
| 2685 | |
| 2686 | ssl->state++; |
| 2687 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2688 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2689 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 2690 | mbedtls_ssl_recv_flight_completed(ssl); |
| 2691 | } |
| Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2692 | #endif |
| 2693 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2694 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2695 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2696 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2697 | } |
| 2698 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2699 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2700 | static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2701 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2702 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2703 | |
| 2704 | size_t header_len; |
| 2705 | size_t content_len; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2706 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2707 | ssl->handshake->ciphersuite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2708 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2709 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2710 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2711 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2712 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) { |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2713 | /* |
| 2714 | * DHM key exchange -- send G^X mod P |
| 2715 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2716 | content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2717 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2718 | MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4); |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2719 | header_len = 6; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2720 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2721 | ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx, |
| 2722 | (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx), |
| 2723 | &ssl->out_msg[header_len], content_len, |
| 2724 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 2725 | if (ret != 0) { |
| 2726 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret); |
| 2727 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2728 | } |
| 2729 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2730 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X); |
| 2731 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2732 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2733 | if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, |
| 2734 | ssl->handshake->premaster, |
| 2735 | MBEDTLS_PREMASTER_SIZE, |
| 2736 | &ssl->handshake->pmslen, |
| 2737 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 2738 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); |
| 2739 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2740 | } |
| 2741 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2742 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); |
| 2743 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2744 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 2745 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 2746 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| 2747 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 2748 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2749 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| Przemek Stekiel | d905d33 | 2022-03-16 09:50:56 +0100 | [diff] [blame] | 2750 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
| 2751 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2752 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { |
| Neil Armstrong | 11d4945 | 2022-04-13 15:03:43 +0200 | [diff] [blame] | 2753 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Andrzej Kurek | a0237f8 | 2022-02-24 13:24:52 -0500 | [diff] [blame] | 2754 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| 2755 | psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; |
| Janos Follath | 53b8ec2 | 2019-08-08 10:28:27 +0100 | [diff] [blame] | 2756 | psa_key_attributes_t key_attributes; |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2757 | |
| 2758 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 2759 | |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2760 | header_len = 4; |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2761 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2762 | MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); |
| Hanno Becker | 0a94a64 | 2019-01-11 14:35:30 +0000 | [diff] [blame] | 2763 | |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2764 | /* |
| 2765 | * Generate EC private key for ECDHE exchange. |
| 2766 | */ |
| 2767 | |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2768 | /* The master secret is obtained from the shared ECDH secret by |
| 2769 | * applying the TLS 1.2 PRF with a specific salt and label. While |
| 2770 | * the PSA Crypto API encourages combining key agreement schemes |
| 2771 | * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not |
| 2772 | * yet support the provisioning of salt + label to the KDF. |
| 2773 | * For the time being, we therefore need to split the computation |
| 2774 | * of the ECDH secret and the application of the TLS 1.2 PRF. */ |
| Janos Follath | 53b8ec2 | 2019-08-08 10:28:27 +0100 | [diff] [blame] | 2775 | key_attributes = psa_key_attributes_init(); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2776 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 2777 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 2778 | psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); |
| 2779 | psa_set_key_bits(&key_attributes, handshake->ecdh_bits); |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2780 | |
| 2781 | /* Generate ECDH private key. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2782 | status = psa_generate_key(&key_attributes, |
| 2783 | &handshake->ecdh_psa_privkey); |
| 2784 | if (status != PSA_SUCCESS) { |
| 2785 | return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; |
| 2786 | } |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2787 | |
| Manuel Pégourié-Gonnard | 58d2383 | 2022-01-18 12:17:15 +0100 | [diff] [blame] | 2788 | /* Export the public part of the ECDH private key from PSA. |
| Manuel Pégourié-Gonnard | 5d6053f | 2022-02-08 10:26:19 +0100 | [diff] [blame] | 2789 | * The export format is an ECPoint structure as expected by TLS, |
| Manuel Pégourié-Gonnard | 58d2383 | 2022-01-18 12:17:15 +0100 | [diff] [blame] | 2790 | * but we just need to add a length byte before that. */ |
| 2791 | unsigned char *own_pubkey = ssl->out_msg + header_len + 1; |
| 2792 | unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2793 | size_t own_pubkey_max_len = (size_t) (end - own_pubkey); |
| Manuel Pégourié-Gonnard | 58d2383 | 2022-01-18 12:17:15 +0100 | [diff] [blame] | 2794 | size_t own_pubkey_len; |
| 2795 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2796 | status = psa_export_public_key(handshake->ecdh_psa_privkey, |
| 2797 | own_pubkey, own_pubkey_max_len, |
| 2798 | &own_pubkey_len); |
| 2799 | if (status != PSA_SUCCESS) { |
| 2800 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Andrzej Kurek | a0237f8 | 2022-02-24 13:24:52 -0500 | [diff] [blame] | 2801 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2802 | return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; |
| Andrzej Kurek | a0237f8 | 2022-02-24 13:24:52 -0500 | [diff] [blame] | 2803 | } |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2804 | |
| Manuel Pégourié-Gonnard | 58d2383 | 2022-01-18 12:17:15 +0100 | [diff] [blame] | 2805 | ssl->out_msg[header_len] = (unsigned char) own_pubkey_len; |
| 2806 | content_len = own_pubkey_len + 1; |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2807 | |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2808 | /* The ECDH secret is the premaster secret used for key derivation. */ |
| 2809 | |
| Janos Follath | df3b089 | 2019-08-08 11:12:24 +0100 | [diff] [blame] | 2810 | /* Compute ECDH shared secret. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2811 | status = psa_raw_key_agreement(PSA_ALG_ECDH, |
| 2812 | handshake->ecdh_psa_privkey, |
| 2813 | handshake->ecdh_psa_peerkey, |
| 2814 | handshake->ecdh_psa_peerkey_len, |
| 2815 | ssl->handshake->premaster, |
| 2816 | sizeof(ssl->handshake->premaster), |
| 2817 | &ssl->handshake->pmslen); |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2818 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2819 | destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey); |
| Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 2820 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Andrzej Kurek | a0237f8 | 2022-02-24 13:24:52 -0500 | [diff] [blame] | 2821 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2822 | if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) { |
| 2823 | return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; |
| 2824 | } |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 2825 | #else |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2826 | /* |
| 2827 | * ECDH key exchange -- send client public value |
| 2828 | */ |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2829 | header_len = 4; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2830 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2831 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2832 | if (ssl->handshake->ecrs_enabled) { |
| 2833 | if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) { |
| Manuel Pégourié-Gonnard | d27d1a5 | 2017-08-15 11:49:08 +0200 | [diff] [blame] | 2834 | goto ecdh_calc_secret; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2835 | } |
| Manuel Pégourié-Gonnard | 23e4162 | 2017-05-18 12:35:37 +0200 | [diff] [blame] | 2836 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2837 | mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx); |
| Manuel Pégourié-Gonnard | d27d1a5 | 2017-08-15 11:49:08 +0200 | [diff] [blame] | 2838 | } |
| Manuel Pégourié-Gonnard | 2350b4e | 2017-05-16 09:26:48 +0200 | [diff] [blame] | 2839 | #endif |
| 2840 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2841 | ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx, |
| 2842 | &content_len, |
| 2843 | &ssl->out_msg[header_len], 1000, |
| 2844 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 2845 | if (ret != 0) { |
| 2846 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret); |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2847 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2848 | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2849 | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2850 | } |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2851 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2852 | return ret; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2853 | } |
| 2854 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2855 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 2856 | MBEDTLS_DEBUG_ECDH_Q); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2857 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2858 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2859 | if (ssl->handshake->ecrs_enabled) { |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2860 | ssl->handshake->ecrs_n = content_len; |
| Manuel Pégourié-Gonnard | c37423f | 2018-10-16 10:28:17 +0200 | [diff] [blame] | 2861 | ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret; |
| Manuel Pégourié-Gonnard | d27d1a5 | 2017-08-15 11:49:08 +0200 | [diff] [blame] | 2862 | } |
| Manuel Pégourié-Gonnard | 2350b4e | 2017-05-16 09:26:48 +0200 | [diff] [blame] | 2863 | |
| 2864 | ecdh_calc_secret: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2865 | if (ssl->handshake->ecrs_enabled) { |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2866 | content_len = ssl->handshake->ecrs_n; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2867 | } |
| Manuel Pégourié-Gonnard | 2350b4e | 2017-05-16 09:26:48 +0200 | [diff] [blame] | 2868 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2869 | if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, |
| 2870 | &ssl->handshake->pmslen, |
| 2871 | ssl->handshake->premaster, |
| 2872 | MBEDTLS_MPI_MAX_SIZE, |
| 2873 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 2874 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2875 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2876 | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2877 | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2878 | } |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2879 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2880 | return ret; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2881 | } |
| 2882 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2883 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 2884 | MBEDTLS_DEBUG_ECDH_Z); |
| Neil Armstrong | 11d4945 | 2022-04-13 15:03:43 +0200 | [diff] [blame] | 2885 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2886 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2887 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 2888 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
| 2889 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| 2890 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2891 | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| 2892 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2893 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2894 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| 2895 | psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; |
| 2896 | psa_key_attributes_t key_attributes; |
| 2897 | |
| 2898 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 2899 | |
| 2900 | /* |
| 2901 | * opaque psk_identity<0..2^16-1>; |
| 2902 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2903 | if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) { |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2904 | /* We don't offer PSK suites if we don't have a PSK, |
| 2905 | * and we check that the server's choice is among the |
| 2906 | * ciphersuites we offered, so this should never happen. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2907 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 2908 | } |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2909 | |
| Neil Armstrong | fc834f2 | 2022-03-23 17:54:38 +0100 | [diff] [blame] | 2910 | /* uint16 to store content length */ |
| 2911 | const size_t content_len_size = 2; |
| 2912 | |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2913 | header_len = 4; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2914 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2915 | if (header_len + content_len_size + ssl->conf->psk_identity_len |
| 2916 | > MBEDTLS_SSL_OUT_CONTENT_LEN) { |
| 2917 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 2918 | ("psk identity too long or SSL buffer too short")); |
| 2919 | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2920 | } |
| 2921 | |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2922 | unsigned char *p = ssl->out_msg + header_len; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2923 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2924 | *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len); |
| 2925 | *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len); |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2926 | header_len += content_len_size; |
| 2927 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2928 | memcpy(p, ssl->conf->psk_identity, |
| 2929 | ssl->conf->psk_identity_len); |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2930 | p += ssl->conf->psk_identity_len; |
| 2931 | |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2932 | header_len += ssl->conf->psk_identity_len; |
| 2933 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2934 | MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2935 | |
| 2936 | /* |
| 2937 | * Generate EC private key for ECDHE exchange. |
| 2938 | */ |
| 2939 | |
| 2940 | /* The master secret is obtained from the shared ECDH secret by |
| 2941 | * applying the TLS 1.2 PRF with a specific salt and label. While |
| 2942 | * the PSA Crypto API encourages combining key agreement schemes |
| 2943 | * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not |
| 2944 | * yet support the provisioning of salt + label to the KDF. |
| 2945 | * For the time being, we therefore need to split the computation |
| 2946 | * of the ECDH secret and the application of the TLS 1.2 PRF. */ |
| 2947 | key_attributes = psa_key_attributes_init(); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2948 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 2949 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 2950 | psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); |
| 2951 | psa_set_key_bits(&key_attributes, handshake->ecdh_bits); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2952 | |
| 2953 | /* Generate ECDH private key. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2954 | status = psa_generate_key(&key_attributes, |
| 2955 | &handshake->ecdh_psa_privkey); |
| 2956 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame^] | 2957 | return PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2958 | } |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2959 | |
| 2960 | /* Export the public part of the ECDH private key from PSA. |
| 2961 | * The export format is an ECPoint structure as expected by TLS, |
| 2962 | * but we just need to add a length byte before that. */ |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2963 | unsigned char *own_pubkey = p + 1; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2964 | unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2965 | size_t own_pubkey_max_len = (size_t) (end - own_pubkey); |
| Neil Armstrong | bc5e8f9 | 2022-03-23 17:42:50 +0100 | [diff] [blame] | 2966 | size_t own_pubkey_len = 0; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2967 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2968 | status = psa_export_public_key(handshake->ecdh_psa_privkey, |
| 2969 | own_pubkey, own_pubkey_max_len, |
| 2970 | &own_pubkey_len); |
| 2971 | if (status != PSA_SUCCESS) { |
| 2972 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2973 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame^] | 2974 | return PSA_TO_MBEDTLS_ERR(status); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2975 | } |
| 2976 | |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2977 | *p = (unsigned char) own_pubkey_len; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2978 | content_len = own_pubkey_len + 1; |
| 2979 | |
| Neil Armstrong | 2540045 | 2022-03-23 17:44:07 +0100 | [diff] [blame] | 2980 | /* As RFC 5489 section 2, the premaster secret is formed as follows: |
| 2981 | * - a uint16 containing the length (in octets) of the ECDH computation |
| 2982 | * - the octet string produced by the ECDH computation |
| 2983 | * - a uint16 containing the length (in octets) of the PSK |
| 2984 | * - the PSK itself |
| 2985 | */ |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2986 | unsigned char *pms = ssl->handshake->premaster; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2987 | const unsigned char * const pms_end = pms + |
| 2988 | sizeof(ssl->handshake->premaster); |
| Neil Armstrong | 0bdb68a | 2022-03-23 17:46:32 +0100 | [diff] [blame] | 2989 | /* uint16 to store length (in octets) of the ECDH computation */ |
| 2990 | const size_t zlen_size = 2; |
| Neil Armstrong | bc5e8f9 | 2022-03-23 17:42:50 +0100 | [diff] [blame] | 2991 | size_t zlen = 0; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2992 | |
| Neil Armstrong | 2540045 | 2022-03-23 17:44:07 +0100 | [diff] [blame] | 2993 | /* Perform ECDH computation after the uint16 reserved for the length */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2994 | status = psa_raw_key_agreement(PSA_ALG_ECDH, |
| 2995 | handshake->ecdh_psa_privkey, |
| 2996 | handshake->ecdh_psa_peerkey, |
| 2997 | handshake->ecdh_psa_peerkey_len, |
| 2998 | pms + zlen_size, |
| 2999 | pms_end - (pms + zlen_size), |
| 3000 | &zlen); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 3001 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3002 | destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 3003 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3004 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3005 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame^] | 3006 | return PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3007 | } else if (destruction_status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame^] | 3008 | return PSA_TO_MBEDTLS_ERR(destruction_status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3009 | } |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 3010 | |
| Neil Armstrong | 2540045 | 2022-03-23 17:44:07 +0100 | [diff] [blame] | 3011 | /* Write the ECDH computation length before the ECDH computation */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3012 | MBEDTLS_PUT_UINT16_BE(zlen, pms, 0); |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 3013 | pms += zlen_size + zlen; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3014 | } else |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 3015 | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
| 3016 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3017 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3018 | if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) { |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 3019 | /* |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 3020 | * opaque psk_identity<0..2^16-1>; |
| 3021 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3022 | if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) { |
| Hanno Becker | 2e4f616 | 2018-10-23 11:54:44 +0100 | [diff] [blame] | 3023 | /* We don't offer PSK suites if we don't have a PSK, |
| 3024 | * and we check that the server's choice is among the |
| 3025 | * ciphersuites we offered, so this should never happen. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3026 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | b4b19f3 | 2015-07-07 11:41:21 +0200 | [diff] [blame] | 3027 | } |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 3028 | |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3029 | header_len = 4; |
| 3030 | content_len = ssl->conf->psk_identity_len; |
| Manuel Pégourié-Gonnard | c6b5d83 | 2015-08-27 16:37:35 +0200 | [diff] [blame] | 3031 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3032 | if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) { |
| 3033 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 3034 | ("psk identity too long or SSL buffer too short")); |
| 3035 | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
| Manuel Pégourié-Gonnard | c6b5d83 | 2015-08-27 16:37:35 +0200 | [diff] [blame] | 3036 | } |
| 3037 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3038 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len); |
| 3039 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3040 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3041 | memcpy(ssl->out_msg + header_len, |
| 3042 | ssl->conf->psk_identity, |
| 3043 | ssl->conf->psk_identity_len); |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3044 | header_len += ssl->conf->psk_identity_len; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3045 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3046 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3047 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3048 | content_len = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3049 | } else |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3050 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3051 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3052 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
| 3053 | if ((ret = ssl_write_encrypted_pms(ssl, header_len, |
| 3054 | &content_len, 2)) != 0) { |
| 3055 | return ret; |
| 3056 | } |
| 3057 | } else |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 3058 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3059 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3060 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3061 | /* |
| 3062 | * ClientDiffieHellmanPublic public (DHM send G^X mod P) |
| 3063 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3064 | content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx); |
| Manuel Pégourié-Gonnard | c6b5d83 | 2015-08-27 16:37:35 +0200 | [diff] [blame] | 3065 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3066 | if (header_len + 2 + content_len > |
| 3067 | MBEDTLS_SSL_OUT_CONTENT_LEN) { |
| 3068 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 3069 | ("psk identity or DHM size too long or SSL buffer too short")); |
| 3070 | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
| Manuel Pégourié-Gonnard | c6b5d83 | 2015-08-27 16:37:35 +0200 | [diff] [blame] | 3071 | } |
| 3072 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3073 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len); |
| 3074 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3075 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3076 | ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx, |
| 3077 | (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx), |
| 3078 | &ssl->out_msg[header_len], content_len, |
| 3079 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3080 | if (ret != 0) { |
| 3081 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret); |
| 3082 | return ret; |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3083 | } |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3084 | |
| 3085 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3086 | unsigned char *pms = ssl->handshake->premaster; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3087 | unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3088 | size_t pms_len; |
| 3089 | |
| 3090 | /* Write length only when we know the actual value */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3091 | if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, |
| 3092 | pms + 2, pms_end - (pms + 2), &pms_len, |
| 3093 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3094 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); |
| 3095 | return ret; |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3096 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3097 | MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3098 | pms += 2 + pms_len; |
| 3099 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3100 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3101 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3102 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3103 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 3104 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3105 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| 3106 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3107 | /* |
| 3108 | * ClientECDiffieHellmanPublic public; |
| 3109 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3110 | ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx, |
| 3111 | &content_len, |
| 3112 | &ssl->out_msg[header_len], |
| 3113 | MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, |
| 3114 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3115 | if (ret != 0) { |
| 3116 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret); |
| 3117 | return ret; |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3118 | } |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 3119 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3120 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3121 | MBEDTLS_DEBUG_ECDH_Q); |
| 3122 | } else |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 3123 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3124 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3125 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3126 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3127 | } |
| 3128 | |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3129 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3130 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| 3131 | ciphersuite_info->key_exchange)) != 0) { |
| 3132 | MBEDTLS_SSL_DEBUG_RET(1, |
| 3133 | "mbedtls_ssl_psk_derive_premaster", ret); |
| 3134 | return ret; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3135 | } |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3136 | #endif /* !MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3137 | } else |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3138 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3139 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3140 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3141 | header_len = 4; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3142 | if ((ret = ssl_write_encrypted_pms(ssl, header_len, |
| 3143 | &content_len, 0)) != 0) { |
| 3144 | return ret; |
| 3145 | } |
| 3146 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3147 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3148 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3149 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3150 | header_len = 4; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3151 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3152 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3153 | unsigned char *out_p = ssl->out_msg + header_len; |
| 3154 | unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - |
| 3155 | header_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3156 | ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, |
| 3157 | out_p, end_p - out_p, &content_len, |
| 3158 | MBEDTLS_ECJPAKE_ROUND_TWO); |
| 3159 | if (ret != 0) { |
| 3160 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 3161 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 3162 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); |
| 3163 | return ret; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3164 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3165 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3166 | ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx, |
| 3167 | ssl->out_msg + header_len, |
| 3168 | MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, |
| 3169 | &content_len, |
| 3170 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3171 | if (ret != 0) { |
| 3172 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret); |
| 3173 | return ret; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3174 | } |
| 3175 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3176 | ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx, |
| 3177 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen, |
| 3178 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3179 | if (ret != 0) { |
| 3180 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret); |
| 3181 | return ret; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3182 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3183 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3184 | } else |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3185 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 3186 | { |
| 3187 | ((void) ciphersuite_info); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3188 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3189 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 3190 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3191 | |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3192 | ssl->out_msglen = header_len + content_len; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3193 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3194 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3195 | |
| 3196 | ssl->state++; |
| 3197 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3198 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 3199 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 3200 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3201 | } |
| 3202 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3203 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3204 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3205 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3206 | } |
| 3207 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3208 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3209 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3210 | static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3211 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 3212 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 3213 | ssl->handshake->ciphersuite_info; |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3214 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3215 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3216 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3217 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3218 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 3219 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| 3220 | return ret; |
| Manuel Pégourié-Gonnard | ada3030 | 2014-10-20 20:33:10 +0200 | [diff] [blame] | 3221 | } |
| 3222 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3223 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 3224 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 3225 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3226 | return 0; |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 3227 | } |
| 3228 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3229 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3230 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3231 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3232 | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3233 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3234 | static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3235 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3236 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 3237 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 3238 | ssl->handshake->ciphersuite_info; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3239 | size_t n = 0, offset = 0; |
| 3240 | unsigned char hash[48]; |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3241 | unsigned char *hash_start = hash; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3242 | mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; |
| Manuel Pégourié-Gonnard | de718b9 | 2019-05-03 11:43:28 +0200 | [diff] [blame] | 3243 | size_t hashlen; |
| Manuel Pégourié-Gonnard | 862cde5 | 2017-05-17 11:56:15 +0200 | [diff] [blame] | 3244 | void *rs_ctx = NULL; |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 3245 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3246 | size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf); |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 3247 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3248 | size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf); |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 3249 | #endif |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3250 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3251 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3252 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3253 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3254 | if (ssl->handshake->ecrs_enabled && |
| 3255 | ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) { |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 3256 | goto sign; |
| Manuel Pégourié-Gonnard | d27d1a5 | 2017-08-15 11:49:08 +0200 | [diff] [blame] | 3257 | } |
| Manuel Pégourié-Gonnard | 862cde5 | 2017-05-17 11:56:15 +0200 | [diff] [blame] | 3258 | #endif |
| 3259 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3260 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 3261 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| 3262 | return ret; |
| Manuel Pégourié-Gonnard | ada3030 | 2014-10-20 20:33:10 +0200 | [diff] [blame] | 3263 | } |
| 3264 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3265 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 3266 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3267 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3268 | return 0; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3269 | } |
| 3270 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3271 | if (ssl->handshake->client_auth == 0 || |
| 3272 | mbedtls_ssl_own_cert(ssl) == NULL) { |
| 3273 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); |
| Johan Pascal | a89ca86 | 2020-08-25 10:03:19 +0200 | [diff] [blame] | 3274 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3275 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3276 | } |
| 3277 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3278 | if (mbedtls_ssl_own_key(ssl) == NULL) { |
| 3279 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate")); |
| 3280 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3281 | } |
| 3282 | |
| 3283 | /* |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 3284 | * Make a signature of the handshake digests |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3285 | */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3286 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3287 | if (ssl->handshake->ecrs_enabled) { |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 3288 | ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3289 | } |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 3290 | |
| 3291 | sign: |
| 3292 | #endif |
| 3293 | |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 3294 | ret = ssl->handshake->calc_verify(ssl, hash, &hashlen); |
| 3295 | if (0 != ret) { |
| 3296 | MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret); |
| 3297 | return ret; |
| 3298 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3299 | |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 3300 | /* |
| 3301 | * digitally-signed struct { |
| 3302 | * opaque handshake_messages[handshake_messages_length]; |
| 3303 | * }; |
| 3304 | * |
| 3305 | * Taking shortcut here. We assume that the server always allows the |
| 3306 | * PRF Hash function and has sent it in the allowed signature |
| 3307 | * algorithms list received in the Certificate Request message. |
| 3308 | * |
| 3309 | * Until we encounter a server that does not, we will take this |
| 3310 | * shortcut. |
| 3311 | * |
| 3312 | * Reason: Otherwise we should have running hashes for SHA512 and |
| 3313 | * SHA224 in order to satisfy 'weird' needs from the server |
| 3314 | * side. |
| 3315 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3316 | if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) { |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 3317 | md_alg = MBEDTLS_MD_SHA384; |
| 3318 | ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3319 | } else { |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 3320 | md_alg = MBEDTLS_MD_SHA256; |
| 3321 | ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 3322 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3323 | ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl)); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 3324 | |
| 3325 | /* Info from md_alg will be used instead */ |
| 3326 | hashlen = 0; |
| 3327 | offset = 2; |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3328 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3329 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3330 | if (ssl->handshake->ecrs_enabled) { |
| Manuel Pégourié-Gonnard | 15d7df2 | 2017-08-17 14:33:31 +0200 | [diff] [blame] | 3331 | rs_ctx = &ssl->handshake->ecrs_ctx.pk; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3332 | } |
| Manuel Pégourié-Gonnard | 862cde5 | 2017-05-17 11:56:15 +0200 | [diff] [blame] | 3333 | #endif |
| 3334 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3335 | if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl), |
| 3336 | md_alg, hash_start, hashlen, |
| 3337 | ssl->out_msg + 6 + offset, |
| 3338 | out_buf_len - 6 - offset, |
| 3339 | &n, |
| 3340 | ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) { |
| 3341 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3342 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3343 | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 3344 | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3345 | } |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 3346 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3347 | return ret; |
| Manuel Pégourié-Gonnard | 76c18a1 | 2013-08-20 16:50:40 +0200 | [diff] [blame] | 3348 | } |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 3349 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3350 | MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3351 | |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3352 | ssl->out_msglen = 6 + n + offset; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3353 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3354 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3355 | |
| 3356 | ssl->state++; |
| 3357 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3358 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 3359 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 3360 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3361 | } |
| 3362 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3363 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3364 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3365 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3366 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3367 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3368 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3369 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3370 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3371 | static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3372 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3373 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3374 | uint32_t lifetime; |
| 3375 | size_t ticket_len; |
| 3376 | unsigned char *ticket; |
| Manuel Pégourié-Gonnard | 000d5ae | 2014-09-10 21:52:12 +0200 | [diff] [blame] | 3377 | const unsigned char *msg; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3378 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3379 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket")); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3380 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3381 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| 3382 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 3383 | return ret; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3384 | } |
| 3385 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3386 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 3387 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 3388 | mbedtls_ssl_send_alert_message( |
| 3389 | ssl, |
| 3390 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3391 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
| 3392 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3393 | } |
| 3394 | |
| 3395 | /* |
| 3396 | * struct { |
| 3397 | * uint32 ticket_lifetime_hint; |
| 3398 | * opaque ticket<0..2^16-1>; |
| 3399 | * } NewSessionTicket; |
| 3400 | * |
| Manuel Pégourié-Gonnard | 000d5ae | 2014-09-10 21:52:12 +0200 | [diff] [blame] | 3401 | * 0 . 3 ticket_lifetime_hint |
| 3402 | * 4 . 5 ticket_len (n) |
| 3403 | * 6 . 5+n ticket content |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3404 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3405 | if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || |
| 3406 | ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) { |
| 3407 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); |
| 3408 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 3409 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 3410 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3411 | } |
| 3412 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3413 | msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3414 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3415 | lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) | |
| 3416 | (msg[2] << 8) | (msg[3]); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3417 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3418 | ticket_len = (msg[4] << 8) | (msg[5]); |
| Manuel Pégourié-Gonnard | 000d5ae | 2014-09-10 21:52:12 +0200 | [diff] [blame] | 3419 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3420 | if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) { |
| 3421 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); |
| 3422 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 3423 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 3424 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3425 | } |
| 3426 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3427 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len)); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3428 | |
| Manuel Pégourié-Gonnard | 7cd5924 | 2013-08-02 13:24:41 +0200 | [diff] [blame] | 3429 | /* We're not waiting for a NewSessionTicket message any more */ |
| 3430 | ssl->handshake->new_session_ticket = 0; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3431 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
| Manuel Pégourié-Gonnard | 7cd5924 | 2013-08-02 13:24:41 +0200 | [diff] [blame] | 3432 | |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3433 | /* |
| 3434 | * Zero-length ticket means the server changed his mind and doesn't want |
| 3435 | * to send a ticket after all, so just forget it |
| 3436 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3437 | if (ticket_len == 0) { |
| 3438 | return 0; |
| 3439 | } |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3440 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3441 | if (ssl->session != NULL && ssl->session->ticket != NULL) { |
| 3442 | mbedtls_platform_zeroize(ssl->session->ticket, |
| 3443 | ssl->session->ticket_len); |
| 3444 | mbedtls_free(ssl->session->ticket); |
| Hanno Becker | b2964cb | 2019-01-30 14:46:35 +0000 | [diff] [blame] | 3445 | ssl->session->ticket = NULL; |
| 3446 | ssl->session->ticket_len = 0; |
| 3447 | } |
| 3448 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3449 | mbedtls_platform_zeroize(ssl->session_negotiate->ticket, |
| 3450 | ssl->session_negotiate->ticket_len); |
| 3451 | mbedtls_free(ssl->session_negotiate->ticket); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3452 | ssl->session_negotiate->ticket = NULL; |
| 3453 | ssl->session_negotiate->ticket_len = 0; |
| 3454 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3455 | if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) { |
| 3456 | MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed")); |
| 3457 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 3458 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
| 3459 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3460 | } |
| 3461 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3462 | memcpy(ticket, msg + 6, ticket_len); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3463 | |
| 3464 | ssl->session_negotiate->ticket = ticket; |
| 3465 | ssl->session_negotiate->ticket_len = ticket_len; |
| 3466 | ssl->session_negotiate->ticket_lifetime = lifetime; |
| 3467 | |
| 3468 | /* |
| 3469 | * RFC 5077 section 3.4: |
| 3470 | * "If the client receives a session ticket from the server, then it |
| 3471 | * discards any Session ID that was sent in the ServerHello." |
| 3472 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3473 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id")); |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 3474 | ssl->session_negotiate->id_len = 0; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3475 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3476 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket")); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3477 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3478 | return 0; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3479 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3480 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3481 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3482 | /* |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 3483 | * SSL handshake -- client side -- single step |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3484 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3485 | int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3486 | { |
| 3487 | int ret = 0; |
| 3488 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3489 | /* Change state now, so that it is right in mbedtls_ssl_read_record(), used |
| Manuel Pégourié-Gonnard | cd32a50 | 2014-09-20 13:54:12 +0200 | [diff] [blame] | 3490 | * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3491 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3492 | if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && |
| 3493 | ssl->handshake->new_session_ticket != 0) { |
| Jerry Yu | a357cf4 | 2022-07-12 05:36:45 +0000 | [diff] [blame] | 3494 | ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET; |
| Manuel Pégourié-Gonnard | cd32a50 | 2014-09-20 13:54:12 +0200 | [diff] [blame] | 3495 | } |
| 3496 | #endif |
| 3497 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3498 | switch (ssl->state) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3499 | case MBEDTLS_SSL_HELLO_REQUEST: |
| 3500 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3501 | break; |
| 3502 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3503 | /* |
| 3504 | * ==> ClientHello |
| 3505 | */ |
| 3506 | case MBEDTLS_SSL_CLIENT_HELLO: |
| 3507 | ret = mbedtls_ssl_write_client_hello(ssl); |
| 3508 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3509 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3510 | /* |
| 3511 | * <== ServerHello |
| 3512 | * Certificate |
| 3513 | * ( ServerKeyExchange ) |
| 3514 | * ( CertificateRequest ) |
| 3515 | * ServerHelloDone |
| 3516 | */ |
| 3517 | case MBEDTLS_SSL_SERVER_HELLO: |
| 3518 | ret = ssl_parse_server_hello(ssl); |
| 3519 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3520 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3521 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
| 3522 | ret = mbedtls_ssl_parse_certificate(ssl); |
| 3523 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3524 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3525 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: |
| 3526 | ret = ssl_parse_server_key_exchange(ssl); |
| 3527 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3528 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3529 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
| 3530 | ret = ssl_parse_certificate_request(ssl); |
| 3531 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3532 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3533 | case MBEDTLS_SSL_SERVER_HELLO_DONE: |
| 3534 | ret = ssl_parse_server_hello_done(ssl); |
| 3535 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3536 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3537 | /* |
| 3538 | * ==> ( Certificate/Alert ) |
| 3539 | * ClientKeyExchange |
| 3540 | * ( CertificateVerify ) |
| 3541 | * ChangeCipherSpec |
| 3542 | * Finished |
| 3543 | */ |
| 3544 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
| 3545 | ret = mbedtls_ssl_write_certificate(ssl); |
| 3546 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3547 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3548 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: |
| 3549 | ret = ssl_write_client_key_exchange(ssl); |
| 3550 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3551 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3552 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
| 3553 | ret = ssl_write_certificate_verify(ssl); |
| 3554 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3555 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3556 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: |
| 3557 | ret = mbedtls_ssl_write_change_cipher_spec(ssl); |
| 3558 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3559 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3560 | case MBEDTLS_SSL_CLIENT_FINISHED: |
| 3561 | ret = mbedtls_ssl_write_finished(ssl); |
| 3562 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3563 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3564 | /* |
| 3565 | * <== ( NewSessionTicket ) |
| 3566 | * ChangeCipherSpec |
| 3567 | * Finished |
| 3568 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3569 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3570 | case MBEDTLS_SSL_NEW_SESSION_TICKET: |
| 3571 | ret = ssl_parse_new_session_ticket(ssl); |
| 3572 | break; |
| Paul Bakker | a503a63 | 2013-08-14 13:48:06 +0200 | [diff] [blame] | 3573 | #endif |
| Manuel Pégourié-Gonnard | cd32a50 | 2014-09-20 13:54:12 +0200 | [diff] [blame] | 3574 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3575 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: |
| 3576 | ret = mbedtls_ssl_parse_change_cipher_spec(ssl); |
| 3577 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3578 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3579 | case MBEDTLS_SSL_SERVER_FINISHED: |
| 3580 | ret = mbedtls_ssl_parse_finished(ssl); |
| 3581 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3582 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3583 | case MBEDTLS_SSL_FLUSH_BUFFERS: |
| 3584 | MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); |
| 3585 | ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; |
| 3586 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3587 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3588 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
| 3589 | mbedtls_ssl_handshake_wrapup(ssl); |
| 3590 | break; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 3591 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3592 | default: |
| 3593 | MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); |
| 3594 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 3595 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3596 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3597 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3598 | } |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 3599 | |
| Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 3600 | #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_2 */ |